Help! Stubborn Antispyware Soldier Infection

sakurasan · 10-01-2006, 11:56 PM

Hi this is my first post to this site - so happy to have found you after many false leads trying to solve this problem! I am running Windows XP and followed all the first steps. My computer is infected with Antispyware Soldier - getting all the popups, take over of my desktop image, etc, etc. I got rid of it once b4 but somehow it is back. Hope you can help! thanks

Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:23 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sumsw32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Webshots\webshots.scr
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/Mul...ctComboBox.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100385933556
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143384714807
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_11_0.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

fredmh · 10-02-2006, 05:48 AM

Hello sakurasan, and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst,
and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.

sakurasan · 10-02-2006, 10:43 AM

thanks fred i will be patient

fredmh · 10-02-2006, 06:28 PM

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

----------------------------------------

DOWNLOADS

ATF CLEANER

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

AVG Anti-Spyware 7.5

Please download AVG Anti-Spyware 7.5

Install AVG Anti-Spyware 7.5.
Double-click the icon on Desktop to launch AVG A-S 7.5
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

SMITFRAUD

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

CWSHREDDER

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree.
Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file,
choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools>Options.
Scroll down and uncheck "Use real-time protection (recommended)".
After you uncheck this, click on the Save button and close Windows Defender.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

c:\windows\system32\xhgwfkuf.exe

----------------------------------------

SmitFraud - OPTION 2

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

RUNNING SCANNERS

ATF CLEANER

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program

AVG Anti-Spyware 7.5

Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
This scan can take quite a while to run, so be prepared.
Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine.
Then click Apply all actions.

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SECURE DESKTOP

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"

"Warning Message"

"Security Desktop"

"Warning Homepage"

"Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:rapport.txt from SmitFraud
AVG A/S scan
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

sakurasan · 10-03-2006, 09:13 PM

Took all steps - here are the requested reports - thanks again! Oh PS, when I asked for updates on AVG (did it several times over a number of hours) it says they are not available.

SmitFraudFix v2.104

Scan done at 21:38:44.12, Tue 10/03/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\System32fab.exe FOUND !
C:\WINDOWS\yod.htm FOUND !
C:\WINDOWS\ZServ.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\smaexp32.dll FOUND !
C:\WINDOWS\system32\sumsw32.exe FOUND !
C:\WINDOWS\system32\taskdir~.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:08:53 PM 10/3/2006

+ Scan result:

HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Ignored.
HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B53455DB-5527-4041-AC41-F86E6947AA47} -> Adware.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb -> Adware.Ilookup : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\assoc2 -> Adware.Ilookup : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\kws -> Adware.Ilookup : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\sit -> Adware.Ilookup : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\size -> Adware.Ilookup : Ignored.
HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Ignored.
C:\WINDOWS\Temp\ASHeuristic\hotfix_exe.vir -> Adware.WebSearch : Ignored.
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Ignored.
HKLM\SOFTWARE\Pinfo -> Dialer.Generic : Ignored.
HKLM\SOFTWARE\Pinfo\Dialers -> Dialer.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo -> Dialer.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers -> Dialer.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers\Lisa -> Dialer.Generic : Ignored.
C:\WINDOWS\system32\rlnberfu.exe -> Downloader.Small.dkt : Ignored.
C:\WINDOWS\system32\urrqhpbk.exe -> Downloader.VB.aeq : Ignored.
C:\WINDOWS\system32\ohylguic.exe -> Downloader.VB.anw : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Ignored.
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Ignored.
C:\WINDOWS\system32\wgcnjvea.tjo -> Hijacker.Small.js : Ignored.
:mozilla.255:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Ignored.
:mozilla.256:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Ignored.
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.224:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.415:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.427:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.476:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@broadspancommerce.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@folica.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@gmditech.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@indigio.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@microsoftwlmessengermkt.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@thomasvillefurniture.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\WINDOWS\Temp\Cookies\owner@112.2o7[2].txt -> TrackingCookie.2o7 : Ignored.
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.142:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.583:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.584:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@admarketplace[1].txt -> TrackingCookie.Admarketplace : Ignored.
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Ignored.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored.
:mozilla.271:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Ignored.
:mozilla.272:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Ignored.
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.
:mozilla.561:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.562:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.563:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.564:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.565:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.566:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.567:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.612:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.152:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Clickbank : Ignored.
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfliald5obo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgl4ahdpmkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycnc5ecp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnygmd5skq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyskcpkhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnysoazsgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Ignored.
:mozilla.280:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
:mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
:mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
:mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
:mozilla.235:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Ignored.
:mozilla.236:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Ignored.
:mozilla.555:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Ignored.
:mozilla.556:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt -> TrackingCookie.Goclick : Ignored.
:mozilla.153:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.639:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.225:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.226:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.227:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.588:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.589:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.590:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Ignored.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.
:mozilla.221:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored.
:mozilla.222:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored.
:mozilla.223:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Ignored.
:mozilla.267:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.268:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.269:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.270:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Ignored.
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Ignored.
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.477:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.
:mozilla.478:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.
:mozilla.479:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.
:mozilla.480:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.
:mozilla.481:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.
:mozilla.320:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored.
:mozilla.321:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored.
:mozilla.322:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored.
:mozilla.323:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored.
:mozilla.265:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.266:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Ignored.
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Trafficmp : Ignored.
:mozilla.497:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
:mozilla.238:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Valueclick : Ignored.
:mozilla.512:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.513:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.514:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.540:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.542:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.535:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
:mozilla.536:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
:mozilla.537:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored.

