warnhp

Post by wonderwill » December 6th, 2005, 3:40 pm

My PC has become infected by something that hijacked my desktop/wallpaper with a black panel and the message "Warning! Your computer might be infected with spyware or adware".
I discovered it was warnhp located in c:\windows and deleted this. I now have a white background and cannot get rid of what is causing this.

Here is the log from HijackThis, which I do not know what to do with:

Logfile of HijackThis v1.99.1
Scan saved at 14:02:34, on 04/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6978078038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » December 7th, 2005, 12:41 pm

Hello wonderwill,

I wish it was as simple as deleting a *.html file, but unfortunately it is not. :(

Please print out or copy these instructions\tutorials to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
______________________________

Please download SmitRem.exe by noahdfear to your Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________

Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/
  • Install Ewido Security Suite.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to update outdated definitions - set to 7 days
Click on the Scanning Button of the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include additional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summary in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.

Installing VX2 Cleaner 2.0
  1. Close Ad-Aware, if it is currently open.
  2. Download the VX2 Cleaner 2.0 Plug-in here.
  3. Install the VX2 Cleaner by clicking on vx2cleaner_inst.exe.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________

Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido.
______________________________

Start Ad-Aware SE
  • Click on Add-ons
  • Select the VX2 Cleaner plug-in and click Run Tool
  • If your computer isn’t infected, click Close.
    OR
  • If your computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
  • Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
  • Reboot your computer
  • Run Ad-Aware and Click on the Scan Now Button
    • Choose Perform Full System Scan
    • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
    Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

    Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed. Reboot in Normal Mode
______________________________

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please post :
  1. c:\smitfiles.txt
  2. Ewido log
  3. C:\WinPFind\WinPFind.txt
  4. a new HijackThis log
  5. Click on Start, Control Panel, click on Add/Remove Programs
    Look through the installed programs and tell me if the following program is present: Messenger Plus 3!
You may need several replies to post the requested logs, otherwise they might get cut off.

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am
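
A small parser for the HijackThis log format posted in this thread, added here as an example (it is not a MalwareRemoval.com or HijackThis tool): it splits each R/O line into section, CLSID and target, selects the entries a helper names by CLSID (the way the O9 fix list above does), and flags "(file missing)" entries and O20 load points for review. The sample lines are copied from the log posted above; the review-section table and flag wording are this example's own.

```python
"""Parser for HijackThis v1.99 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Entry lines look like "O2 - BHO: <name> - {CLSID} - <path>".
_LINE_RE = re.compile(r"^(?P<sect>[RFNO]\d{1,2}) - (?P<body>.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Loaded object: a drive path with a known extension, a URL, or a bare DLL/EXE name.
_TARGET_RE = re.compile(
    r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|html|htm|cab|lnk)|https?://\S+|[\w~.-]+\.(?:dll|exe)\b)',
    re.IGNORECASE,
)
# Sections whose entries load code into many processes or run at logon (reviewer's choice).
_REVIEW_SECTIONS = {
    "O20": "AppInit_DLLs / Winlogon Notify load point",
    "O21": "ShellServiceObjectDelayLoad entry",
    "O22": "SharedTaskScheduler entry",
}


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    target: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an R/F/N/O line, or None for headers and process lists."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    clsid = _CLSID_RE.search(body)
    target = _TARGET_RE.search(body)
    entry = HjtEntry(sect, body, clsid.group(0).upper() if clsid else None,
                     target.group(1) if target else None)
    if "(file missing)" in body:
        entry.flags.append("dead entry: referenced file is missing")
    if sect in _REVIEW_SECTIONS:
        entry.flags.append("review: " + _REVIEW_SECTIONS[sect])
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def entries_to_fix(entries: Iterable[HjtEntry], clsids: Iterable[str]) -> List[HjtEntry]:
    """Select the entries a helper asked to fix, matched case-insensitively by CLSID."""
    wanted = {c.upper() for c in clsids}
    return [e for e in entries if e.clsid in wanted]


def section_counts(entries: Iterable[HjtEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Constructed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:02:34, on 04/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# The two O9 "Related" entries the helper asked to have fixed, identified by CLSID.
HELPER_FIX_LIST = ["{c95fe080-8f5d-11d2-a20b-00aa003c157a}"]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries per section:", section_counts(entries))
    for e in entries_to_fix(entries, HELPER_FIX_LIST):
        print("FIX  ", e.section, "-", e.body)
    for e in entries:
        for flag in e.flags:
            print("FLAG ", e.section, flag, "->", e.target)
```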

Logs sent by PM - Transferring here

Post by Kimberly » December 10th, 2005, 3:20 pm

Kim

Messenger Plus is being run by my daughter and I will send the other 2 log files separately

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:24:06, 10/12/2005
+ Report-Checksum: 9C1C1402

+ Scan result:

:mozilla.19:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.285:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.286:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.288:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.307:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.308:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.377:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.379:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.380:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.384:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.386:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.439:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.448:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.520:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.522:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.528:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.537:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.538:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.539:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.540:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.541:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.552:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.553:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.554:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.555:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.556:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.557:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.558:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.561:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.566:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.567:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.568:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.569:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.570:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.588:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.589:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.590:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.619:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.655:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.656:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.657:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.686:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.687:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.688:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.689:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.690:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.691:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.692:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.693:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup


::Report End
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Transferring logs

Unread postby Kimberly » December 10th, 2005, 3:21 pm

Logfile of HijackThis v1.99.1
Scan saved at 17:22:24, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6978078038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 10/12/2005
The current time is: 15:22:54.70

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » December 10th, 2005, 3:23 pm

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Privacy_Suite
{880E1C60-DBEB-11D3-A4C4-A58C7193AA36} = C:\PROGRA~1\CYBERS~1\cybshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Privacy_Suite
{880E1C60-DBEB-11D3-A4C4-A58C7193AA36} = C:\PROGRA~1\CYBERS~1\cybshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49E0E0F0-5C30-11D4-945D-000000000003}
IE PopUp-Killer = C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Background Monitor.lnk
location Common Startup
command C:\PROGRA~1\EPSON\ESM2\STMS.exe
item EPSON Background Monitor
backup C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\EPSON\ESM2\STMS.exe
item EPSON Background Monitor
backup C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~1\Office\OSA9.EXE -b -l
item Microsoft Office
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~1\Office\OSA9.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MessengerPlus3
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsgPlus
hkey HKLM
command "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsgPlus
hkey HKLM
command "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\STManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item drst
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item drst
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfAccuracy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SAcc
hkey HKLM
command C:\Program Files\SurfAccuracy\SAcc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SAcc
hkey HKLM
command C:\Program Files\SurfAccuracy\SAcc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zanu
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zanu
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zanu
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs MsgPlusLoader.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/12/2005 17:16:06
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by Kimberly » December 11th, 2005, 12:28 am

Hello wonderwill,

You were very lucky, you didn't get infected really much. That's good news :)

A few details to fix, but you did run the last HijackThis log from within a rar archive, this is not recommended in case we need a backup. Use the one located here: C:\HJT\HijackThis.exe

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfAccuracy]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zanu]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]


Save it to your desktop as Fixme.reg. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Look for folders named nCase, n-Case, MSBB, 180Solutions and 180Search Assistant inside C:\Program Files and delete them if found.
If found, delete C:\Program Files\SurfAccuracy
______________________________

The reason I did ask about Messenger Plus 3 is because it comes bundled with LOP.
It is possible to install that program without the sponsor programs (LOP) but they word it funny so you will most of the time get it wrong. There are no visible signs of LOP running on your system right now but my advice is to remove Messenger Plus 3 from the system. It is not required for using MSN Messenger - it is a third party add-on program. Please let me know about your decision.

Kim

warnhp - Wonderwill

Post by wonderwill » December 11th, 2005, 8:17 am

Kim

Done all as you said and still have white background to desktop. Here is my log file after doing as you asked:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:25, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6978078038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » December 11th, 2005, 10:41 am

Did you perform this?

Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Next, click on the Themes tab, select Windows XP in the dropdown box and click Apply. Click on the Desktop tab and select the wallpaper of your choice and click Apply then Ok.

Let me know if that fixes it.

Kim

Warnhp

Post by wonderwill » December 11th, 2005, 11:24 am

Kim

That did the trick, cannot thank you enough.

I have another problem with my other PC in my home network.

I have a trojan IRC/BackDoor.SdBot.MYX which seems to be in
C:\system\volume Information I am running free version of AVG which states it is deleting it (I turned system restore off) but after a couple of boots it seems to come back.

I will post this separately and quite understand if I just have to do so.

Many thanks for your help.

Regards
Wonderwill

Post by Kimberly » December 11th, 2005, 2:43 pm

I'm happy it did fix your Desktop, that's good news. :)

I have a trojan IRC/BackDoor.SdBot.MYX which seems to be in
C:\system\volume Information I am running free version of AVG which states it is deleting it (I turned system restore off) but after a couple of boots it seems to come back.

That's a very dangerous group of trojans, they may seriously compromise a computer and steal personal information. Below is a general description of this family. Backdoor.Rbot/Sbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:

  • monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)
  • scan networks for machines which have unpatched common vulnerabilities (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords
  • conduct DoS attacks
  • launch SOCKS and HTTP servers on infected machines
  • send the user of the program detailed information about the victim machine, including passwords to a range of computer games
Does AVG only find it in System Restore, or somewhere else too? If AVG finds the file in another folder (not C:\system\volume Information) what is the name of the file?
Did you try to reset System Restore as shown below? (see instructions for this PC)
They often have a duplicate running somewhere or are able to download a copy of themselves again from the Internet, best would be to post a HijackThis log in a new topic and I'll have a look at it. Sometimes you see a startup program, but not always.

These instructions are for your daughter's PC

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Hide your system files again.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading uncheck Show hidden files and folders.
  6. Check the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Click OK.
______________________________

Consider upgrading to Windows XP Service Pack 2, more information can be found here: http://www.microsoft.com/athome/securit ... hoose.mspx
______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/offic ... fault.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/securi ... fault.mspx

Recently Published
http://www.microsoft.com/technet/securi ... fault.mspx

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Resources for using Internet Explorer 6
http://support.microsoft.com/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwa ... ilies.mspx

Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6

To check if you have the latest version installed and get the needed updates, please go to the link below:
http://www.java.com/en/download/windows_automatic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to check your Java Software.

Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp

Check in your Control Panel, under Add/Remove programs and uninstall ALL older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Check out these topics for more information:
http://spywarewarrior.com/viewtopic.php?t=17910
http://spywarewarrior.com/viewtopic.php?t=17598

Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue applications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Ewido Security Suite

Most of you will already have the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends, the real-time protection and the automatic update feature will stop working. You will still be able to update the program manually.
You can download Ewido Security Suite here
Ewido manual updates. Make sure to close Ewido before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

Use an AntiVirus Software

It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Let me know if everything runs fine on this PC now. :)

Kim
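The Hosts File section above explains the blocking trick: names of known ad and spyware sites are pointed at 127.0.0.1 so the PC can never reach them. The same file is also a favourite place for malware to redirect legitimate names somewhere else, which is why WinPatrol watches it for changes. The following audit script is an added example, not a tool from this thread or from any of the products named above; it generalises the point by separating loopback "block" entries from entries that send a name to a non-local address, which deserve a look. The hosts content in SAMPLE_HOSTS is constructed, and the hostnames are placeholders.

```python
"""Audit a HOSTS file: list names sinkholed to the local machine and flag
names redirected anywhere else. Added example; sample data is constructed."""
import ipaddress
from typing import Dict, List

# Addresses that make a hosts entry a "block" rather than a redirect.
LOCAL_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Constructed sample in the usual MVPS-style layout (placeholder hostnames).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.invalid      # [blocked: ad server]
127.0.0.1  tracker.example-spyware.invalid
192.0.2.10 update.example-vendor.invalid     # not loopback: review this
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per (address, name) pair, ignoring comments and junk."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, skip it
        for name in parts[1:]:                    # several names may share a line
            entries.append({"line": lineno, "address": addr, "name": name.lower()})
    return entries


def audit_hosts(text: str) -> Dict[str, list]:
    """Split entries into sinkholed names and non-local redirects."""
    entries = parse_hosts(text)
    blocked = [e["name"] for e in entries
               if e["address"] in LOCAL_ADDRESSES and e["name"] != "localhost"]
    redirected = [e for e in entries if e["address"] not in LOCAL_ADDRESSES]
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} names sinkholed to the local machine")
    for e in result["redirected"]:
        print(f"line {e['line']}: {e['name']} -> {e['address']}  (review)")
```

Point the script at the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading it into `audit_hosts` instead of the constructed sample; a large "blocked" count with an empty "redirected" list is what a healthy MVPS-style hosts file looks like.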

Trojan

Post by wonderwill » December 11th, 2005, 2:52 pm

Kim

Yes I set the restore as listed and yes on occasion the Trojan turns up under C:\oo.exe which does not exist?

Post by Kimberly » December 11th, 2005, 3:09 pm

I think I know what the problem is, killing the trojan isn't enough, we've got more to fix but I need to see a HijackThis log to have confirmation. Can you please post one?

And post the results of this mslook.bat too please:

Copy/paste the following quote box into a new notepad (not wordpad) document.

regedit.exe /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt

Save it to your Desktop as mslook.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: mslook.bat

Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

Also, let me know if you have Limewire, Kazaa or something similar installed on that PC.

Kim

Trojan

Post by wonderwill » December 11th, 2005, 4:56 pm

Kim

Yes, I am afraid I use Limewire, emule and Kazaa!

Here is info you wanted: Registry Hijack log to follow:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Willie Clemie^Start Menu^Programs^Startup^stdialup.exe]
"backup"="C:\\WINDOWS\\pss\\stdialup.exeStartup"
"location"="Startup"
"item"="stdialup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BlockChecker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="block-checker"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CARPService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="carpserv"
"hkey"="HKLM"
"command"="carpserv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Joylogmemodefy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Meet Deaf"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\Rule Cast Joy Log\\Meet Deaf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KAV50]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kav"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KazaaLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Kazaa Lite K++\\kpp.exe\" \"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp\" /SYSTRAY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PinnacleDriverCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDrvCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\roambleh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Amok dumb"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UIWatcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UIWatcher"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Hijackthis - Trojan

Unread postby wonderwill » December 11th, 2005, 4:57 pm

Logfile of HijackThis v1.99.1
Scan saved at 15:31:50, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Willie Clemie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {0BBC1B5B-2E48-4D18-973B-8E74730051C0} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZNfox000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?bf612650fd3e45d8a2417e55949533ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?bf612650fd3e45d8a2417e55949533ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8026252546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/180solu ... e-c266.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: pavwait.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE (file missing)
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe (file missing)
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » December 11th, 2005, 6:00 pm

Hello wonderwill,

Yes, I am afraid I use Limewire, emule and Kazaa!

I kinda did suspect that when you did mention the presence of BackDoor.SdBot.MYX and C:\oo.exe .... ;)

Shut down all p2p file-sharing programs for the moment; you've got a serious infection that spreads through p2p programs, and it's possible that you will upload a ton of infected files atm.

In the meantime, regarding Limewire and Kazaa Lite, please have a look here:
http://www.spywareinfo.com/articles/p2p/

Looking up the log now, I'll post back later on with a fix because you've got some other nasties on board too.

Kim

Edit : Fix is on page 2
Last edited by Kimberly on December 12th, 2005, 1:14 am, edited 1 time in total.
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am