Possible Spamming Virus

dland · 08-05-2007, 09:23 PM

I recently received an email from a postmaster saying that a spam email that had been sent by my account was sent to a user that could not be reached. Since I don't spam people, I assumed that I had contracted a virus that is using my email for its own nefarious purposes (unless the postmaster email is a fake). Anyway, this prompted me to run some long-overdue spyware scans which revealed a lot of issues with my system. I used Spybot and Adaware to remove quite a few but Panda Active Scan still found a lot. Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:13:47 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10292&ttid=104
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.akamai.net
O15 - Trusted Zone: http://*.live.com
O15 - Trusted Zone: http://*.netlibrary.com
O15 - Trusted Zone: http://*.start.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ampfemail.ampadvisor.aexp.co...om0/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1152030466531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152030460656
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b.../java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{974A6EBD-595C-4796-B43F-04B6D928C155}: NameServer = 10.9.2.200 10.9.2.205
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--
End of file - 9448 bytes

Here is my Panda log:

Incident Status Location

Virus:trj/downloader.aee Disinfected Operating system
Adware:adware/ipinsight Not disinfected c:\windows\inf\polall1r.inf
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Adware:adware/portalscan Not disinfected c:\program files\STC
Adware:adware/iedriver Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Adware:adware/delfinmedia Not disinfected Windows Registry
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Ahy0J.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\AyeYd.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Cxmql42.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Fah1q5.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\HuoTdA.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Ioq3SEW6.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Jlyov72.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Lus22B.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\QlsO0A55.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Sacm.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Szep85ln.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\VsbW.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Xay5.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Zaf85.exe
Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Zvn6.exe
Adware:Adware/PurityScan Not disinfected C:\!Submit\enth.exe
Adware:Adware/Midaddle Not disinfected C:\!Submit\n489jdP.exe
Adware:Adware/StatBlaster Not disinfected C:\!Submit\s2aP6Ra8.exe
Adware:Adware/BrowserAid Not disinfected C:\dist1_1_00.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.com.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.ccbill.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[server.iad.liveperson.net/hc/73488016]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.go.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.paycounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.webpower.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.yadro.ru/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Installer.class]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@go[2].txt
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@metriweb[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Cookies\david_k._land@go[2].txt
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\David K. Land\My Documents\HijackThis\backups\backup-20041222-201638-280.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.atwola.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.phg.hitbox.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.go.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.bfast.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.statse.webtrendslive.com/dcsx41mnd5twkf8wyp5mo4xok_6c8d]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.target.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[statse.webtrendslive.com/S131024]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.rightmedia.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@112.2o7[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@c5.zedo[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@centrport[2].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@delfinproject[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ehg-dig.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@go[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@linksynergy[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@questionmarket[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@rightmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@server.iad.liveperson[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@zedo[1].txt
Adware:Adware/StartPage.BR Not disinfected C:\FINDnFIX\Files2\un.exe
Adware:Adware/IEDriver Not disinfected C:\Overpro323.exe
Virus:Generic Malware Disinfected C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll
Virus:Trj/Downloader.gen Disinfected C:\Program Files\Internet Explorer\blvbdhuy.exe
Adware:Adware/Midaddle Not disinfected C:\WINDOWS\Temp\addit.exe[clicks.dll]
Adware:Adware/Midaddle Not disinfected C:\WINDOWS\Temp\addit.exe[Updater.exe]
Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe]
Virus:Trj/Downloader.OE Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][dp-him.exe]
Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][IEHost.EXE]
Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][Searchx.htm]
Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][terrabyte.exe]
Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][ms.exe]
Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\Temp\all_files10.exe[july14_loader.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\Temp\all_files10.exe[ezStub.exe]
Virus:Trj/CHost.A Not disinfected C:\WINDOWS\Temp\all_files10.exe[EXACTADVERTISING.exe]
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\Temp\all_files10.exe[dist1_1_00.exe]
Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\HJT forum files\n489jdP.zip[n489jdP.exe]
Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\HJT forum files\s2aP6Ra8.zip[s2aP6Ra8.exe]
Virus:Trj/Downloader.ADH Disinfected Personal Folders\Sent Items\HJT forum files\winpack.zip[winpack.exe]
Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\HJT forum files\esyn.zip[esyn.dll]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\enth.zip[enth.exe]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\drm.zip[drm.dll]
Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\n489jdP.zip[n489jdP.exe]
Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\s2aP6Ra8.zip[s2aP6Ra8.exe]
Virus:Trj/Downloader.ADH Disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\winpack.zip[winpack.exe]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\enth.zip[enth.exe]
Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\esyn.zip[esyn.dll]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\drm.zip[drm.dll]