::Report end

Panda Scan:

Incident Status Location

Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\system32\sumsw32.exe
Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Adware:adware/alexa-toolbar Not disinfected c:\windows\system32\alxres.dll
Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll
Adware:adware/dailytoolbar Not disinfected c:\windows\system32\dailytoolbar.dll
Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe
Adware:adware/admess Not disinfected c:\windows\system32\tcpservice2.exe
Adware:adware/topspyware Not disinfected c:\windows\system32\txfdb32.dll
Adware:adware/btgrab Not disinfected c:\windows\BTGrab.dll
Adware:adware/transponder Not disinfected c:\windows\dlmax.dll
Adware:adware/gator Not disinfected c:\windows\GatorFDDLI.log
Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
Adware:adware/thespyguard Not disinfected c:\windows\yod.htm
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/ilookup Not disinfected Windows Registry
Spyware:spyware/dluca Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Dialer:dialer.du Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Adware:adware/savenow Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.com.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[c.goclick.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[server.iad.liveperson.net/hc/76103330]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kinghost[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@spywarestormer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.burstbeacon[2].txt
Possible Virus. Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\hotfix.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/Trymedia Not disinfected C:\Downloads\Sudoku_ML_Setup-dm[1].exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Virus:Trj/Gagar.K Disinfected C:\WINDOWS\system32\hjoixavs.exe
Virus:Trj/Gagar.AG Disinfected C:\WINDOWS\system32\igdhpvdz.exe
Virus:Trj/Gagar.Y Disinfected C:\WINDOWS\system32\nvayszkr.exe
Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\system32\ohylguic.exe
Virus:Trj/Gagar.K Disinfected C:\WINDOWS\system32\ruzqyjbf.exe
Adware:Adware/TitanShield Not disinfected C:\WINDOWS\system32\urrqhpbk.exe
Virus:Trj/Gagar.P Disinfected C:\WINDOWS\system32\uyemogzx.exe
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Temp\Cookies\owner@112.2o7[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 10:05:44 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sumsw32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/Mul...ctComboBox.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100385933556
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143384714807
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_11_0.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

fredmh · 10-04-2006, 10:01 AM

It appears that you may have misunderstood the instructions on my last post, as all the original malware is still in place.

1. Option 1 of the SmitfraudFix tool was used instead of Option 2.
2. AVG Anti Spyware settings were not set to allow it to Quarantine what it found.

Let's try it again so we can get your system clean

----------------------------------------

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

DOWNLOADS

AVG Anti-Spyware 7.5

Double-click the icon on Desktop to launch AVG A-S 7.5
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

CWSHREDDER

Your system is infected with Cool Web Search. You must download and run this tool

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree.
Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file,
choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools>Options.
Scroll down and uncheck "Use real-time protection (recommended)".
After you uncheck this, click on the Save button and close Windows Defender.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

These are all still in place. They MUST be deleted

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

This file MUST be deleted

c:\windows\system32\xhgwfkuf.exe

----------------------------------------

SmitFraud - OPTION 2

We need to use Option #2 as it will clean the infection for us.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

RUNNING SCANNERS

AVG Anti-Spyware 7.5

Please ensure you're allowing AVG Anti Spyware to do it's job. Please note the settings below

Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
This scan can take quite a while to run, so be prepared.
Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine.
Then click Apply all actions.

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SECURE DESKTOP

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"

"Warning Message"

"Security Desktop"

"Warning Homepage"

"Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:rapport.txt from SmitFraud
AVG A/S scan
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

sakurasan · 10-04-2006, 02:54 PM

I will do what you have posted in this last reply - sorry for confusion it seems that as i was going thru the directions i must have scrolled down and skipped straight to the smitfraud opt 3 section by mistake; as a separate note, my itunes and realplayer both are not working properly (I am selecting and telling it to play and nothing happens) - could it have anything to do with the malware?

fredmh · 10-04-2006, 03:17 PM

Possibly. After we get the system cleaned, if they still don't work properly, we can send you to another forum for help.

sakurasan · 10-04-2006, 05:14 PM

Here are my confirmations of what steps I took and immediate results/comments (see purple text):

AVG Anti-Spyware 7.5

DONE

CWSHREDDER

Your system is infected with Cool Web Search. You must download and run this tool

DONE – same as last time I get this message after scan is complete:

Scan is complete!
CoolWebSearch was not found on this system.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Windows Defender

DONE (did it last time)

S& D Spybot's Tea Timer

DONE (sorry I misunderstood and thought this was a separate program I did not have)

----------------------------------------

SAFE MODE RE-BOOT

DONE

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

DONE – note that I stopped here in going thru your updated instructions because I ran the scan and fix 3 times and these 2 entries will not go away (I did close all windows as you instructed as well):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

I will wait for your response on what to do about this since you said that each step must be complete in full and in order for the clean up to work – thanks!

fredmh · 10-04-2006, 06:17 PM

We put the anti-spyware instructions in each time, because some users re-enable after each pass. This is fine while waiting for the next fix.

Please continue where you left off.

sakurasan · 10-05-2006, 02:17 PM

Here are my confirmations that I did each of the steps and immediate results/comments (see purple text) – reports follow below that - I hope we are close now!

AVG Anti-Spyware 7.5
DONE

CWSHREDDER

Your system is infected with Cool Web Search. You must download and run this tool

DONE – same as last time I get this message after scan is complete:

Scan is complete!
CoolWebSearch was not found on this system.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

Windows Defender

DONE (did it last time)

S& D Spybot's Tea Timer

DONE (sorry I misunderstood and thought this was a separate program I did not have)

----------------------------------------

SAFE MODE RE-BOOT

DONE

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

DONE – note that I ran the scan and fix 3 times and these 2 entries will not go away (I did close all windows as you instructed as well):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

----------------------------------------

UNHIDE HIDDEN FILES

DONE

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

This file MUST be deleted

DONE – file was not there.

----------------------------------------

SmitFraud - OPTION 2

We need to use Option #2 as it will clean the infection for us.

DONE

----------------------------------------

RUNNING SCANNERS

AVG Anti-Spyware 7.5

DONE

----------------------------------------

SECURE DESKTOP

DONE (none of those items was on the “web” page and the box was already unticked)

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

DONE

----------------------------------------

SmitFraud - OPTION 3

DONE
----------------------------------------

ON-LINE SCANS

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

DONE

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:rapport.txt from SmitFraud

SmitFraudFix v2.81

Scan done at 22:24:26.28, Wed 10/04/2006
Run from C:\Download\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

AVG A/S scan

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:04:33 AM 10/5/2006

+ Scan result:

