Spyaxe is killing me!!

Post by PatrickRN » November 20th, 2005, 1:16 pm

OK, somewhere along the way I got hit with the Spyaxe. It is hijacking my home page even though when I go into Tools--Internet Options the homepage I selected is still there. If I hit Home on my IE toolbar it takes me to http://www.updateyoursystem.com which sells this horrible malware, Spyaxe, SpyTrooper, etc...

I ran Trojan Hunter, Spybot along with my Norton scan and Microsoft AntiSpyware but I still have the problem. I had the blinking icon in the system tray that would bring up the message that my PC was infected, blah blah blah, and I got rid of that, although I think I just have it hidden.

Here is my HT log...

Logfile of HijackThis v1.99.1
Scan saved at 10:52:40 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Access 97 Runtime\msaccess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp8A4E.tmp
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


thanks in advance
PatrickRN
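As an added illustration (not part of the thread, and not HijackThis, Webroot or Ewido code), here is a small Python script that scans a HijackThis 1.99 log for the three kinds of entries a helper would zero in on in the log above: the R1 ProxyServer value (a proxy the user did not set up is a question in itself, since IE relays its traffic through that host when ProxyEnable is on), the O2 BHO whose DLL is a .tmp file in system32 rather than a vendor DLL under Program Files, and the O18 protocol handler whose DLL is reported missing. The sample lines are copied from the log above; the heuristics are my own, and they flag entries for a closer look rather than declaring anything malicious.

```python
"""Triage a HijackThis 1.99 log for the kinds of entries that gave away the
Spyaxe infection in the thread above.  Added example; not HijackThis code."""
import re
from dataclasses import dataclass

# Constructed sample: six lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp8A4E.tmp
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
"""

# Every R/O entry starts with its section code; the process list and the
# "Logfile of HijackThis" header do not, so they are skipped by the parser.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in a loadable module.  HijackThis prints paths
# unquoted except in O4 lines, so stop at a quote or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|tmp|ocx)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Yield (section, body, full line) for each R/O entry in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def proxy_setting(log_text):
    """Return the R1 ProxyServer value, or None if IE has no proxy configured."""
    for section, body, _ in parse_entries(log_text):
        if section == "R1" and ",ProxyServer" in body:
            return body.split("=", 1)[1].strip()
    return None


def triage(log_text):
    """Return the entries worth a closer look, each with the reason it was flagged."""
    findings = []
    for section, body, line in parse_entries(log_text):
        path = PATH_RE.search(body)
        if section == "R1" and ",ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            findings.append(Finding(
                section,
                f"IE proxy set to {proxy}; with ProxyEnable on, browser traffic is relayed through that host",
                line))
        elif section == "O2" and path and path.group(0).lower().endswith(".tmp"):
            # A BHO is a DLL that IE loads at startup.  A vendor's BHO is a .dll
            # under Program Files; a .tmp in system32 is not how anyone ships one.
            findings.append(Finding(section, "BHO loaded from a .tmp file", line))
        elif section == "O18" and "(file missing)" in body:
            findings.append(Finding(
                section, "protocol handler registered for a DLL that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run against the six sample lines the script flags the R1, the HomepageBHO O2 and the O18 entries and leaves the Norton BHO and the ccApp Run entry alone. The R0 Start Page line is clean, which is consistent with what PatrickRN reports: the registry value still says emachines.com, and the redirect happens at runtime once the BHO is loaded.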

Post by Susan528 » November 20th, 2005, 1:41 pm

Hello PatrickRN and Welcome to Malware Removal,

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

STEP 1.
======
SpySweeper
Please download WebRoot SpySweeper.
(It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

STEP 2.
======
Download Ewido
  1. Download and install Ewido Security Suite. It is a free trial version of the program.
  2. Install ewido security suite
  3. Launch ewido, there should be an icon on your desktop double-click it.
  4. The program will now go to the main screen

STEP 3.
======
Update Ewido
You will need to update ewido to the latest definition files.
  1. On the left hand side of the main screen click update
  2. Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 4.
======
Ewido Scan
Once the updates are installed do the following:
  1. Click on scanner
  2. Click on Complete System Scan and the scan will begin.
  3. NOTE: During some scans with ewido it is finding cases of false positives.**
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
  4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  5. Click Save report.
  6. Save the report .txt file to your desktop.

Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Please post the results from SpySweeper, ewido and a new hijackthis log.
Susan528

Post by PatrickRN » November 20th, 2005, 4:33 pm

Thanks Susan528, here is what you asked for...

Spysweeper

********
2:01 PM: | Start of Session, Sunday, November 20, 2005 |
2:01 PM: Spy Sweeper started
2:01 PM: Sweep initiated using definitions version 574
2:01 PM: Starting Memory Sweep
2:06 PM: Memory Sweep Complete, Elapsed Time: 00:05:09
2:06 PM: Starting Registry Sweep
2:06 PM: Found Adware: popuper
2:06 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (4 subtraces) (ID = 735573)
2:06 PM: Found Adware: security2k hijacker
2:06 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
2:06 PM: Found Trojan Horse: trojan-downloader-zlob
2:06 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
2:06 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
2:06 PM: HKCR\nvideocodek.chl\ (2 subtraces) (ID = 820294)
2:06 PM: HKLM\software\classes\nvideocodek.chl\ (2 subtraces) (ID = 820324)
2:06 PM: Registry Sweep Complete, Elapsed Time:00:00:27
2:06 PM: Starting Cookie Sweep
2:06 PM: Found Spy Cookie: coremetrics cookie
2:06 PM: emma@data.coremetrics[1].txt (ID = 2472)
2:07 PM: Found Spy Cookie: 2o7.net cookie
2:07 PM: ashley@2o7[2].txt (ID = 1957)
2:07 PM: Found Spy Cookie: 64.62.232 cookie
2:07 PM: ashley@64.62.232[1].txt (ID = 1987)
2:07 PM: ashley@64.62.232[2].txt (ID = 1987)
2:07 PM: ashley@64.62.232[3].txt (ID = 1987)
2:07 PM: ashley@64.62.232[5].txt (ID = 1987)
2:07 PM: ashley@64.62.232[6].txt (ID = 1987)
2:07 PM: Found Spy Cookie: 888 cookie
2:07 PM: ashley@888[2].txt (ID = 2019)
2:07 PM: Found Spy Cookie: shop@home cookie
2:07 PM: ashley@a.shopathomeselect[1].txt (ID = 3368)
2:07 PM: Found Spy Cookie: websponsors cookie
2:07 PM: ashley@a.websponsors[2].txt (ID = 3665)
2:07 PM: Found Spy Cookie: about cookie
2:07 PM: ashley@about[2].txt (ID = 2037)
2:07 PM: Found Spy Cookie: ad-logics cookie
2:07 PM: ashley@ad-logics[1].txt (ID = 2049)
2:07 PM: Found Spy Cookie: yieldmanager cookie
2:07 PM: ashley@ad.yieldmanager[2].txt (ID = 3751)
2:07 PM: Found Spy Cookie: adecn cookie
2:07 PM: ashley@adecn[1].txt (ID = 2063)
2:07 PM: Found Spy Cookie: adknowledge cookie
2:07 PM: ashley@adknowledge[2].txt (ID = 2072)
2:07 PM: Found Spy Cookie: hbmediapro cookie
2:07 PM: ashley@adopt.hbmediapro[2].txt (ID = 2768)
2:07 PM: Found Spy Cookie: hotbar cookie
2:07 PM: ashley@adopt.hotbar[2].txt (ID = 4207)
2:07 PM: Found Spy Cookie: specificclick.com cookie
2:07 PM: ashley@adopt.specificclick[2].txt (ID = 3400)
2:07 PM: Found Spy Cookie: adorigin cookie
2:07 PM: ashley@adorigin[2].txt (ID = 2082)
2:07 PM: Found Spy Cookie: adrevolver cookie
2:07 PM: ashley@adrevolver[2].txt (ID = 2088)
2:07 PM: ashley@adrevolver[3].txt (ID = 2088)
2:07 PM: Found Spy Cookie: addynamix cookie
2:07 PM: ashley@ads.addynamix[2].txt (ID = 2062)
2:07 PM: Found Spy Cookie: ads.adsag cookie
2:07 PM: ashley@ads.adsag[1].txt (ID = 2108)
2:07 PM: Found Spy Cookie: cc214142 cookie
2:07 PM: ashley@ads.cc214142[1].txt (ID = 2367)
2:07 PM: Found Spy Cookie: pointroll cookie
2:07 PM: ashley@ads.pointroll[2].txt (ID = 3148)
2:07 PM: Found Spy Cookie: adserver cookie
2:07 PM: ashley@adserver[2].txt (ID = 2141)
2:07 PM: Found Spy Cookie: advertising cookie
2:07 PM: ashley@advertising[1].txt (ID = 2175)
2:07 PM: Found Spy Cookie: apmebf cookie
2:07 PM: ashley@apmebf[1].txt (ID = 2229)
2:07 PM: Found Spy Cookie: falkag cookie
2:07 PM: ashley@as-eu.falkag[1].txt (ID = 2650)
2:07 PM: ashley@as-us.falkag[1].txt (ID = 2650)
2:07 PM: Found Spy Cookie: ask cookie
2:07 PM: ashley@ask[1].txt (ID = 2245)
2:07 PM: Found Spy Cookie: atlas dmt cookie
2:07 PM: ashley@atdmt[2].txt (ID = 2253)
2:07 PM: Found Spy Cookie: belnk cookie
2:07 PM: ashley@ath.belnk[1].txt (ID = 2293)
2:07 PM: Found Spy Cookie: atwola cookie
2:07 PM: ashley@atwola[2].txt (ID = 2255)
2:07 PM: Found Spy Cookie: banner cookie
2:07 PM: ashley@banner[2].txt (ID = 2276)
2:07 PM: ashley@belnk[2].txt (ID = 2292)
2:07 PM: Found Spy Cookie: bluestreak cookie
2:07 PM: ashley@bluestreak[2].txt (ID = 2314)
2:07 PM: Found Spy Cookie: bravenet cookie
2:07 PM: ashley@bravenet[1].txt (ID = 2322)
2:07 PM: Found Spy Cookie: bs.serving-sys cookie
2:07 PM: ashley@bs.serving-sys[1].txt (ID = 2330)
2:07 PM: Found Spy Cookie: burstnet cookie
2:07 PM: ashley@burstnet[1].txt (ID = 2336)
2:07 PM: Found Spy Cookie: casalemedia cookie
2:07 PM: ashley@casalemedia[2].txt (ID = 2354)
2:07 PM: Found Spy Cookie: centrport net cookie
2:07 PM: ashley@centrport[1].txt (ID = 2374)
2:07 PM: Found Spy Cookie: clickagents cookie
2:07 PM: ashley@clickagents[1].txt (ID = 2394)
2:07 PM: Found Spy Cookie: clickbank cookie
2:07 PM: ashley@clickbank[1].txt (ID = 2398)
2:07 PM: Found Spy Cookie: commission junction cookie
2:07 PM: ashley@commission-junction[2].txt (ID = 2455)
2:07 PM: ashley@coxhsi.112.2o7[2].txt (ID = 1958)
2:07 PM: Found Spy Cookie: clickzs cookie
2:07 PM: ashley@cz8.clickzs[2].txt (ID = 2413)
2:07 PM: ashley@data.coremetrics[1].txt (ID = 2472)
2:07 PM: Found Spy Cookie: did-it cookie
2:07 PM: ashley@did-it[1].txt (ID = 2523)
2:07 PM: ashley@dist.belnk[2].txt (ID = 2293)
2:07 PM: Found Spy Cookie: ru4 cookie
2:07 PM: ashley@edge.ru4[2].txt (ID = 3269)
2:07 PM: Found Spy Cookie: empnads cookie
2:07 PM: ashley@empnads[2].txt (ID = 5012)
2:07 PM: Found Spy Cookie: experclick cookie
2:07 PM: ashley@experclick[2].txt (ID = 2639)
2:07 PM: ashley@familycrafts.about[2].txt (ID = 2038)
2:07 PM: Found Spy Cookie: fastclick cookie
2:07 PM: ashley@fastclick[2].txt (ID = 2651)
2:07 PM: Found Spy Cookie: findwhat cookie
2:07 PM: ashley@findwhat[1].txt (ID = 2674)
2:07 PM: ashley@gateway.122.2o7[1].txt (ID = 1958)
2:07 PM: ashley@geography.about[1].txt (ID = 2038)
2:07 PM: Found Spy Cookie: clickandtrack cookie
2:07 PM: ashley@hits.clickandtrack[2].txt (ID = 2397)
2:07 PM: Found Spy Cookie: hypertracker.com cookie
2:07 PM: ashley@hypertracker[2].txt (ID = 2817)
2:07 PM: Found Spy Cookie: screensavers.com cookie
2:07 PM: ashley@i.screensavers[2].txt (ID = 3298)
2:07 PM: Found Spy Cookie: ic-live cookie
2:07 PM: ashley@ic-live[1].txt (ID = 2821)
2:07 PM: Found Spy Cookie: maxserving cookie
2:07 PM: ashley@maxserving[1].txt (ID = 2966)
2:07 PM: ashley@msnportal.112.2o7[1].txt (ID = 1958)
2:07 PM: Found Spy Cookie: nextag cookie
2:07 PM: ashley@nextag[2].txt (ID = 5014)
2:07 PM: Found Spy Cookie: offeroptimizer cookie
2:07 PM: ashley@offeroptimizer[2].txt (ID = 3087)
2:07 PM: Found Spy Cookie: one-time-offer cookie
2:07 PM: ashley@one-time-offer[1].txt (ID = 3095)
2:07 PM: Found Spy Cookie: overture cookie
2:07 PM: ashley@overture[1].txt (ID = 3105)
2:07 PM: Found Spy Cookie: paypopup cookie
2:07 PM: ashley@paypopup[1].txt (ID = 3119)
2:07 PM: ashley@perf.overture[1].txt (ID = 3106)
2:07 PM: Found Spy Cookie: pro-market cookie
2:07 PM: ashley@pro-market[2].txt (ID = 3197)
2:07 PM: Found Spy Cookie: qksrv cookie
2:07 PM: ashley@qksrv[2].txt (ID = 3213)
2:07 PM: Found Spy Cookie: questionmarket cookie
2:07 PM: ashley@questionmarket[1].txt (ID = 3217)
2:07 PM: Found Spy Cookie: realmedia cookie
2:07 PM: ashley@realmedia[2].txt (ID = 3235)
2:07 PM: Found Spy Cookie: reunion cookie
2:07 PM: ashley@reunion[2].txt (ID = 3255)
2:07 PM: Found Spy Cookie: revenue.net cookie
2:07 PM: ashley@revenue[2].txt (ID = 3257)
2:07 PM: Found Spy Cookie: rn11 cookie
2:07 PM: ashley@rn11[2].txt (ID = 3261)
2:07 PM: Found Spy Cookie: adjuggler cookie
2:07 PM: ashley@rotator.adjuggler[2].txt (ID = 2071)
2:07 PM: ashley@screensavers[1].txt (ID = 3297)
2:07 PM: Found Spy Cookie: server.iad.liveperson cookie
2:07 PM: ashley@server.iad.liveperson[2].txt (ID = 3341)
2:07 PM: Found Spy Cookie: serving-sys cookie
2:07 PM: ashley@serving-sys[2].txt (ID = 3343)
2:07 PM: ashley@shopathomeselect[1].txt (ID = 3367)
2:07 PM: Found Spy Cookie: spylog cookie
2:07 PM: ashley@spylog[1].txt (ID = 3415)
2:07 PM: Found Spy Cookie: onestat.com cookie
2:07 PM: ashley@stat.onestat[2].txt (ID = 3098)
2:07 PM: Found Spy Cookie: statcounter cookie
2:07 PM: ashley@statcounter[2].txt (ID = 3447)
2:07 PM: Found Spy Cookie: webtrendslive cookie
2:07 PM: ashley@statse.webtrendslive[1].txt (ID = 3667)
2:07 PM: Found Spy Cookie: targetnet cookie
2:07 PM: ashley@targetnet[1].txt (ID = 3489)
2:07 PM: Found Spy Cookie: tickle cookie
2:07 PM: ashley@tickle[2].txt (ID = 3529)
2:07 PM: Found Spy Cookie: tradedoubler cookie
2:07 PM: ashley@tradedoubler[1].txt (ID = 3575)
2:07 PM: Found Spy Cookie: trafficmp cookie
2:07 PM: ashley@trafficmp[1].txt (ID = 3581)
2:07 PM: Found Spy Cookie: tribalfusion cookie
2:07 PM: ashley@tribalfusion[2].txt (ID = 3589)
2:07 PM: Found Spy Cookie: tripod cookie
2:07 PM: ashley@tripod[1].txt (ID = 3591)
2:07 PM: ashley@vip.clickzs[2].txt (ID = 2413)
2:07 PM: Found Spy Cookie: burstbeacon cookie
2:07 PM: ashley@www.burstbeacon[1].txt (ID = 2335)
2:07 PM: ashley@www.screensavers[2].txt (ID = 3298)
2:07 PM: ashley@www.shopathomeselect[2].txt (ID = 3368)
2:07 PM: Found Spy Cookie: stlyrics cookie
2:07 PM: ashley@www.stlyrics[2].txt (ID = 3462)
2:07 PM: Found Spy Cookie: xiti cookie
2:07 PM: ashley@xiti[2].txt (ID = 3717)
2:07 PM: Found Spy Cookie: yadro cookie
2:07 PM: ashley@yadro[1].txt (ID = 3743)
2:07 PM: ashley@yieldmanager[1].txt (ID = 3749)
2:07 PM: ashley@z1.adserver[1].txt (ID = 2142)
2:07 PM: Found Spy Cookie: zedo cookie
2:07 PM: ashley@zedo[2].txt (ID = 3762)
2:07 PM: amy@2o7[1].txt (ID = 1957)
2:07 PM: amy@about[1].txt (ID = 2037)
2:07 PM: amy@adopt.specificclick[2].txt (ID = 3400)
2:07 PM: amy@ads.pointroll[2].txt (ID = 3148)
2:07 PM: amy@advertising[2].txt (ID = 2175)
2:07 PM: amy@as-us.falkag[1].txt (ID = 2650)
2:07 PM: amy@atdmt[2].txt (ID = 2253)
2:07 PM: amy@atwola[1].txt (ID = 2255)
2:07 PM: Found Spy Cookie: a cookie
2:07 PM: amy@a[1].txt (ID = 2027)
2:07 PM: amy@belnk[1].txt (ID = 2292)
2:07 PM: amy@bluestreak[1].txt (ID = 2314)
2:07 PM: amy@bs.serving-sys[1].txt (ID = 2330)
2:07 PM: Found Spy Cookie: goclick cookie
2:07 PM: amy@c.goclick[2].txt (ID = 2733)
2:07 PM: amy@centrport[2].txt (ID = 2374)
2:07 PM: Found Spy Cookie: hitslink cookie
2:07 PM: amy@counter.hitslink[2].txt (ID = 2790)
2:07 PM: amy@coxhsi.112.2o7[1].txt (ID = 1958)
2:07 PM: Found Spy Cookie: 360i cookie
2:07 PM: amy@ct.360i[1].txt (ID = 1962)
2:07 PM: amy@data.coremetrics[1].txt (ID = 2472)
2:07 PM: amy@dist.belnk[2].txt (ID = 2293)
2:07 PM: amy@edge.ru4[1].txt (ID = 3269)
2:07 PM: amy@entertaining.about[2].txt (ID = 2038)
2:07 PM: amy@fastclick[1].txt (ID = 2651)
2:07 PM: amy@gateway.122.2o7[1].txt (ID = 1958)
2:07 PM: Found Spy Cookie: humanclick cookie
2:07 PM: amy@hc2.humanclick[1].txt (ID = 2810)
2:07 PM: amy@nextag[1].txt (ID = 5014)
2:07 PM: amy@perf.overture[1].txt (ID = 3106)
2:07 PM: amy@questionmarket[1].txt (ID = 3217)
2:07 PM: amy@realmedia[1].txt (ID = 3235)
2:07 PM: amy@revenue[1].txt (ID = 3257)
2:07 PM: amy@sel.as-us.falkag[2].txt (ID = 2650)
2:07 PM: Found Spy Cookie: servedby advertising cookie
2:07 PM: amy@servedby.advertising[1].txt (ID = 3335)
2:07 PM: amy@serving-sys[2].txt (ID = 3343)
2:07 PM: amy@tripod[1].txt (ID = 3591)
2:07 PM: amy@z1.adserver[1].txt (ID = 2142)
2:07 PM: amy@zedo[1].txt (ID = 3762)
2:07 PM: me@ask[1].txt (ID = 2245)
2:07 PM: me@belnk[1].txt (ID = 2292)
2:07 PM: me@dist.belnk[2].txt (ID = 2293)
2:07 PM: me@spylog[1].txt (ID = 3415)
2:07 PM: me@statcounter[2].txt (ID = 3447)
2:07 PM: me@tribalfusion[2].txt (ID = 3589)
2:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:10
2:07 PM: Starting File Sweep
2:52 PM: Warning: Failed to open file "c:\documents and settings\me\my documents\my videos\new folder\33.zip:zone.identifier". The system cannot find the file specified
2:52 PM: Found Adware: coolwebsearch (cws)
2:52 PM: dc1.url (ID = 54373)
2:52 PM: dc2.url (ID = 54472)
2:52 PM: Found Adware: directrevenue-abetterinternet
2:52 PM: a0023077.inf (ID = 83267)
2:52 PM: a0023085.inf (ID = 83180)
2:52 PM: a0023087.inf (ID = 83223)
2:52 PM: a0023089.inf (ID = 83267)
2:52 PM: a0023075.inf (ID = 83180)
2:52 PM: a0024303.ini (ID = 83499)
2:52 PM: a0023076.inf (ID = 83223)
2:54 PM: File Sweep Complete, Elapsed Time: 00:47:13
2:54 PM: Full Sweep has completed. Elapsed time 00:46:55
2:54 PM: Traces Found: 166
3:01 PM: Removal process initiated
3:02 PM: Quarantining All Traces: directrevenue-abetterinternet
3:02 PM: Quarantining All Traces: popuper
3:02 PM: Quarantining All Traces: security2k hijacker
3:02 PM: Quarantining All Traces: trojan-downloader-zlob
3:02 PM: Quarantining All Traces: coolwebsearch (cws)
3:02 PM: Quarantining All Traces: 2o7.net cookie
3:02 PM: Quarantining All Traces: 360i cookie
3:02 PM: Quarantining All Traces: 64.62.232 cookie
3:02 PM: Quarantining All Traces: 888 cookie
3:02 PM: Quarantining All Traces: a cookie
3:02 PM: Quarantining All Traces: about cookie
3:02 PM: Quarantining All Traces: addynamix cookie
3:02 PM: Quarantining All Traces: adecn cookie
3:02 PM: Quarantining All Traces: adjuggler cookie
3:02 PM: Quarantining All Traces: adknowledge cookie
3:02 PM: Quarantining All Traces: ad-logics cookie
3:02 PM: Quarantining All Traces: adorigin cookie
3:02 PM: Quarantining All Traces: adrevolver cookie
3:02 PM: Quarantining All Traces: ads.adsag cookie
3:02 PM: Quarantining All Traces: adserver cookie
3:02 PM: Quarantining All Traces: advertising cookie
3:02 PM: Quarantining All Traces: apmebf cookie
3:02 PM: Quarantining All Traces: ask cookie
3:02 PM: Quarantining All Traces: atlas dmt cookie
3:02 PM: Quarantining All Traces: atwola cookie
3:02 PM: Quarantining All Traces: banner cookie
3:02 PM: Quarantining All Traces: belnk cookie
3:02 PM: Quarantining All Traces: bluestreak cookie
3:02 PM: Quarantining All Traces: bravenet cookie
3:02 PM: Quarantining All Traces: bs.serving-sys cookie
3:02 PM: Quarantining All Traces: burstbeacon cookie
3:02 PM: Quarantining All Traces: burstnet cookie
3:02 PM: Quarantining All Traces: casalemedia cookie
3:02 PM: Quarantining All Traces: cc214142 cookie
3:02 PM: Quarantining All Traces: centrport net cookie
3:02 PM: Quarantining All Traces: clickagents cookie
3:02 PM: Quarantining All Traces: clickandtrack cookie
3:02 PM: Quarantining All Traces: clickbank cookie
3:02 PM: Quarantining All Traces: clickzs cookie
3:02 PM: Quarantining All Traces: commission junction cookie
3:02 PM: Quarantining All Traces: coremetrics cookie
3:02 PM: Quarantining All Traces: did-it cookie
3:02 PM: Quarantining All Traces: empnads cookie
3:02 PM: Quarantining All Traces: experclick cookie
3:02 PM: Quarantining All Traces: falkag cookie
3:02 PM: Quarantining All Traces: fastclick cookie
3:02 PM: Quarantining All Traces: findwhat cookie
3:02 PM: Quarantining All Traces: goclick cookie
3:02 PM: Quarantining All Traces: hbmediapro cookie
3:02 PM: Quarantining All Traces: hitslink cookie
3:02 PM: Quarantining All Traces: hotbar cookie
3:02 PM: Quarantining All Traces: humanclick cookie
3:02 PM: Quarantining All Traces: hypertracker.com cookie
3:02 PM: Quarantining All Traces: ic-live cookie
3:02 PM: Quarantining All Traces: maxserving cookie
3:02 PM: Quarantining All Traces: nextag cookie
3:02 PM: Quarantining All Traces: offeroptimizer cookie
3:02 PM: Quarantining All Traces: onestat.com cookie
3:02 PM: Quarantining All Traces: one-time-offer cookie
3:02 PM: Quarantining All Traces: overture cookie
3:02 PM: Quarantining All Traces: paypopup cookie
3:02 PM: Quarantining All Traces: pointroll cookie
3:02 PM: Quarantining All Traces: pro-market cookie
3:02 PM: Quarantining All Traces: qksrv cookie
3:02 PM: Quarantining All Traces: questionmarket cookie
3:02 PM: Quarantining All Traces: realmedia cookie
3:02 PM: Quarantining All Traces: reunion cookie
3:02 PM: Quarantining All Traces: revenue.net cookie
3:02 PM: Quarantining All Traces: rn11 cookie
3:02 PM: Quarantining All Traces: ru4 cookie
3:02 PM: Quarantining All Traces: screensavers.com cookie
3:02 PM: Quarantining All Traces: servedby advertising cookie
3:02 PM: Quarantining All Traces: server.iad.liveperson cookie
3:02 PM: Quarantining All Traces: serving-sys cookie
3:02 PM: Quarantining All Traces: shop@home cookie
3:02 PM: Quarantining All Traces: specificclick.com cookie
3:02 PM: Quarantining All Traces: spylog cookie
3:02 PM: Quarantining All Traces: statcounter cookie
3:02 PM: Quarantining All Traces: stlyrics cookie
3:02 PM: Quarantining All Traces: targetnet cookie
3:02 PM: Quarantining All Traces: tickle cookie
3:02 PM: Quarantining All Traces: tradedoubler cookie
3:02 PM: Quarantining All Traces: trafficmp cookie
3:02 PM: Quarantining All Traces: tribalfusion cookie
3:02 PM: Quarantining All Traces: tripod cookie
3:02 PM: Quarantining All Traces: websponsors cookie
3:02 PM: Quarantining All Traces: webtrendslive cookie
3:02 PM: Quarantining All Traces: xiti cookie
3:02 PM: Quarantining All Traces: yadro cookie
3:02 PM: Quarantining All Traces: yieldmanager cookie
3:02 PM: Quarantining All Traces: zedo cookie
3:20 PM: Removal process completed. Elapsed time 00:19:03
********
2:00 PM: | Start of Session, Sunday, November 20, 2005 |
2:00 PM: Spy Sweeper started
2:00 PM: Your spyware definitions have been updated.
2:01 PM: | End of Session, Sunday, November 20, 2005 |
Ewido

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0519A9C9-064A-4cbc-BC47-D0EACD581477} -> Spyware.Icoo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{465A59EC-20E5-4fca-A38A-E5EC3C480218} -> Spyware.Icoo : Cleaned with backup
HKLM\SOFTWARE\Classes\icoou.ICOODManager\CLSID\\ -> Spyware.Icoo : Cleaned with backup
HKLM\SOFTWARE\Classes\icoou.ICOODManager.1\CLSID\\ -> Spyware.Icoo : Cleaned with backup
HKLM\SOFTWARE\Classes\icooue.ICOOEHandler.1\CLSID\\ -> Spyware.Icoo : Cleaned with backup
HKLM\SOFTWARE\Classes\icooue.ICOOExternal\CLSID\\ -> Spyware.Icoo : Cleaned with backup
C:\!KillBox\svchosts.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@counter.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@coxhsi.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@ehg-console.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@ehg-kohls.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@ehg-legalmatch.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@gateway.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@sel.as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Amy\Cookies\amy@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@a.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@coxhsi.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ehg-mbm.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@ehg-shoes.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@gateway.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@mt.valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@vip.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@www.shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ashley\Cookies\ashley@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@stats.adbrite[2].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\WINDOWS\system32\1024\ld9E66.tmp -> TrojanDropper.Small.ahg : Cleaned with backup

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 3:32:29 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\Me\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp8A4E.tmp
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
PatrickRN
Active Member
 
Posts: 5
Joined: November 20th, 2005, 11:58 am

Unread postby Susan528 » November 20th, 2005, 5:14 pm

Hello RickRN,

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\system32\hp8A4E.tmp
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). See if you can find some company information, etc.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".

After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Trojan Hunter Guard:
Please disable Trojan Hunter Guard, as it may interfere with the fix.
To disable Trojan Hunter Guard:
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red.
  • Right click it and select settings. Uncheck "Load at startup" and "Enabled"
Once your log is clean you can re-enable Trojan Hunter Guard.

Hijackthis

  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
    O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp8A4E.tmp
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:
    C:\WINDOWS\system32\hp8A4E.tmp
    Exit Explorer, and reboot as normal afterwards.


Post back a fresh HijackThis log and we will take another look. Please let me know how your computer is running.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
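
The fix above singles out one line of the log by eye: an O2 BHO that loads from a .tmp file in system32, which no legitimate browser helper would do. The following script, added here as an example and not a tool from this thread or from HijackThis, does the same first-pass triage mechanically. It parses the R/O entries of a HijackThis v1.99 log, pulls the file path out of each code-loading entry (O2/O3/O4/O20-O23), and flags any whose file is not a .dll/.exe/.ocx, plus browser settings worth a second look (an IE proxy entry, or a start page on a host outside an allow list you supply). The sample log, the allow list of trusted hosts, and the rule set are constructed assumptions for the example; a flagged proxy only means "confirm it", since here it is plausibly the ISP's.

```python
"""Triage a HijackThis v1.99 log: parse the numbered entries and flag the ones
a malware-removal helper would look at first (added example, not thread code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample in the shape of the log posted above (a few lines only).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp8A4E.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*)')
# Sections that load code into IE, Explorer or Winlogon (assumed rule set).
CODE_LOADING = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}
# Extensions a legitimate BHO, toolbar, service or notify package would carry.
EXPECTED_EXT = {".dll", ".exe", ".ocx"}


@dataclass
class Entry:
    code: str            # section tag, e.g. "O2"
    body: str            # everything after "O2 - "
    path: Optional[str]  # first Windows path in the body, if any
    raw: str


@dataclass
class Finding:
    severity: str        # "high" or "review"
    reason: str
    entry: Entry


def parse_log(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank and running-process lines
        body = m.group("body")
        pm = PATH_RE.search(body)
        # Drop rundll32-style ",EntryPoint" suffixes after the file name.
        path = pm.group(1).split(",")[0].strip() if pm else None
        entries.append(Entry(m.group("code"), body, path, line))
    return entries


def triage(entries: List[Entry], trusted_hosts: Set[str]) -> List[Finding]:
    """Apply two rules a helper applies by eye: odd browser settings, odd loaders."""
    findings = []
    for e in entries:
        if e.code in {"R0", "R1"}:
            key, _, value = e.body.partition(" = ")
            if key.endswith("ProxyServer"):
                findings.append(Finding("review", "IE proxy is set; confirm it is the ISP's", e))
            elif value.startswith("http"):
                host = urlsplit(value).hostname or ""
                if host not in trusted_hosts:
                    findings.append(Finding("review", f"browser page set to untrusted host {host}", e))
        if e.code in CODE_LOADING and e.path:
            name = e.path.rsplit("\\", 1)[-1].lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext not in EXPECTED_EXT:
                findings.append(Finding("high", f"code loaded from a non-library file ({name})", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), {"www.emachines.com"}):
        print(f"[{f.severity}] {f.reason}\n    {f.entry.raw}")
```

Run against the sample, the only "high" finding is the HomepageBHO entry loading C:\WINDOWS\system32\hp8A4E.tmp, which is exactly the line the helper asked to have fixed; the Spybot SDHelper BHO and the Webroot Winlogon notify DLL pass, and the proxy line comes back as "review" rather than a verdict.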

Unread postby PatrickRN » November 20th, 2005, 9:17 pm

Thanks so much, this seems to have solved the problem, although:

C:\WINDOWS\system32\hp8A4E.tmp
was not found in safe mode. I looked at the properties file on it prior to running it through Jotti and there was no info.

Here is the Jotti log:
Service load: 0% 100%

File: hp8A4E.tmp
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 9e6491588d13c4e79172f75ca2528369
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/StartPage.ADH
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.11 (paranoid heuristics) (probable variant)
PatrickRN
Active Member
 
Posts: 5
Joined: November 20th, 2005, 11:58 am

Unread postby Susan528 » November 20th, 2005, 9:32 pm

Hello PatrickRN,

Please post another hijackthis log. I believe everything is fine but want to make sure before I give you the final clean-up.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby PatrickRN » November 21st, 2005, 7:31 pm

Thanks, you've been a huge help.

Here is the log you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:50 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
PatrickRN
Active Member
 
Posts: 5
Joined: November 20th, 2005, 11:58 am

Unread postby Susan528 » November 21st, 2005, 10:59 pm

Hello Patrick,

This SpyAxe infection can be nasty to clean up so I want you to do the following so we can be sure we got it all. This involves running the Ewido again but this is necessary in this fix.

Smitfraud Fix

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby PatrickRN » November 22nd, 2005, 7:09 pm

Many thanks again...

Panda Scan:

Incident Status Location

Adware:adware/spyaxe Not disinfected Windows Registry
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\1024\ld6638.tmp
Virus:Trj/Deldir.A Not disinfected C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:39 PM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Me\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

smitfiles:

smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 11/22/2005
The current time is: 13:02:22.37

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
ncompat.tlb
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:20:44 PM, 11/22/2005
+ Report-Checksum: 881CACD3

+ Scan result:

C:\Documents and Settings\Me\Cookies\me@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@gateway.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Me\Cookies\me@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Me\My Documents\Hijack this\backups\backup-20051120-165824-582.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End
PatrickRN
Active Member
 
Posts: 5
Joined: November 20th, 2005, 11:58 am
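The logs above are what a helper reads by hand: the HijackThis R0/R1 browser settings (note the ProxyServer entry pointing at a bare IP and port), the O4 autostarts, the O20 Winlogon Notify hook, and smitRem's "Existing Pre-run Files" versus "Remaining Post-run Files" lists. The following Python is an added example written for this page; it is not HijackThis, smitRem or anything the thread's participants posted. It parses constructed excerpts of the two logs shown in this thread, flags the settings a helper would review first, and checks that smitRem's wildcard names (such as ld****.tmp) cover the file Panda reported (ld6638.tmp). The expected home-page host (www.emachines.com) and the dictionary layout of the report are assumptions made for the example.

```python
"""Triage helpers for HijackThis and smitRem logs (added example, not a tool from the thread)."""
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.164.228.114:8000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Constructed sample: the smitRem report from this thread, abbreviated to the populated sections.
SAMPLE_SMITREM = """\
Existing Pre-run Files

~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
ncompat.tlb
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Wininet.dll ~~~

CLEAN! :)
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
SMITREM_HEADER = re.compile(r"^~~~ (.+?) ~~~$")


def parse_hjt(text):
    """Return (kind, body) pairs for every 'Rn - ...' / 'On - ...' line."""
    matches = (HJT_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("body")) for m in matches if m]


def registry_value(body):
    """'HKCU\\...\\Main,Start Page = http://x' -> ('Start Page', 'http://x')."""
    left, _, value = body.partition(" = ")
    return left.rsplit(",", 1)[-1], value.strip()


def triage_hjt(text, expected_home_host):
    """Summarise the entries a helper looks at first: proxy, start pages, autostarts, Winlogon hooks."""
    report = {"proxy": None, "proxy_is_ip": False, "unexpected_start_pages": [],
              "autostarts": [], "winlogon_notify": []}
    for kind, body in parse_hjt(text):
        if kind in ("R0", "R1"):
            name, value = registry_value(body)
            if name == "ProxyServer":
                report["proxy"] = value
                # A bare IP:port proxy on a home PC deserves review: every request is routed through it.
                report["proxy_is_ip"] = bool(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", value))
            elif name in ("Start Page", "Default_Page_URL", "ShellNext"):
                if urlparse(value).hostname != expected_home_host:
                    report["unexpected_start_pages"].append((name, value))
        elif kind == "O4":
            m = re.match(r".*?\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
            if m:
                report["autostarts"].append((m.group("name"), m.group("cmd")))
        elif kind == "O20":
            report["winlogon_notify"].append(body.partition(": ")[2])
    return report


def parse_smitrem(text):
    """Return {'pre': {folder: [names]}, 'post': {folder: [names]}} from a smitRem log."""
    phases = {"pre": {}, "post": {}}
    phase = folder = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"~"}:      # blank line or the tilde separator
            continue
        if line.startswith("Existing Pre-run"):
            phase, folder = "pre", None
            continue
        if line.startswith("Remaining Post-run"):
            phase, folder = "post", None
            continue
        m = SMITREM_HEADER.match(line)
        if m:
            folder = m.group(1)
            if phase:
                phases[phase].setdefault(folder, [])
            continue
        if phase and folder:
            phases[phase][folder].append(line)
    return phases


def removed_files(phases):
    """Names present before smitRem ran and absent afterwards, per folder (empty folders skipped)."""
    return {folder: [n for n in names if n not in phases["post"].get(folder, [])]
            for folder, names in phases["pre"].items() if names}


def matches_artifact(filename, patterns):
    """True if filename matches one of smitRem's wildcard names, e.g. ld****.tmp covers ld6638.tmp."""
    return any(fnmatchcase(filename.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    hjt = triage_hjt(SAMPLE_HJT, "www.emachines.com")
    print("proxy:", hjt["proxy"], "(bare IP)" if hjt["proxy_is_ip"] else "")
    print("autostarts:", [name for name, _ in hjt["autostarts"]])
    print("removed by smitRem:", removed_files(parse_smitrem(SAMPLE_SMITREM)))
```

Run it on a full log by reading the file into `triage_hjt`; the output is a checklist, not a verdict, which is why the example only reports the proxy and start-page entries for review rather than deleting anything.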

Unread postby Susan528 » November 22nd, 2005, 9:10 pm

Hello PatrickRN,

Your log is clean. Good Work! Please follow the final clean-up instructions and tips.

STEP 1.
======
Cleanmgr
To clean temporary files:
  1. Go > start > run and type cleanmgr and click OK
  2. Scan your system for files to remove.
  3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  4. Click OK to remove those files.
  5. Click Yes to confirm deletion.

STEP 2. (Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3. (Windows XP only)
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    Turn off System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. Check Turn off System Restore.
  5. Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. UN-Check *Turn off System Restore*.
  5. Click Apply, and then click OK.


STEP 4.
======
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.


    See this link for a listing of some online and stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  2. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  3. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  4. Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Visit the Microsoft Office Update Site Frequently - If you are running Microsoft Office, or any portion thereof, go to the Microsoft Office Update site and make sure you have at least all the critical updates installed (Free).

  7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby NonSuch » November 30th, 2005, 8:21 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California