Thanks for the help,
Dave

dland · 08-09-2007, 01:14 PM

Bump.

Ried · 08-10-2007, 10:01 PM

Hello Dave,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

You sure have a lot of junk on this system that your onboard tools have left behind.

Download AVG Anti Spyware

Install AVG Anti Spyware

Double-click the icon on Desktop to launch AVG
On the main Status screen, under Your Computer's Security, click Resident Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Do Not Automatically generate report after every scan"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.
-----------------------------------------------------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

-----------------------------------------------------------------------

Reboot your system.

-----------------------------------------------------------------------

Run another online scan at Panda and save the results.

-----------------------------------------------------------------------

Desktop.

What DSS will do:

create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review.
DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
Please attach extra.txt to your post.

To attach a file to a new post, simply

Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt
Click Upload.

Please include the following in your next reply:

AVG A-S report
Panda results
main.txt
an attached extra.txt

Did you recently send some zipped sample files to Spywareinfo?

dland · 08-11-2007, 09:20 AM

Ried,

Thanks for the help. I got to the part referencing DSS and wasn't sure what to do. It almost looks like some of the post is missing. Could you further explain please?

Thanks,
Dave

Ried · 08-11-2007, 10:16 AM

My apologies, Dave. The link did indeed get cut off in my editing.

Download Deckard's System Scanner (DSS) to your Desktop.

dland · 08-11-2007, 01:30 PM

Ried,

Thanks again for the help. Unfortunately, I didn't read the instructions closely enough and messed up some a few of the AVG Anti Spyware steps. I didn't turn of Resident Shield or set the Recommended Action to Quarantine before I ran the scanner. The infected files it found were deleted, not quarantined. I apologize; hopefully I didn't mess up my chances for help.

Also, I did not send any files to Spywareinfo. I sure hope my computer isn't sending people things on my behalf.

Anyway, here are the logs you asked for:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:45:36 AM 8/11/2007

+ Scan result:

HKU\S-1-5-21-823518204-1482476501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-823518204-1482476501-839522115-1015\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\MaxSpeed -> Adware.Maxspeed : Cleaned.
C:\Documents and Settings\David K. Land\My Documents\HijackThis\backups\backup-20041222-201638-280.dll -> Adware.Midaddle : Cleaned.
C:\!Submit\n489jdP.exe -> Adware.Midadle : Cleaned.
C:\Program Files\MaxSpeed -> Adware.SideFind : Cleaned.
C:\!Submit\s2aP6Ra8.exe -> Adware.WinFetcher : Cleaned.
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058166.exe -> Downloader.Agent.a : Cleaned.
C:\Overpro323.exe -> Downloader.Agent.ac : Cleaned.
C:\dist1_1_00.exe -> Downloader.Agent.ec : Cleaned.
C:\!PeperFix\Ahy0J.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\AyeYd.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Cxmql42.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Fah1q5.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\HuoTdA.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Ioq3SEW6.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Jlyov72.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Lus22B.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\QlsO0A55.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Sacm.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Szep85ln.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\VsbW.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Xay5.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Zaf85.exe -> Downloader.VB.em : Cleaned.
C:\!PeperFix\Zvn6.exe -> Downloader.VB.em : Cleaned.
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1100\A0060400.exe -> Downloader.Wirefall : Cleaned.
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058165.dll -> Dropper.Small.sf : Cleaned.
C:\FINDnFIX\Files2\un.exe -> Hijacker.StartPage : Cleaned.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
C:\FINDnFIX\keys1\NirComLine.exe -> Not-A-Virus.RemoteAdmin.Win32.NirCmdLine.14 : Ignored.
:mozilla.10:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.32:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.34:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.35:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.37:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.40:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.473:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.131:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.202:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.203:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.313:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.314:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.45:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.52:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.446:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.499:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.247:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.323:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.324:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.233:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.482:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.483:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.484:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.485:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.432:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Clickagents : Cleaned.
:mozilla.433:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Clickagents : Cleaned.
:mozilla.434:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Clickagents : Cleaned.
:mozilla.435:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Clickagents : Cleaned.
:mozilla.436:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Clickagents : Cleaned.
:mozilla.109:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.547:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.366:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.373:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.44:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.410:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.534:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.272:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.158:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.159:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.415:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.416:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.205:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.206:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.207:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.208:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.413:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.456:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.457:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.458:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.459:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.406:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.111:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.132:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.248:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.249:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.250:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.41:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.42:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.43:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.398:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.185:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.186:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.188:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.189:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.133:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.134:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.361:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.407:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.369:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.370:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.371:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.372:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.348:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.325:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.326:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.327:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.328:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.408:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.160:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.161:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.162:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.163:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.173:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.174:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.418:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.419:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.191:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.192:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.193:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.190:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.450:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.461:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.535:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.144:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.145:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.146:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.147:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.265:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.266:C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

---Panda results---

Incident Status Location

Adware:adware/ipinsight Not disinfected c:\windows\inf\polall1r.inf
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Adware:adware/portalscan Not disinfected c:\program files\STC
Adware:adware/iedriver Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Adware:Adware/PurityScan Not disinfected C:\!Submit\enth.exe
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Installer.class]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.go.com/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.rightmedia.net/]
Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\HJT forum files\n489jdP.zip[n489jdP.exe]
Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\HJT forum files\s2aP6Ra8.zip[s2aP6Ra8.exe]
Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\HJT forum files\esyn.zip[esyn.dll]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\enth.zip[enth.exe]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\drm.zip[drm.dll]
Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\n489jdP.zip[n489jdP.exe]
Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\s2aP6Ra8.zip[s2aP6Ra8.exe]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\enth.zip[enth.exe]
Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\esyn.zip[esyn.dll]
Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\drm.zip[drm.dll]

---main.txt---

Deckard's System Scanner v20070809.63
Run by Dave on 2007-08-11 at 15:13:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
107: 2007-08-11 20:13:16 UTC - RP1106 - Deckard's System Scanner Restore Point
106: 2007-08-10 19:15:18 UTC - RP1105 - System Checkpoint
105: 2007-08-09 18:33:12 UTC - RP1104 - Software Distribution Service 3.0
104: 2007-08-08 13:51:22 UTC - RP1103 - Software Distribution Service 3.0
103: 2007-08-07 13:28:30 UTC - RP1102 - Software Distribution Service 3.0

-- First Restore Point --
1: 2007-05-14 14:00:58 UTC - RP1000 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-11 15:15:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16473)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\David K. Land\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10292&ttid=104
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O4 - HKEY_LOCAL_MACHINE\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKEY_LOCAL_MACHINE\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\Program Files\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\Program Files\CheckIt\86\CheckIt86.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://akamai.net (HKCU)
O15 - Trusted Zone: http://live.com (HKCU)
O15 - Trusted Zone: http://netlibrary.com (HKCU)
O15 - Trusted Zone: http://start.com (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ampfemail.ampadvisor.aexp.co...om0/iNotes.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1152030466531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152030460656
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} () - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b.../java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - "C:\Program Files\CVSNT\cvslock.exe"
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - "C:\Program Files\CVSNT\cvsservice.exe"
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 SndTDriverV32 - c:\windows\system32\drivers\sndtdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>