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092218.exe -> Adware.GAINNetwork : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092216.exe -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B53455DB-5527-4041-AC41-F86E6947AA47} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb -> Adware.Ilookup : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\assoc2 -> Adware.Ilookup : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\kws -> Adware.Ilookup : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\sit -> Adware.Ilookup : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\size -> Adware.Ilookup : Cleaned with backup (quarantined).
C:\Downloads\Sudoku_ML_Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\ASHeuristic\hotfix_exe.vir -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Pinfo -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Pinfo\Dialers -> Dialer.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo -> Dialer.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers -> Dialer.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers\Lisa -> Dialer.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092215.exe -> Downloader.Small.cjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092732.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092735.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092209.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092210.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092736.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlnberfu.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\urrqhpbk.exe -> Downloader.VB.aeq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092213.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092214.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ohylguic.exe -> Downloader.VB.anw : Cleaned with backup (quarantined).
HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wgcnjvea.tjo -> Hijacker.Small.js : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sumsw32.exe -> Not-A-Virus.Hoax.Win32.Renos.fe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092910.exe -> Not-A-Virus.SpamTool.Win32.Agent.g : Cleaned with backup (quarantined).
:mozilla.272:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.273:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.128:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.129:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.134:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.241:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.432:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.444:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.487:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@broadspancommerce.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@folica.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@gmditech.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@indigio.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@microsoftwlmessengermkt.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@thomasvillefurniture.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\Temp\Cookies\owner@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.163:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.589:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.590:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.288:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.289:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.567:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.568:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.569:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.570:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.571:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.572:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.573:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.316:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.618:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfliald5obo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgl4ahdpmkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycnc5ecp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnygmd5skq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyskcpkhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnysoazsgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.297:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.298:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.300:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.252:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.253:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.561:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.562:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.174:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.645:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.242:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.243:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.244:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.594:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.595:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.596:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.238:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.239:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.240:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.284:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.285:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.286:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.287:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.488:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.489:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.490:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.491:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.492:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.337:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.338:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.339:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.340:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.216:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.217:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.218:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.219:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.220:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.255:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.522:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.523:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.524:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.546:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.547:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.548:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.542:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.543:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP859\A0090383.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

Kaspersky scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 05, 2006 2:57:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/10/2006
Kaspersky Anti-Virus database records: 229186
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 112846
Number of viruses found: 9
Number of infected objects: 18 / 0
Number of suspicious objects: 5
Duration of the scan process: 01:24:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-10012006-171400.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\AutoRecovery save of updated hjt instruction.asd Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Process.exe Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\Cache\633285D9d01 ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_7CEzLG8vSjHIi2u Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_AsM1nAbC996M7Pa Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_cBEOriDon7DwiBn Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_Et0UvUszneeUhGM Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_zgi3WxSaEUQzm0h Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1C9F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1CE4.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5116.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF7EB2.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\herrick files\personal.pst/Personal Folders/101/17 Apr 2003 15:39 from Sstei:Seton Hall.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\My Documents\herrick files\personal.pst/Personal Folders/101/11 Apr 2003 15:37 from jsmit:This page requires javascript..rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\My Documents\herrick files\personal.pst/Personal Folders/101/10 Apr 2003 15:03 from dbass:Lawlessness prevailed and looting c.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\My Documents\herrick files\personal.pst/Personal Folders/101/27 Mar 2003 16:42 from rpalu:.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\My Documents\herrick files\personal.pst Mail MS Mail: suspicious - 4 skipped
C:\Documents and Settings\Owner\My Documents\updated hjt instruction.doc Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Download\smitfraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092733.exe Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092734.exe Infected: Packed.Win32.Tibs.a skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092927.exe Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092928.exe Infected: Trojan-Downloader.Win32.VB.anw skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092929.exe Infected: Trojan-Downloader.Win32.VB.aeq skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092930.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\A0092931.exe Infected: not-virus:Hoax.Win32.Renos.fe skipped
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP880\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ivppdhgt.exe Infected: Packed.Win32.Tibs.a skipped
C:\WINDOWS\system32\rcehkfuc.exe Infected: Packed.Win32.Tibs.a skipped
C:\WINDOWS\system32\sorwindq.exe Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\WINDOWS\system32\vcxgcaiz.exe Infected: Trojan-Downloader.Win32.Small.dkt skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

A new HJT log run in Normal Mode

Logfile of HijackThis v1.99.1
Scan saved at 3:11:10 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/Mul...ctComboBox.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100385933556
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143384714807
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_11_0.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

fredmh · 10-05-2006, 08:35 PM

Your logs are looking much better. We're almost there

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\ivppdhgt.exe
C:\WINDOWS\system32\rcehkfuc.exe
C:\WINDOWS\system32\sorwindq.exe
C:\WINDOWS\system32\vcxgcaiz.exe

----------------------------------------

Clear IE's Cookies and Cache

Close all instances of Outlook Express and Internet Explorer.
Go to Control Panel » Internet Options » General tab.
Click the Delete Cookies.
Next to it, Click the Delete Files button.
When prompted, place a check in: Delete all offline content, click OK.

Clear Firefox' Cookies

Open Firefox.
Click Tools » Options.
Click the Privacy tab, then the Cookies tab.
Click the Clear Cookies Now button.
Then click OK to exit.

Clean Temporary Files

Go to Start » Run » type: cleanmgr » OK.
Choose (C:) and then click OK.
Make sure these are the only ones that are checked :
- Temporary Internet Files
- Temporary Files
- Recycle Bin
Click OK to remove them.
Click Yes to confirm the deletion.

Empty AVG A/S Quarantine

Launch AVG Anti-Spyware
Click on Show Quarantine
Click on Select All
Click on Remove finally
Close AVG A/S

----------------------------------------

ComboFix

1. Download this file - You MUST save it to your desktop

http://download.bleepingcomputer.com/sUBs/combofix.exe

or

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

Java out of Date

We need to update your Java as it is out of date. The older version is a security risk, as malware writers
exploit the weaknesses in it's code. The current version is 1.5.09

Updating Java :

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 - http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

----------------------------------------

Windows XP - Reset Hidden Files

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

----------------------------------------

Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

To turn off System Restore click Start > Right Click My Computer > Properties.
Click the System Restore tab and Check
"Turn off System Restore" or "Turn off System Restore on all drives" Click Apply.
When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.
Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties.
Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
Click Apply, and then OK.

This will create a new Restore Point.

sakurasan · 10-07-2006, 11:20 AM

followed all instructions - on last, when I right click my computer/properties, I get a message titled “rundll32.exe – unable to locate component” that says “this application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem”

I click OK 3 times and then the box does open – however when I go to SR and check that box when I get to the part where you tell it “yes” to go ahead it responds with a message titled “system restore” which says “system restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again”

I did restart and try again but no change.

fredmh · 10-07-2006, 12:42 PM

Ok. I'll work on that problem. Were you able to run commbofix? If so could you please post that log.

sakurasan · 10-07-2006, 05:36 PM

Owner - 06-10-07 10:21:55.93 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))

