Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

spyaxe

Post by Armando » December 6th, 2005, 8:47 am

When I started my computer today, I got scan results from SpyAxe, which I never installed. Then I get constant warnings of spyware, that urge me to install appropriate software. I removed SpyAxe from Control Panel, then I searched for and deleted svchost.dll, which I read that I should do (it's still in recycle bin though). I ran Microsoft Anti-Spyware, and Norton Antivirus, which caught some things and removed them. Still getting pop-up ads and spyware/adware-caused spyware warnings.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:33 AM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel-4.05.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpD244.tmp
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [732V33j] nvssfr.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [M0t9RTH8P] nvibrand.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: DC++ Local.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am

Post by amateur » December 6th, 2005, 8:53 am

Hello Armando, :D

Welcome to MRU. :D I'll be looking into the items in your log. It takes a while so please be patient. I'll get back to you as soon as I am able.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by amateur » December 6th, 2005, 6:08 pm

Hi Armando, :)

Thanks for your patience. :) Let's free you of this pest. ;) First, we need to disable MSAntispyware so that it will not interfere with the fix.

1. Open Microsoft AntiSpyware.
2. Click on Options, Settings.
3. In the left pane, click on Real-time Protection.
4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
6. After you have unchecked these, click on the Save button and close Microsoft AntiSpyware.
7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
============================================

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop. Do not run it yet.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

============================================
Go to Start>Control Panel>Add/Remove Programs and remove the following programs if found:
C:\Program Files\Security Toolbar
C:\Program Files\eMule
C:\Program Files\DC++
Please read here for further information.
===================================================
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
===============================================

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.
====================================================
Now scan with HJT. Close all other windows, except HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpD244.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [732V33j] nvssfr.exe
O4 - HKCU\..\Run: [M0t9RTH8P] nvibrand.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart

O4 - Startup: DC++ Local.lnk = C:\Program Files\DC++\DCPlusPlus.exe
===================================================

Close HijackThis, but stay in Safe Mode. Navigate (press Windows key and E at the same time to bring up Windows Explorer) and delete the following files and folders in bold, if found:

Files:
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\hpD244.tmp

Folders:
C:\Program Files\eMule
C:\Program Files\DC++

===================================================
Still in Safe Mode, Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

==========================================
Reboot back into Windows in Normal Mode and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
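
The fix list in the post above is applied by finding each listed line in a fresh HijackThis scan. As an added example (not part of the original thread and not HijackThis code), the Python below matches fix-list lines to scan lines by section and CLSID or Run value name, so an entry whose file name differs between scans is still found. The sample lines are excerpted from the logs posted in this thread; the function names are hypothetical.

```python
import re

# Section code (R0, O2, O16, ...) followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# COM class identifier, e.g. {724510c3-f3c8-4fb7-879a-d99f29008a2f}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 autostart entries look like: HKLM\..\Run: [ValueName] command
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\]")

# Excerpt of the helper's fix list (based on the 12/6 scan).
FIX_LIST = [
    r"O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpD244.tmp",
    r"O4 - HKLM\..\Run: [732V33j] nvssfr.exe",
    r"O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll",
]

# Excerpt of the 12/7 Safe Mode scan.
NEW_SCAN = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpB95D.tmp",
    r"O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll",
    r"O4 - HKLM\..\Run: [732V33j] nvssfr.exe",
    r"O4 - HKCU\..\Run: [M0t9RTH8P] nvibrand.exe",
]


def parse_entry(line):
    """Return (section, stable_key, body) for one HijackThis line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process path, blank line, separator
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    if clsid:
        # The CLSID identifies the component even if its file is renamed.
        key = clsid.group(0).lower()
    else:
        run = RUN_RE.match(body)
        if section == "O4" and run:
            # Registry key plus value name; the command text may vary.
            key = (run.group("hive") + "|" + run.group("name")).lower()
        else:
            key = body.lower()
    return section, key, body


def index_scan(lines):
    """Map (section, stable_key) -> list of entry bodies found in a scan."""
    index = {}
    for line in lines:
        entry = parse_entry(line)
        if entry:
            section, key, body = entry
            index.setdefault((section, key), []).append(body)
    return index


def match_fix_list(fix_lines, scan_lines):
    """Classify each fix-list line as exact, changed or missing in the scan.

    Returns a list of (fix_line, status, matching_body_or_None).
    """
    index = index_scan(scan_lines)
    results = []
    for line in fix_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        section, key, body = entry
        found = index.get((section, key), [])
        if body in found:
            results.append((line, "exact", body))
        elif found:
            # Same component, different detail (for example a new file name).
            results.append((line, "changed", found[0]))
        else:
            results.append((line, "missing", None))
    return results


if __name__ == "__main__":
    for fix_line, status, current in match_fix_list(FIX_LIST, NEW_SCAN):
        print(f"[{status}] {fix_line}")
        if status == "changed":
            print(f"    now: {current}")
```

A "changed" result is a prompt to review the current line before fixing it, and a "missing" result means the entry is no longer in the scan.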

Removing DC++ and eMule

Post by Armando » December 7th, 2005, 12:32 am

I've already performed all the steps up to the point where it says to remove eMule and DC++. I'm going to go ahead and see if I can remove them while saving all the information I need from them so I can resume using them when I am done getting rid of this pest.
If you could tell me that removing these isn't really necessary though, that would definitely be something I'd like to hear.
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am

Post by Armando » December 7th, 2005, 5:46 pm

Thank you very much for helping me out. Regarding my above post, I went ahead and removed the programs anyway, just saved some config info in a txt file.

This is my new HJT log that I got when I was about to fix those items. I wasn't sure if you wanted an HJT log from after I had finished doing everything or not, since you didn't explicitly tell me to, but I included one at the end of this post just in case.

Also, there is one item you told me to fix with HJT that I didn't, because I printed out instructions, and the printer apparently cut off a line at the top of one of the pages. The line was:
R3 - Default URLSearchHook is missing

Also, the line below didn't exist, but a very similar line did, which I fixed with HJT:
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpD244.tmp
The line I fixed had "hpB95D.tmp" at the end.
Other than that, I think everything else went well enough.
-------------
HJT log
--------------


Logfile of HijackThis v1.99.1
Scan saved at 12:25:58 AM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpB95D.tmp
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [732V33j] nvssfr.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [M0t9RTH8P] nvibrand.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: DC++ Local.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-----------
Contents of smitfiles.txt :
-----------


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12/07/2005
The current time is: 0:41:15.85

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Security Troubleshooting.url
Online Security Center.url
Security Troubleshooting.url
Online Security Center.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 864 'explorer.exe'
Killing PID 864 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

---------------
Ewido log :
------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:01:44 AM, 12/7/2005
+ Report-Checksum: 80030110

+ Scan result:

HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2399954768-3293936855-1811947853-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Armando Jr\Application Data\Mozilla\Firefox\Profiles\7nus6z3e.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

----------------
Panda scan report:
-------------------


Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Armando Jr\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-16d4db64-1f1acab0.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Armando Jr\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-16d4db64-1f1acab0.zip[Matrix.class]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\DEN\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5
Virus:Bck/Complod.A Not disinfected C:\temp\Ds\Software\CloneCD.v5.0.4.5.rar[SetupCloneCD5.0.4.5.exe]
-----------------
Newest HJT log, after I'd finished everything :
-----------------

Logfile of HijackThis v1.99.1
Scan saved at 3:36:52 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel-4.05.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-----------------

Thanks again for all your help
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am

Unread postby amateur » December 7th, 2005, 7:52 pm

Hello Armando, :)

I had already prepared the following post before I saw your last post. I am going to post it anyway for your information. I am working on your logs now. I'll get back to you on those soon.

Hi Armando, :)

Those two programs are peer-to-peer file sharing programs where most malware passes through. The following entry is added by W32/Rbot-ALZ WORM. Look in here and here

O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart


You can find more information about it here. I have already included the link for DC++ in my previous post. Please read them carefully. I strongly would recommend that you uninstall them. If you still want them, install them after the computer is clean, at your own risk. As long as you have those programs running, it would be futile to try cleaning the computer. That's probably how you got infected in the first place. :(
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby amateur » December 7th, 2005, 9:39 pm

Hi Armando :)

I am glad you decided to remove those programs. :) Thanks for the logs. :) Unfortunately your computer is not clean yet. :( We have some work to do.

Go to Control Panel > Java -or- Java Plugin > General tab > Temporary Internet Files > Delete Files:
Checkmark all 3 options
Click "OK"

If those settings are different, the "Clear Cache" option might be under the "Cache" tab instead.

==================================

I couldn't determine what version of Java is installed on your computer. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6.

To check your version to see if it is the latest version, please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.

Or you can get the manual download here:

Once you have installed the latest update, please go to Add/Remove Programs and remove all older instances of Java listed there.

====================================

You may want to print out these instructions for reference.

Please download AproposFix from here:

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following: This is very very important. This will only work in Safe Mode.

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 a few times.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode.

Run Panda online scan again.

Post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Armando » December 13th, 2005, 9:07 pm

Sorry it took me so long to reply...I followed all the steps you gave me. According to Panda's online scan I'm still infected with some apropos stuff.

----------------
HijackThis log
----------------


Logfile of HijackThis v1.99.1
Scan saved at 6:59:40 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel-4.05.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

------------------
AproposFix log
------------------


Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Armando Jr\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

----------------------
Panda Scan log
----------------------



Incident Status Location

Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\DEN\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5
Virus:Bck/Complod.A Not disinfected C:\temp\Ds\Software\CloneCD.v5.0.4.5.rar[SetupCloneCD5.0.4.5.exe]
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am

Unread postby amateur » December 14th, 2005, 8:27 am

Hi Armando, :)

Your log is looking much better. :D Please run HijackThis again. Put a checkmark against the following entries:

R3 - Default URLSearchHook is missing

Close all other windows except HijackThis. Click on "fix checked" button.
=========================================
We need to show hidden files and folders.

Click Start>Control Panel>Folder Options and double click.
Under the View tab scroll down to Hidden Files and Folders
Check Show hidden files and folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended). Say Yes
Click Apply and click OK
=========================================

Reboot in Safe Mode, following my earlier instructions.

=========================================

On your keyboard press Windows key and E key at the same time to bring up the Windows Explorer. Navigate to
C:\Documents and Settings\DEN\Local Settings\Temp -------- Delete the contents of this folder. Press Ctrl + A to select all the contents. Right click and click on delete.
While you are in the Windows Explorer, expand the Local Disk (C), navigate and find the file in bold and delete it. C:\temp\Ds\Software\CloneCD.v5.0.4.5.rar[SetupCloneCD5.0.4.5.exe]

=========================================

Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5 <------------------ This item is in the Quarantine of Microsoft AntiSpyware. It won't harm you as long as it's there, but if you wish to remove it, follow the instructions below:

1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.

2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.

==========================================

Reboot in Normal Mode.

==========================================

Scan with Panda online and HijackThis again and post their respective logs, please.

P.S. You appear to have the Norton Security Suite. I just want to make sure that it's up-to-date and active. If it's not, please let me know so that we can do something about it.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
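
Comparing one HijackThis log against the next, as is done by eye throughout this thread, can be scripted. The following is an added example, not part of the original posts and not code from HijackThis; the function names are hypothetical, and the two embedded logs are short excerpts copied from the December 7 and December 13 logs above.

```python
import re

# A HijackThis entry line starts with a section code (R0-R3, O1-O23, ...)
# followed by " - ". Header lines and the "Running processes" paths do not
# match this pattern, so they are skipped automatically.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpt of the log saved on 12/7/2005 (copied from this thread, shortened).
LOG_DEC7 = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:36:52 PM, on 12/7/2005

Running processes:
C:\WINDOWS\system32\ctfmon.exe

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
"""

# Excerpt of the log saved on 12/13/2005 (copied from this thread, shortened).
LOG_DEC13 = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:59:40 PM, on 12/13/2005

Running processes:
C:\WINDOWS\system32\ctfmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
"""


def parse_entries(log_text):
    """Return the set of (section_code, body) entries found in a log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def diff_logs(old_text, new_text):
    """Compare two logs: what appeared, what disappeared, and which
    entries in the newer log point at a file that no longer exists."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "file_missing": sorted(
            entry for entry in new if entry[1].endswith("(file missing)")
        ),
    }


if __name__ == "__main__":
    result = diff_logs(LOG_DEC7, LOG_DEC13)
    for label in ("added", "removed", "file_missing"):
        print(label.upper())
        for code, body in result[label]:
            print(f"  {code} - {body}")
```

A new or removed entry is only a prompt for review, not a verdict: the script reports what changed between scans and leaves the judgement about each entry to the person reading the log.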

Unread postby Armando » December 20th, 2005, 5:11 pm

Ok, followed directions exactly, below are the two logs.
About Norton Antivirus, I have Norton Antivirus 2005 v11.0.16.2
Something I forgot to mention, is my Norton Antivirus has been acting weird lately I guess. I think this started happening right after I noticed SpyAxe. Every time I start up my computer, a "Preparing to Install..." box pops up for a second, then I get a message box saying "Norton Antivirus does not support the repair feature. Please uninstall and reinstall." Not sure why this started happening.

Anyways, the logs:

--------------------
Panda Scan
--------------------


Incident Status Location

Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EEA1787D-C8AF-4E61-9570-2152BA\A5D98C6D-C34D-4D2D-B805-E8A5C1
Virus:Bck/Complod.A Not disinfected C:\RECYCLER\S-1-5-21-2399954768-3293936855-1811947853-1011\Dc774.rar[SetupCloneCD5.0.4.5.exe]
Hacktool:HackTool/OptixPatch Not disinfected C:\temp\Game Fixes\C&C Tiberian Sun Stuff\TibSun203Crk.exe
Hacktool:HackTool/OptixPatch Not disinfected C:\temp\games\C&C - Tiberian Sun\Command_and_Conquer_Tiberian_Sun_v2.03_No-CD_Crack.zip[TibSun203Crk.exe]
Virus:Trojan Horse.AP2 Not disinfected C:\temp\Installation Files\CDRW\Installation Files\MikroAMP250.exe

--------------------
HijackThis
--------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:01:27 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel-4.05.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I notice Panda now lists my NoCD patch for Tiberian Sun, which has been there the entire time and was not listed on previous scans. That MikroAMP thing was always there too, and it didn't list it on previous scans. How come? (btw, I could've sworn I got that MikroAMP thing off the official winamp website, could be wrong though)

Anyways, again, much thanks for the help, and sorry it's taking me so long to reply.
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am

Unread postby amateur » December 21st, 2005, 6:34 pm

Hi Armando, :)

Welcome back. :) It's possible that the infection may have caused some problems with your antivirus program. Try uninstalling and then reinstalling, but please, once you uninstall your antivirus, you are vulnerable to new attacks. Make sure that you are physically disconnected from the internet while you uninstall and reinstall your antivirus. Once the installation is complete, update it and run a full scan immediately before you do anything else.

You said in your earlier post
Thank you very much for helping me out. Regarding my above post, I went ahead and removed the programs anyway, just saved some config info in a txt file.


And now Panda is showing this:

Hacktool:HackTool/OptixPatch Not disinfected C:\temp\Game Fixes\C&C Tiberian Sun Stuff\TibSun203Crk.exe
Hacktool:HackTool/OptixPatch Not disinfected C:\temp\games\C&C - Tiberian Sun\Command_and_Conquer_Tiberian_Sun_v2.03_No-CD_Crack.zip[TibSun203Crk.exe]
Virus:Trojan Horse.AP2 Not disinfected C:\temp\Installation Files\CDRW\Installation Files\MikroAMP250.exe

Is that how you've saved them? They are infected. You have to delete them.

Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EEA1787D-C8AF-4E61-9570-2152BA\A5D98C6D-C34D-4D2D-B805-E8A5C1

Don't worry about the items in the box above. They won't harm you because they are in the quarantine of Microsoft AntiSpyware.

=========================

Please open HijackThis. Close all other windows except HijackThis and put a checkmark against the following entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com

Click "fix checked". Close HijackThis.

Now do the following:
================
1. Go > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.

================

Cleaning Prefetch folder:

Using Windows Explorer navigate and open C:\Windows\Prefetch\ folder.
Delete All files in this folder but not the Prefetch folder itself.
================
Cleaning up Temporary Internet Files

Close all open windows

Right Click on the Internet Explorer Icon on your Desktop
and select Properties
Select Delete Cookies Then OK
Select Delete Files Then OK

Now Go to Start / Run and type in %temp%
then ok Edit>Select All>Delete

Now Go to Start / Run and type in cleanmgr
then ok
to use the Drive Cleanup

Please also empty out your Recycle Bin


==================

Run Panda again and post the result with a new HijackThis log, please.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by Armando » December 26th, 2005, 1:15 pm

About the info I saved... I opened up Notepad, and copied and pasted ed2k links and hub and login info, and saved it as a text file. Those lines that Panda started to show, the TibSun and MikroAMP things, are completely unrelated files that have been on my computer, untouched, for a long time. The TibSun thing is to enable me to play a game without constantly inserting the CD, and the MikroAMP thing is a plug-in for WinAMP.

Ok, I did all the steps you gave me, and below are the two new logs. I notice that the line you told me to fix using HijackThis is still present, even though I did put a check mark by it and clicked Fix Checked.

---------------
Panda Scan
---------------



Incident Status Location

Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3B249B-FE17-43B1-A0F8-F1A2A5\5F25B845-41B0-4A65-9F31-271BE5
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EEA1787D-C8AF-4E61-9570-2152BA\A5D98C6D-C34D-4D2D-B805-E8A5C1


-------------------
HijackThis
-------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:07:52 AM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel-4.05.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Armando
Active Member
 
Posts: 6
Joined: December 6th, 2005, 8:38 am
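
Added example, not part of the thread and not HijackThis code: a small Python triage script for a log like the one posted above. It splits out the entry lines, surfaces the ones HijackThis itself annotated with "(file missing)" or "Unknown owner", and checks whether an entry that was supposed to be fixed is still listed in the new log. The function names are illustrative; the sample lines are copied from the December 26th log, abridged.

```python
import re

# An entry line is a section code (letter + digits), " - ", then free text,
# e.g. "O23 - Service: ...". Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Annotations that HijackThis itself printed in the log above.
MARKERS = ("(file missing)", "Unknown owner")

# The entry the helper asked to have fixed, copied from the thread.
FIX_REQUEST = r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com"

# Lines copied from the December 26th log in the thread (abridged).
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel-4.05.exe" -service (file missing)
'''


def parse_entries(log_text):
    """Return (section_code, detail) for each entry line in a log."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def flag_entries(entries):
    """Return (code, detail, markers_found) for entries carrying a marker."""
    flagged = []
    for code, detail in entries:
        hits = [mk for mk in MARKERS if mk in detail]
        if hits:
            flagged.append((code, detail, hits))
    return flagged


def still_present(requested_lines, log_text):
    """Return the lines requested for fixing that the new log still lists."""
    current = set(parse_entries(log_text))
    return [ln for ln in requested_lines if set(parse_entries(ln)) & current]


if __name__ == "__main__":
    for code, detail, hits in flag_entries(parse_entries(SAMPLE_LOG)):
        print(code, hits, detail)
    print("not fixed:", still_present([FIX_REQUEST], SAMPLE_LOG))
```

A marker only means the entry deserves a second look by whoever is reviewing the log; it is not a verdict on the file.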

Post by amateur » December 26th, 2005, 1:54 pm

Hi Armando,

We are almost there. :) Try removing that line in Safe Mode.

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 a few times.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
============================
Open HijackThis. Click on "Scan". Close all other windows/applications except HijackThis. Place a checkmark against the following entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com

Click "fix checked".
===================
Items in the Quarantine of Microsoft AntiSpyware won't harm you as long as they are there, but if you wish to remove them, follow the instructions below:

1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.

2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.
=======================

Scan with Panda again.
=======================

Restart your computer. Post a new HijackThis log and the Panda report.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by NonSuch » January 9th, 2006, 3:35 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27215
Joined: February 23rd, 2005, 7:08 am
Location: California