S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel(R) iQVW32.SYS>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
S3 PacketNTx (Packet helper driver) - c:\windows\system32\drivers\packetntx.sys <Not Verified; Sumix Co.; Sumix Packet Helper Driver>
S3 PLCNDIS5 (PLCNDIS5 NDIS Protocol Driver) - c:\windows\system32\plcndis5.sys <Not Verified; Intellon, Inc.; PCAUSA Rawether for Windows>
S3 PSSdk21 - c:\windows\system32\drivers\hnpssdk.drv (file missing)
S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 cvslock (CVSNT Locking Service 2.5.03.2382) - "c:\program files\cvsnt\cvslock.exe"
R2 cvsnt (CVSNT Dispatch service 2.5.03.2382) - "c:\program files\cvsnt\cvsservice.exe" <Not Verified; March Hare Software Ltd; cvsnt>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D891028&REV_01\4&19FD8D60&0&40F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D891028&REV_01\4&19FD8D60&0&40F0
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-08-11 09:51:52 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2004-08-25 10:18:17 428 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job

-- Files created between 2007-07-11 and 2007-08-11 -----------------------------

2007-08-11 00:41:39 0 d-------- C:\Documents and Settings\David K. Land\Application Data\Grisoft
2007-08-11 00:20:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-05 19:56:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 19:41:53 0 d-------- C:\WINDOWS\network diagnostic
2007-08-05 16:08:05 0 d-------- C:\HiJackThis
2007-08-05 16:01:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-05 16:01:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-05 15:52:29 0 d-------- C:\Program Files\SpywareBlaster
2007-08-04 17:39:28 0 d-------- C:\Program Files\WndTabs.com
2007-08-02 14:18:26 0 d-------- C:\Documents and Settings\David K. Land\Application Data\pdf995
2007-08-02 14:16:31 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2007-08-02 14:16:30 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2007-08-02 14:16:30 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2007-08-02 14:15:52 0 d-------- C:\Program Files\pdf995
2007-07-29 12:13:54 0 d-------- C:\TJRescue
2007-07-29 12:10:41 0 d-------- C:\Documents and Settings\David K. Land\Application Data\SmartFTP
2007-07-29 12:10:10 0 d-------- C:\Program Files\SmartFTP Client
2007-07-28 15:08:41 44544 --a------ C:\WINDOWS\system32\r3dgif89.dll <Not Verified; ; Gif89 Module>
2007-07-28 15:08:40 0 d-------- C:\Risen3D
2007-07-28 01:38:47 0 d--h----- C:\WINDOWS\PIF
2007-07-27 23:49:51 417792 --a------ C:\WINDOWS\system32\MsRepl35.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2007-07-27 23:49:51 262144 --a------ C:\WINDOWS\system32\MSRD2x35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-07-27 23:49:47 0 d-------- C:\Program Files\windoom
2007-07-27 23:49:28 29696 --a------ C:\WINDOWS\system32\VB5StKit.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-07-27 23:49:28 71680 --a------ C:\WINDOWS\ST5UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-07-27 23:45:02 0 d-------- C:\windoom
2007-07-26 23:03:11 0 d-------- C:\chocolate-doom-0.1.1 <CHOCOL~1.1>
2007-07-25 23:27:55 0 d-------- C:\Documents and Settings\David K. Land\Application Data\WinRAR
2007-07-25 23:27:16 1207026 --a------ C:\wrar370.exe
2007-07-25 23:26:19 0 d-------- C:\doomsrc
2007-07-25 11:40:28 0 d-------- C:\Documents and Settings\David K. Land\Application Data\ZoomBrowser EX
2007-07-25 11:29:54 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-07-25 11:29:30 0 d-------- C:\Program Files\Canon
2007-07-25 11:16:08 0 d-------- C:\Program Files\Common Files\Canon