2006-10-05 14:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-05 14:59 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-05 14:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-05 14:59 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 17:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-07 10:21 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-03 19:25 -------- d-------- C:\Program Files\WinZip
2006-10-03 19:25 -------- d-------- C:\Program Files\Windows Defender
2006-10-03 19:24 -------- d-------- C:\Program Files\Webshots
2006-10-03 19:21 -------- d-------- C:\Program Files\QuickTime
2006-10-03 19:17 -------- d-------- C:\Program Files\Multimedia Card Reader
2006-10-03 19:17 -------- d-------- C:\Program Files\MSN Messenger
2006-10-03 19:16 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-10-03 19:14 -------- d-------- C:\Program Files\Messenger
2006-10-03 19:13 -------- d-------- C:\Program Files\iTunes
2006-10-03 19:12 -------- d-------- C:\Program Files\Internet Explorer
2006-10-03 19:07 -------- d-------- C:\Program Files\eFax Messenger 4.2
2006-10-03 17:34 -------- d-------- C:\Program Files\Grisoft
2006-10-01 20:17 -------- d-------- C:\Program Files\Easy Internet signup
2006-10-01 19:15 -------- d-------- C:\Program Files\XoftSpy
2006-10-01 16:52 -------- d-------- C:\Program Files\Enigma Software Group
2006-09-25 18:29 -------- d-------- C:\Program Files\FlashFXP
2006-09-24 11:49 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-09-23 13:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\eFax Messenger
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 03:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 11:09 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-07-27 07:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-12 09:50 1319 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\backupnotify.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AlcxMonitor"="ALCXMNTR.EXE"
"QuickFinder Scheduler"="\"c:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SideWinderTrayV4"="C:\\PROGRA~1\\MI948F~1\\GAMECO~1\\Common\\SWTrayV4.exe"
"/AutoLaunch"="C:\\Program Files\\PHILIPS\\PSADMM\\DMM\\bin\\AutoLaunch.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1142815478\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealPlayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realplay"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061004-175852-286
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20061004-175852-891
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20061004-175640-579
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20061004-175640-496
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20061004-174958-569
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20061004-174958-746
R3 - Default URLSearchHook is missing
backup-20061004-174958-932
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061004-174958-840
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
backup-20061004-174958-836
O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install
backup-20061004-174958-757
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20061004-174958-537
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20060826-085456-585
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
backup-20060826-085456-180
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
backup-20060826-085456-257
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
backup-20060826-085456-532
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
backup-20060826-085456-175
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
backup-20060826-085456-957
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
backup-20060826-085456-345
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
backup-20060826-085456-341
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
backup-20060826-085456-540
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
backup-20060826-085456-252
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
backup-20060826-085456-209
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
backup-20060826-085456-202
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20060826-085456-262
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
backup-20060826-085456-437
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 10/07/2006 10:22:17.79
ComboFix.txt

fredmh · 10-07-2006, 08:34 PM

Microsoft has a page dedicated to your problem:

http://support.microsoft.com/kb/319114

Please try that and let me know what happens.

sakurasan · 10-08-2006, 09:35 AM

ok thxx i went to the web page you listed and got the fix - system restore point has been reset, so pls advise when you can!! oh btw could you also let me know the best way to prevent this kind of infection in the future esp. in light of the fact that the computer is used occasionally to visit adult entertainment sites ;)

fredmh · 10-08-2006, 09:41 AM

I will post a list of things you can do in my closing speach.

fredmh · 10-08-2006, 07:21 PM

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpyHunter

From Spywaew Warrior: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing
aggressive, deceptive advertising (1, 2, 3, 4, 5). The company was also known for exploiting the name "spybot" in its domain names and online advertising.
These objectionable business practices were employed primarily from late-2002 to mid-2004.
Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the
"spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).
While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this
application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance
as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical
spyware/adware files even from those it does recognize.

Given the many excellent competing anti-spyware applications that are available (some for free),
users would do better looking elsewhere for trustworthy anti-spyware protection. A list of programs is provided in this post.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Enigma Software Group

----------------------------------------

Congratulations. Your logs are now clean. Please read through the information which follows.

----------------------------------------

RE-ENABLE ANTI-SPYWARE APPLICATIONS

If you were instructed to dis-able Anti-spyware applications during this fix, you may re-enable them

----------------------------------------

Please read through the following information to help protect your computer in the future.

KEEP YOUR OPERATING SYSTEM UPDATED

Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser
up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft
and download all the critical updates to help prevent possible re-infection.

ENABLE WINDOWS AUTO UPDATE

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

TOOLS TO HELP KEEP YOUR SYSTEM CLEAN

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.

Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

SpywareGuard to catch and block spyware before it can execute.

SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its
TeaTimer option.
This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with
the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

AD-AWARE Download and install Ad-Aware. You should use this program to scan
your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product
can be found here

IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Download IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

A tutorial for IE-SPYAD can be found here

MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file
with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to
those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

Download Host.zip to your desktop.
From your Desktop right-click (hosts.zip) and select:
Extract All from the menu.
Click Next, click Next, select the option:
"Show Extracted files"
Click Finish

This will open the newly created hosts folder on your Desktop.

Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated
HOSTS file to the correct location on your machine.

MCAFEE SITE ADVISOR SITE ADVISOR is a free IE plug-in (also suport for Firefox browser)
which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem.
It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links.

ANTI-VIRUS AND FIREWALL PROGRAMS

ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial

Here are some very good free Antivirus products which are available:

Avast!
AVG

If you do not have a firewall, here are 4 free ones available for personal use:

Understanding and Using Firewalls

INFORMATIONAL READING

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

PC SAFETY AND SECURITY
HOW DID I GET INFECTED IN THE FIRST PLACE?
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
INVASION OF THE COMPUTER SNATCHERS
The Cookie Concept

Please respond one more time and let me know you received this post so it can be marked resolved

10-01-2006, 11:56 PM	#1 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	Help! Stubborn Antispyware Soldier Infection Hi this is my first post to this site - so happy to have found you after many false leads trying to solve this problem! I am running Windows XP and followed all the first steps. My computer is infected with Antispyware Soldier - getting all the popups, take over of my desktop image, etc, etc. I got rid of it once b4 but somehow it is back. Hope you can help! thanks Here is my logfile: Logfile of HijackThis v1.99.1 Scan saved at 12:40:23 AM, on 10/2/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Softex\OmniPass\Omniserv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\sumsw32.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\eFax Messenger 4.2\J2GTray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe C:\Program Files\Webshots\webshots.scr C:\Download\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file) O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file) O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file) O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file) O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/Mul...ctComboBox.cab O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100385933556 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143384714807 O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_11_0.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

10-02-2006, 06:28 PM	#4 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. ---------------------------------------- The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise let me know. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result. Absence of symptoms does not mean that everything is clear. So lets do this to the end! ---------------------------------------- DOWNLOADS ATF CLEANER Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only AVG Anti-Spyware 7.5 Please download AVG Anti-Spyware 7.5 Install AVG Anti-Spyware 7.5. Double-click the icon on Desktop to launch AVG A-S 7.5 On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. SMITFRAUD Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! CWSHREDDER Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. ---------------------------------------- DISABLE ANTI-SPYWARE APPLICATIONS Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system. Windows Defender Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools>Options. Scroll down and uncheck "Use real-time protection (recommended)". After you uncheck this, click on the Save button and close Windows Defender. S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. ---------------------------------------- SAFE MODE RE-BOOT Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. ---------------------------------------- FIXES AND DELETIONS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install *Please remember to close all other windows, including browsers then click Fix checked.* ---------------------------------------- UNHIDE HIDDEN FILES Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. ---------------------------------------- Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. c:\windows\system32\xhgwfkuf.exe ---------------------------------------- SmitFraud - OPTION 2 Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ---------------------------------------- RUNNING SCANNERS ATF CLEANER Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program AVG Anti-Spyware 7.5 Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed) This scan can take quite a while to run, so be prepared. Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once finished, click the Save report button, then click Save Report As and save it to your desktop. Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will reinfect your system or will not be cleaned properly. ---------------------------------------- SECURE DESKTOP Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ---------------------------------------- SYSTEM RE-BOOT Reboot into Normal Mode. ---------------------------------------- SmitFraud - OPTION 3 Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ---------------------------------------- ON-LINE SCANS Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan ---------------------------------------- FOLLOW-UP Please return and post these items: c:rapport.txt from SmitFraud AVG A/S scan Panda scan A new HJT log run in Normal Mode Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