-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:45:03 0 d-------- C:\Program Files\Windows Defender
2007-08-11 10:39:25 0 d-------- C:\Program Files\Norton AntiVirus
2007-08-11 10:24:51 0 d-------- C:\Program Files\CVSNT
2007-08-11 10:24:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-05 16:51:46 0 d-------- C:\Program Files\PeDevice
2007-08-05 16:01:38 0 d-------- C:\Program Files\Lavasoft
2007-08-05 16:01:07 0 d-------- C:\Program Files\Common Files
2007-07-28 12:26:43 0 d-------- C:\Program Files\SourceGear
2007-07-03 23:54:50 0 d-------- C:\Program Files\Taldren
2007-07-01 14:32:35 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-07-01 14:29:34 0 d-------- C:\Documents and Settings\David K. Land\Application Data\InstallShield

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [04/03/2002 03:01 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 03:00 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2003 01:16 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [07/17/2003 01:16 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 04:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 05:48 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 04:48 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 04:22 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07/29/2006 07:34 PM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 04:40 AM]

C:\Documents and Settings\David K. Land\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [5/23/2006 5:17:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CheckIt 86.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CheckIt 86.lnk
backup=C:\WINDOWS\pss\CheckIt 86.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David K. Land^Start Menu^Programs^Startup^Outlook Express Monitor.lnk]
path=C:\Documents and Settings\David K. Land\Start Menu\Programs\Startup\Outlook Express Monitor.lnk
backup=C:\WINDOWS\pss\Outlook Express Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David K. Land^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=C:\Documents and Settings\David K. Land\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=C:\WINDOWS\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - AVGASCLN

-- End of Deckard's System Scanner: finished at 2007-08-11 at 15:18:42 ---------

Thanks again,
Dave

Ried · 08-11-2007, 08:39 PM

Hi Dave,

No worries about AVG A-S. We recommend that you Quarantine what it finds in the unlikely event it removes somthing legit. It can then be moved back, should that occur. Any cookies it finds will automatically be deleted, for everything else it finds, try to remember to Quarantine them first.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

MaxSpeed

*Let me know if you had trouble uninstalling this.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

Did you set these yourself? Given the symptoms you've described, I'd like you to clear them:

O15 - Trusted Zone: http://akamai.net (HKCU)
O15 - Trusted Zone: http://live.com (HKCU)
O15 - Trusted Zone: http://netlibrary.com (HKCU)
O15 - Trusted Zone: http://start.com (HKCU)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders

C:\ !Submit
c:\program files\ STC
c:\windows\ didduid.ini
c:\windows\inf\ polall1r.inf
c:\windows\ sepsd.bin

--------------------------------------------------------------------

Clear Sun Java cache: (v.1.5)

Click on Start->Settings->Control Panel->Java Plug-in (If you do not see the icon, look to your left and click 'Switch to Classic View'. Click the Settings button under Internet Explorer near the bottom, and click on Delete Files and click OK and OK.

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
  Downloaded Applications
  Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

--------------------------------------------------------------------

Please empty your Outlook Express Sent Items folder. To do so:

Open Outlook Express
Right click on Sent Items
Select 'Empty Sent Items folder'.
Click 'Yes' at the next popup box to succesfully empty the Sent Items folder.

If there are Sent items you'd like to keep, then look for and delete these:

Files from http://forums.spywareinfo.com\drm.zip[drm.dll]
Files from http://forums.spywareinfo.com\enth.zip[enth.exe]
Files from http://forums.spywareinfo.com\esyn.zip[esyn.dll]
Files from http://forums.spywareinfo.com\n489jdP.zip[n489jdP.exe]
Files from http://forums.spywareinfo.com\s2aP6Ra8.zip[s2aP6Ra8.exe]
HJT forum files\drm.zip[drm.dll]
HJT forum files\enth.zip[enth.exe]
HJT forum files\esyn.zip[esyn.dll]
HJT forum files\n489jdP.zip[n489jdP.exe]
HJT forum files\s2aP6Ra8.zip[s2aP6Ra8.exe]

Did someone previously get assistance from another forum in cleaning this system?