10-03-2006, 09:13 PM	#5 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	here are the items you asked for Took all steps - here are the requested reports - thanks again! Oh PS, when I asked for updates on AVG (did it several times over a number of hours) it says they are not available. SmitFraudFix v2.104 Scan done at 21:38:44.12, Tue 10/03/2006 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS C:\WINDOWS\alexaie.dll FOUND ! C:\WINDOWS\alxie328.dll FOUND ! C:\WINDOWS\alxtb1.dll FOUND ! C:\WINDOWS\BTGrab.dll FOUND ! C:\WINDOWS\dlmax.dll FOUND ! C:\WINDOWS\Pynix.dll FOUND ! C:\WINDOWS\susp.exe FOUND ! C:\WINDOWS\System32fab.exe FOUND ! C:\WINDOWS\yod.htm FOUND ! C:\WINDOWS\ZServ.dll FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\a.exe FOUND ! C:\WINDOWS\system32\alxres.dll FOUND ! C:\WINDOWS\system32\bridge.dll FOUND ! C:\WINDOWS\system32\dailytoolbar.dll FOUND ! C:\WINDOWS\system32\jao.dll FOUND ! C:\WINDOWS\system32\lfd.dat FOUND ! C:\WINDOWS\system32\oiso.bin FOUND ! C:\WINDOWS\system32\questmod.dll FOUND ! C:\WINDOWS\system32\runsrv32.dll FOUND ! C:\WINDOWS\system32\runsrv32.exe FOUND ! C:\WINDOWS\system32\smaexp32.dll FOUND ! C:\WINDOWS\system32\sumsw32.exe FOUND ! C:\WINDOWS\system32\taskdir~.exe FOUND ! C:\WINDOWS\system32\tcpservice2.exe FOUND ! C:\WINDOWS\system32\txfdb32.dll FOUND ! C:\WINDOWS\system32\udpmod.dll FOUND ! C:\WINDOWS\system32\wstart.dll FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 10:08:53 PM 10/3/2006 + Scan result: HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Ignored. HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Ignored. HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Ignored. HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Ignored. HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Ignored. HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Ignored. HKLM\SOFTWARE\Classes\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333} -> Adware.Generic : Ignored. HKLM\SOFTWARE\Classes\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029} -> Adware.Generic : Ignored. HKLM\SOFTWARE\Classes\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F} -> Adware.Generic : Ignored. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B53455DB-5527-4041-AC41-F86E6947AA47} -> Adware.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb -> Adware.Ilookup : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\assoc2 -> Adware.Ilookup : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\kws -> Adware.Ilookup : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\sit -> Adware.Ilookup : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\bmeb\size -> Adware.Ilookup : Ignored. HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Ignored. C:\WINDOWS\Temp\ASHeuristic\hotfix_exe.vir -> Adware.WebSearch : Ignored. HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Ignored. HKLM\SOFTWARE\Pinfo -> Dialer.Generic : Ignored. HKLM\SOFTWARE\Pinfo\Dialers -> Dialer.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo -> Dialer.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers -> Dialer.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Pinfo\Dialers\Lisa -> Dialer.Generic : Ignored. C:\WINDOWS\system32\rlnberfu.exe -> Downloader.Small.dkt : Ignored. C:\WINDOWS\system32\urrqhpbk.exe -> Downloader.VB.aeq : Ignored. C:\WINDOWS\system32\ohylguic.exe -> Downloader.VB.anw : Ignored. HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Ignored. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Ignored. HKU\S-1-5-21-223492011-3476413771-3814268486-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Ignored. C:\WINDOWS\system32\wgcnjvea.tjo -> Hijacker.Small.js : Ignored. :mozilla.255:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Ignored. :mozilla.256:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.247realmedia : Ignored. :mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.224:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.415:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.427:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. :mozilla.476:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@broadspancommerce.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@folica.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@gmditech.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@indigio.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@microsoftwlmessengermkt.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\Documents and Settings\Owner\Cookies\owner@thomasvillefurniture.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored. C:\WINDOWS\Temp\Cookies\owner@112.2o7[2].txt -> TrackingCookie.2o7 : Ignored. :mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Ignored. :mozilla.142:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adbrite : Ignored. :mozilla.583:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored. :mozilla.584:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored. C:\Documents and Settings\Owner\Cookies\owner@admarketplace[1].txt -> TrackingCookie.Admarketplace : Ignored. :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Ignored. :mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adrevolver : Ignored. C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored. :mozilla.271:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Ignored. :mozilla.272:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Adtech : Ignored. C:\Documents and Settings\Owner\Cookies\owner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Ignored. :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored. :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored. :mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored. :mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored. :mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Advertising : Ignored. :mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Atdmt : Ignored. :mozilla.561:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.562:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.563:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.564:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.565:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.566:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.567:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored. :mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Ignored. :mozilla.612:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Burstnet : Ignored. C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Ignored. C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt -> TrackingCookie.Burstnet : Ignored. :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored. :mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored. :mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored. :mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored. :mozilla.152:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Clickbank : Ignored. :mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Com : Ignored. :mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfliald5obo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgl4ahdpmkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycnc5ecp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnygmd5skq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyskcpkhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnysoazsgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Ignored. :mozilla.280:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored. :mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored. :mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored. :mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Falkag : Ignored. :mozilla.235:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Ignored. :mozilla.236:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Fastclick : Ignored. :mozilla.555:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Ignored. :mozilla.556:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Goclick : Ignored. C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt -> TrackingCookie.Goclick : Ignored. :mozilla.153:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored. :mozilla.639:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored. :mozilla.225:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored. :mozilla.226:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored. :mozilla.227:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Hitbox : Ignored. :mozilla.588:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored. :mozilla.589:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored. :mozilla.590:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Liveperson : Ignored. C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Ignored. C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Ignored. :mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored. :mozilla.221:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored. :mozilla.222:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored. :mozilla.223:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Overture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Ignored. C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Ignored. :mozilla.267:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored. :mozilla.268:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored. :mozilla.269:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored. :mozilla.270:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Pointroll : Ignored. C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Ignored. :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Ignored. :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Qksrv : Ignored. :mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored. :mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored. :mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored. :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored. :mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored. :mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Ru4 : Ignored. :mozilla.477:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored. :mozilla.478:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored. :mozilla.479:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored. :mozilla.480:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored. :mozilla.481:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored. :mozilla.320:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored. :mozilla.321:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored. :mozilla.322:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored. :mozilla.323:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Sexcounter : Ignored. :mozilla.265:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Ignored. :mozilla.266:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Specificclick : Ignored. :mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored. :mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored. :mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored. :mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored. :mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Statcounter : Ignored. :mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored. :mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored. :mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tacoda : Ignored. C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Ignored. C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Ignored. :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Trafficmp : Ignored. :mozilla.497:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored. :mozilla.238:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Valueclick : Ignored. :mozilla.512:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored. :mozilla.513:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored. :mozilla.514:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Web-stat : Ignored. C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt -> TrackingCookie.Web-stat : Ignored. :mozilla.540:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored. :mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored. :mozilla.542:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored. C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored. :mozilla.535:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored. :mozilla.536:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored. :mozilla.537:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt -> TrackingCookie.Zedo : Ignored. ::Report end Panda Scan: Incident Status Location Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\system32\sumsw32.exe Adware:adware/superspider Not disinfected c:\windows\system32\a.exe Adware:adware/alexa-toolbar Not disinfected c:\windows\system32\alxres.dll Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll Adware:adware/dailytoolbar Not disinfected c:\windows\system32\dailytoolbar.dll Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe Adware:adware/admess Not disinfected c:\windows\system32\tcpservice2.exe Adware:adware/topspyware Not disinfected c:\windows\system32\txfdb32.dll Adware:adware/btgrab Not disinfected c:\windows\BTGrab.dll Adware:adware/transponder Not disinfected c:\windows\dlmax.dll Adware:adware/gator Not disinfected c:\windows\GatorFDDLI.log Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe Adware:adware/thespyguard Not disinfected c:\windows\yod.htm Adware:adware/wintools Not disinfected Windows Registry Adware:adware/ilookup Not disinfected Windows Registry Spyware:spyware/dluca Not disinfected Windows Registry Adware:adware/wupd Not disinfected Windows Registry Dialer:dialer.du Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB} Adware:adware/savenow Not disinfected Windows Registry Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adrevolver.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.advertising.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.com.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.apmebf.com/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.2o7.net/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.clickbank.net/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.statcounter.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.realmedia.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.perf.overture.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.overture.com/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.hitbox.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.valueclick.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.247realmedia.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adtech.de/] Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.adultfriendfinder.com/] Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.as-eu.falkag.net/] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.atwola.com/] Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.burstnet.com/] Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.cs.sexcounter.com/] Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.kinghost.com/] Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.maxserving.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.tickle.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.xiti.com/] Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[.zedo.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[c.goclick.com/] Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[server.iad.liveperson.net/] Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\cookies.txt[server.iad.liveperson.net/hc/76103330] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kinghost[1].txt Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@spywarestormer[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\212rgtns.default\Cache\633285D9d01[SmitfraudFix/Process.exe] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@burstnet[2].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.burstbeacon[2].txt Possible Virus. Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\hotfix.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\SmitfraudFix.zip[SmitfraudFix/Process.exe] Adware:Adware/Trymedia Not disinfected C:\Downloads\Sudoku_ML_Setup-dm[1].exe Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Virus:Trj/Gagar.K Disinfected C:\WINDOWS\system32\hjoixavs.exe Virus:Trj/Gagar.AG Disinfected C:\WINDOWS\system32\igdhpvdz.exe Virus:Trj/Gagar.Y Disinfected C:\WINDOWS\system32\nvayszkr.exe Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\system32\ohylguic.exe Virus:Trj/Gagar.K Disinfected C:\WINDOWS\system32\ruzqyjbf.exe Adware:Adware/TitanShield Not disinfected C:\WINDOWS\system32\urrqhpbk.exe Virus:Trj/Gagar.P Disinfected C:\WINDOWS\system32\uyemogzx.exe Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Temp\Cookies\owner@112.2o7[2].txt Logfile of HijackThis v1.99.1 Scan saved at 10:05:44 PM, on 10/3/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Softex\OmniPass\Omniserv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\sumsw32.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\eFax Messenger 4.2\J2GTray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Webshots\webshots.scr C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Download\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file) O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file) O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file) O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file) O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_11_0.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange.com/Control/Mul...ctComboBox.cab O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://www.crystalvoicelive.com/download/CVALAX.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100385933556 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143384714807 O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange.com/Control/IRCSharc.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...io5_3_11_0.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

10-04-2006, 10:01 AM	#6 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	It appears that you may have misunderstood the instructions on my last post, as all the original malware is still in place. 1. Option 1 of the SmitfraudFix tool was used instead of Option 2. 2. AVG Anti Spyware settings were not set to allow it to Quarantine what it found. Let's try it again so we can get your system clean ---------------------------------------- Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. ---------------------------------------- The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise let me know. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end! Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result. ---------------------------------------- DOWNLOADS AVG Anti-Spyware 7.5 Double-click the icon on Desktop to launch AVG A-S 7.5 On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. CWSHREDDER Your system is infected with Cool Web Search. You must download and run this tool Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. ---------------------------------------- DISABLE ANTI-SPYWARE APPLICATIONS Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system. Windows Defender Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools>Options. Scroll down and uncheck "Use real-time protection (recommended)". After you uncheck this, click on the Save button and close Windows Defender. S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. ---------------------------------------- SAFE MODE RE-BOOT Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. ---------------------------------------- FIXES AND DELETIONS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) These are all still in place. They MUST be deleted R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install *Please remember to close all other windows, including browsers then click Fix checked.* ---------------------------------------- UNHIDE HIDDEN FILES Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. ---------------------------------------- Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. This file MUST be deleted c:\windows\system32\xhgwfkuf.exe ---------------------------------------- SmitFraud - OPTION 2 We need to use Option #2 as it will clean the infection for us. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ---------------------------------------- RUNNING SCANNERS AVG Anti-Spyware 7.5 Please ensure you're allowing AVG Anti Spyware to do it's job. Please note the settings below Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed) This scan can take quite a while to run, so be prepared. Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once finished, click the Save report button, then click Save Report As and save it to your desktop. Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will reinfect your system or will not be cleaned properly. ---------------------------------------- SECURE DESKTOP Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ---------------------------------------- SYSTEM RE-BOOT Reboot into Normal Mode. ---------------------------------------- SmitFraud - OPTION 3 Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ---------------------------------------- ON-LINE SCANS Kaspersky - Extended Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan ---------------------------------------- FOLLOW-UP Please return and post these items: c:rapport.txt from SmitFraud AVG A/S scan Kaspersky scan A new HJT log run in Normal Mode Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

10-04-2006, 05:14 PM	#9 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	had to stop in the middle - pls read asap Here are my confirmations of what steps I took and immediate results/comments (see purple text): AVG Anti-Spyware 7.5 DONE CWSHREDDER Your system is infected with Cool Web Search. You must download and run this tool DONE – same as last time I get this message after scan is complete: Scan is complete! CoolWebSearch was not found on this system. ---------------------------------------- DISABLE ANTI-SPYWARE APPLICATIONS Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system. Windows Defender DONE (did it last time) S& D Spybot's Tea Timer DONE (sorry I misunderstood and thought this was a separate program I did not have) ---------------------------------------- SAFE MODE RE-BOOT DONE ---------------------------------------- FIXES AND DELETIONS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) DONE – note that I stopped here in going thru your updated instructions because I ran the scan and fix 3 times and these 2 entries will not go away (I did close all windows as you instructed as well): R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = I will wait for your response on what to do about this since you said that each step must be complete in full and in order for the clean up to work – thanks!

10-02-2006, 05:48 AM	#2 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Hello sakurasan, and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time.

10-02-2006, 10:43 AM	#3 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	thanks fred i will be patient

10-04-2006, 02:54 PM	#7 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	I will do what you have posted in this last reply - sorry for confusion it seems that as i was going thru the directions i must have scrolled down and skipped straight to the smitfraud opt 3 section by mistake; as a separate note, my itunes and realplayer both are not working properly (I am selecting and telling it to play and nothing happens) - could it have anything to do with the malware?

10-04-2006, 03:17 PM	#8 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Possibly. After we get the system cleaned, if they still don't work properly, we can send you to another forum for help.

10-04-2006, 06:17 PM	#10 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	We put the anti-spyware instructions in each time, because some users re-enable after each pass. This is fine while waiting for the next fix. Please continue where you left off.

10-05-2006, 08:35 PM	#12 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Your logs are looking much better. We're almost there ---------------------------------------- Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\system32\ivppdhgt.exe C:\WINDOWS\system32\rcehkfuc.exe C:\WINDOWS\system32\sorwindq.exe C:\WINDOWS\system32\vcxgcaiz.exe ---------------------------------------- Clear IE's Cookies and Cache Close all instances of Outlook Express and Internet Explorer. Go to Control Panel » Internet Options » General tab. Click the Delete Cookies. Next to it, Click the Delete Files button. When prompted, place a check in: Delete all offline content, click OK. Clear Firefox' Cookies Open Firefox. Click Tools » Options. Click the Privacy tab, then the Cookies tab. Click the Clear Cookies Now button. Then click OK to exit. Clean Temporary Files Go to Start » Run » type: cleanmgr » OK. Choose (C:) and then click OK. Make sure these are the only ones that are checked : Temporary Internet Files Temporary Files Recycle Bin Click OK to remove them. Click Yes to confirm the deletion. Empty AVG A/S Quarantine Launch AVG Anti-Spyware Click on Show Quarantine Click on Select All Click on Remove finally Close AVG A/S ---------------------------------------- ComboFix 1. Download this file - You MUST save it to your desktop http://download.bleepingcomputer.com/sUBs/combofix.exe or http://www.techsupportforum.com/sectools/combofix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ---------------------------------------- Java out of Date We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code. The current version is 1.5.09 Updating Java : Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 - http://java.sun.com/javase/downloads/index.jsp Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version. ---------------------------------------- Windows XP - Reset Hidden Files Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. ---------------------------------------- Clean-out and Reset System Restore This will clean out any junk or malicious files left behind in System Restore To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point.

10-07-2006, 11:20 AM	#13 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	snag followed all instructions - on last, when I right click my computer/properties, I get a message titled “rundll32.exe – unable to locate component” that says “this application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem” I click OK 3 times and then the box does open – however when I go to SR and check that box when I get to the part where you tell it “yes” to go ahead it responds with a message titled “system restore” which says “system restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again” I did restart and try again but no change.

10-07-2006, 12:42 PM	#14 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Ok. I'll work on that problem. Were you able to run commbofix? If so could you please post that log.