-------------------------------------------------------------

Perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users**

If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

How is your system behaving?

dland · 08-12-2007, 12:17 PM

In general my system is behaving fine. The only thing that alerted me to any problems was that email that I didn't send that was returned to me.

I did get some help on an HJT forum (apparently forums.spywareinfo.com) to clean my system a few years ago. That's where the files attached to the Outlook emails were from.

Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 2:10:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 378969
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 104733
Number of viruses found: 18
Number of infected objects: 41
Number of suspicious objects: 2
Duration of the scan process: 02:37:14

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03102007-222749.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\David K. Land\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DB45D1BB-F886-459A-B824-6800EB2FB427} Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\History\History.IE5\MSHist012007081220070813\index.dat Object is locked skipped
C:\Documents and Settings\David K. Land\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David K. Land\ntuser.dat Object is locked skipped
C:\Documents and Settings\David K. Land\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\FINDnFIX\keys1\NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped
C:\Inetpub\wwwroot\WebApplication1\AssemblyInfo.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\bin\WebApplication1.dll Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\bin\WebApplication1.pdb Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Global.asax Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Global.asax.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Global.asax.resx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Service1.asmx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Service1.asmx.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Service1.asmx.resx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\test1.html Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\test2.html Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\Web.config Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebApplication1.csproj Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebApplication1.csproj.webinfo Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebApplication1.sln Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebApplication1.suo Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebApplication1.vsdisco Object is locked skipped
C:\Inetpub\wwwroot\WebApplication1\WebForm1.aspx.resx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\AssemblyInfo.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Class1.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\db1.mdb Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax.resx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\test.html Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\test.txt Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Tester.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Web.config Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.csproj Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.csproj.webinfo Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.vsdisco Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx.cs Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx.resx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication2\_vti_pvt\linkinfo.cnf Object is locked skipped
C:\Inetpub\wwwroot\WebApplication3\WebForm2.aspx Object is locked skipped
C:\Inetpub\wwwroot\WebApplication4\WebForm2.aspx Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\IssueTrackerStarterKit.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\IssueTrackerStarterKit_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\MyTimeTracker_Data.MDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\MyTimeTracker_Log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs_log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\test_Data.MDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\test_Log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\TimeTracker.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\TimeTracker_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\11922C34.exe Infected: Trojan.Win32.Qhost.bi skipped
C:\Program Files\Norton AntiVirus\Quarantine\6BB745F1 Infected: Email-Worm.Win32.Swen skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\RECYCLER\S-1-5-21-823518204-1482476501-839522115-1004\Dc1\enth.exe Infected: not-a-virus:AdWare.Win32.PurityScan.w skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057136.exe/keys1/NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057136.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe Inno: infected - 4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058164.dll Infected: Trojan-Dropper.Win32.Small.ly skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058167.exe Infected: Trojan.Win32.Qhost.x skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe/data0001.bin Infected: not-a-virus:AdWare.Win32.MDH.a skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe AWInstall: infected - 1 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061583.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061584.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061585.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061586.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061587.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061588.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061589.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061590.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061591.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061592.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061593.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061594.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061595.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061596.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061597.exe Infected: Trojan-Downloader.Win32.VB.em skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061598.exe Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.ac skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0006 Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0008 Infected: Trojan-Downloader.Win32.Turown.g skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0012 Infected: Trojan-Downloader.Win32.VB.cw skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061601.exe Infected: not-a-virus:AdWare.Win32.Midadle.d skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061602.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.c skipped
C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1106\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1D298612-44E1-4296-BF1D-6BCA64AC1C4B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_80.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Ried · 08-12-2007, 05:42 PM

Hi Dave,

Kaspersky is only reporting items already quarantined by onboard tools. We'll take care of that now.

Delete the following folder:

C:\Deckard

-Empty your Recycle Bin and your Norton AntiVirus Quarantine folder.

-Launch Spybot S&D and click 'Recovery' on the left menu. Purge all items.

**************************************************

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Ensure Windows Auto Update is Enabled
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.