10-07-2006, 05:36 PM	#15 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	combofix log Owner - 06-10-07 10:21:55.93 Service Pack 2 ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 )))))))))))))))))))))))))))))))))) 2006-10-05 14:59 53,248 --a------ C:\WINDOWS\system32\Process.exe 2006-10-05 14:59 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2006-10-05 14:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2006-10-05 14:59 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2006-10-03 17:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-10-07 10:21 -------- d-------- C:\Program Files\Mozilla Firefox 2006-10-03 19:25 -------- d-------- C:\Program Files\WinZip 2006-10-03 19:25 -------- d-------- C:\Program Files\Windows Defender 2006-10-03 19:24 -------- d-------- C:\Program Files\Webshots 2006-10-03 19:21 -------- d-------- C:\Program Files\QuickTime 2006-10-03 19:17 -------- d-------- C:\Program Files\Multimedia Card Reader 2006-10-03 19:17 -------- d-------- C:\Program Files\MSN Messenger 2006-10-03 19:16 -------- d-------- C:\Program Files\Motorola Phone Tools 2006-10-03 19:14 -------- d-------- C:\Program Files\Messenger 2006-10-03 19:13 -------- d-------- C:\Program Files\iTunes 2006-10-03 19:12 -------- d-------- C:\Program Files\Internet Explorer 2006-10-03 19:07 -------- d-------- C:\Program Files\eFax Messenger 4.2 2006-10-03 17:34 -------- d-------- C:\Program Files\Grisoft 2006-10-01 20:17 -------- d-------- C:\Program Files\Easy Internet signup 2006-10-01 19:15 -------- d-------- C:\Program Files\XoftSpy 2006-10-01 16:52 -------- d-------- C:\Program Files\Enigma Software Group 2006-09-25 18:29 -------- d-------- C:\Program Files\FlashFXP 2006-09-24 11:49 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer 2006-09-23 13:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\eFax Messenger 2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll 2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe 2006-08-21 03:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-17 11:09 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM 2006-07-27 07:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll 2006-07-12 09:50 1319 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BackupNotify"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\backupnotify.exe" "NVIEW"="rundll32.exe nview.dll,nViewLoadHook" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\"" "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe" "CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe" "HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe" "HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe" "KBD"="C:\\HP\\KBD\\KBD.EXE" "AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE" "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup" "nwiz"="nwiz.exe /installquiet /keeploaded /nodetect" "Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe" "PS2"="C:\\WINDOWS\\system32\\ps2.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "AlcxMonitor"="ALCXMNTR.EXE" "QuickFinder Scheduler"="\"c:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\"" "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\jusched.exe" "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\"" "iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "SideWinderTrayV4"="C:\\PROGRA~1\\MI948F~1\\GAMECO~1\\Common\\SWTrayV4.exe" "/AutoLaunch"="C:\\Program Files\\PHILIPS\\PSADMM\\DMM\\bin\\AutoLaunch.exe" "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe" "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe" "eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R" "SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex] @="" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000000 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "CDRAutoRun"=dword:00000000 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "CDRAutoRun"=dword:00000000 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AOLLaunch" "hkey"="HKCU" "command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AOLSoftware" "hkey"="HKLM" "command"="C:\\Program Files\\Common Files\\AOL\\1142815478\\ee\\AOLSoftware.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mmtask" "hkey"="HKLM" "command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mm_tray" "hkey"="HKLM" "command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="MsnMsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealPlayer] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realplay" "hkey"="HKCU" "command"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ypager" "hkey"="HKCU" "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet" "inimapping"="0" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20061004-175852-286 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = backup-20061004-175852-891 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = backup-20061004-175640-579 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = backup-20061004-175640-496 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = backup-20061004-174958-569 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) backup-20061004-174958-746 R3 - Default URLSearchHook is missing backup-20061004-174958-932 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = backup-20061004-174958-840 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank backup-20061004-174958-836 O4 - HKLM\..\Run: [XHGWFKUF] c:\windows\system32\xhgwfkuf.exe /install backup-20061004-174958-757 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = backup-20061004-174958-537 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = backup-20060826-085456-585 O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe backup-20060826-085456-180 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab backup-20060826-085456-257 O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe backup-20060826-085456-532 O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe backup-20060826-085456-175 O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe backup-20060826-085456-957 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab backup-20060826-085456-345 O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll backup-20060826-085456-341 O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe backup-20060826-085456-540 O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe backup-20060826-085456-252 O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe backup-20060826-085456-209 O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe backup-20060826-085456-202 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe backup-20060826-085456-262 O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask backup-20060826-085456-437 O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\MP Scheduled Scan.job C:\WINDOWS\tasks\Symantec NetDetect.job Completion time: Sat 10/07/2006 10:22:17.79 ComboFix.txt

10-07-2006, 08:34 PM	#16 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Microsoft has a page dedicated to your problem: http://support.microsoft.com/kb/319114 Please try that and let me know what happens. Last edited by fredmh; 10-07-2006 at 08:35 PM.

10-08-2006, 09:35 AM	#17 (permalink)
sakurasan Registered User Join Date: Oct 2006 Posts: 12 OS: winxp	ok thxx i went to the web page you listed and got the fix - system restore point has been reset, so pls advise when you can!! oh btw could you also let me know the best way to prevent this kind of infection in the future esp. in light of the fact that the computer is used occasionally to visit adult entertainment sites ;)

10-08-2006, 09:41 AM	#18 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	I will post a list of things you can do in my closing speach.

10-08-2006, 07:21 PM	#19 (permalink)
fredmh Analyst, Security Team ; TSF Supporter Join Date: May 2006 Location: Phila,Pa Posts: 2,335 OS: XP	Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SpyHunter From Spywaew Warrior: http://www.spywarewarrior.com/rogue_anti-spyware.htm Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising (1, 2, 3, 4, 5). The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004. Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the "spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application). While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize. Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection. A list of programs is provided in this post. ---------------------------------------- Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\Enigma Software Group ---------------------------------------- Congratulations. Your logs are now clean. Please read through the information which follows. ---------------------------------------- RE-ENABLE ANTI-SPYWARE APPLICATIONS If you were instructed to dis-able Anti-spyware applications during this fix, you may re-enable them ---------------------------------------- Please read through the following information to help protect your computer in the future. KEEP YOUR OPERATING SYSTEM UPDATED Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch MICROSOFT UPDATES It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection. ENABLE WINDOWS AUTO UPDATE Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". TOOLS TO HELP KEEP YOUR SYSTEM CLEAN Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain A tutorial for IE-SPYAD can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files" Click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. MCAFEE SITE ADVISOR SITE ADVISOR is a free IE plug-in (also suport for Firefox browser) which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem. It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links. ANTI-VIRUS AND FIREWALL PROGRAMS ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are some very good free Antivirus products which are available: Avast! AVG If you do not have a firewall, here are 4 free ones available for personal use: Understanding and Using Firewalls ZoneAlarm Avast Antivirus/Firewall Tiny Personal Firewall OutPost Firewall INFORMATIONAL READING In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: PC SAFETY AND SECURITY HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER INVASION OF THE COMPUTER SNATCHERS The Cookie Concept Please respond one more time and let me know you received this post so it can be marked resolved