**************************************************************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)

Now navigate to C:\ie-spyad. Double click to open it.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

dland · 08-13-2007, 09:13 PM

That's great, thank you so much. The fact that there are communities out there like this where people are willing to help complete strangers for free almost restores all the faith in humanity that I lost after having so much malware loaded on to my computer.

I think I'll go make a donation now.

Thanks again!

Dave

Ried · 08-14-2007, 07:02 AM

You're most welcome, Dave. Thank you for the kind words--they are few and far between.

Best regards,

Lisa

08-05-2007, 09:23 PM	#1 (permalink)
dland Registered User Join Date: Dec 2006 Posts: 10 OS: WinXP	Possible Spamming Virus I recently received an email from a postmaster saying that a spam email that had been sent by my account was sent to a user that could not be reached. Since I don't spam people, I assumed that I had contracted a virus that is using my email for its own nefarious purposes (unless the postmaster email is a fake). Anyway, this prompted me to run some long-overdue spyware scans which revealed a lot of issues with my system. I used Spybot and Adaware to remove quite a few but Panda Active Scan still found a lot. Here is my HiJackThis log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:13:47 PM, on 8/5/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\CVSNT\cvslock.exe C:\Program Files\CVSNT\cvsservice.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Google\Google Talk\googletalk.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\HiJackThis\HiJackThis_v2.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10292&ttid=104 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing) O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing) O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.akamai.net O15 - Trusted Zone: http://.live.com O15 - Trusted Zone: http://.netlibrary.com O15 - Trusted Zone: http://.start.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ampfemail.ampadvisor.aexp.co...om0/iNotes.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1152030466531 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152030460656 O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b.../java/RntX.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{974A6EBD-595C-4796-B43F-04B6D928C155}: NameServer = 10.9.2.200 10.9.2.205 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe -- End of file - 9448 bytes Here is my Panda log: Incident Status Location Virus:trj/downloader.aee Disinfected Operating system Adware:adware/ipinsight Not disinfected c:\windows\inf\polall1r.inf Adware:adware/ncase Not disinfected c:\windows\didduid.ini Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin Adware:adware/portalscan Not disinfected c:\program files\STC Adware:adware/iedriver Not disinfected Windows Registry Adware:adware/sahagent Not disinfected Windows Registry Adware:adware/delfinmedia Not disinfected Windows Registry Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Ahy0J.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\AyeYd.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Cxmql42.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Fah1q5.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\HuoTdA.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Ioq3SEW6.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Jlyov72.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Lus22B.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\QlsO0A55.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Sacm.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Szep85ln.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\VsbW.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Xay5.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Zaf85.exe Adware:Adware/MemoryWatcher Not disinfected C:\!PeperFix\Zvn6.exe Adware:Adware/PurityScan Not disinfected C:\!Submit\enth.exe Adware:Adware/Midaddle Not disinfected C:\!Submit\n489jdP.exe Adware:Adware/StatBlaster Not disinfected C:\!Submit\s2aP6Ra8.exe Adware:Adware/BrowserAid Not disinfected C:\dist1_1_00.exe Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.com.com/] Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[www.burstbeacon.com/] Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.burstnet.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.statcounter.com/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.112.2o7.net/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.2o7.net/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.adultfriendfinder.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.atwola.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.bs.serving-sys.com/] Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.ccbill.com/] Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.cs.sexcounter.com/] Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.go.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.overture.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.perf.overture.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.realmedia.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[.xiti.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[server.iad.liveperson.net/] Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Firefox\Profiles\z7ce7b3d.default\cookies.txt[server.iad.liveperson.net/hc/73488016] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.2o7.net/] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.atwola.com/] Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.cs.sexcounter.com/] Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.go.com/] Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.paycounter.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.questionmarket.com/] Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.webpower.com/] Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\David K. Land\Application Data\Mozilla\Profiles\default\aesw3y7k.slt\cookies.txt[.yadro.ru/] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[GetAccess.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[InsecureClassLoader.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Dummy.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-21cc6023.zip[Installer.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[GetAccess.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[InsecureClassLoader.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Dummy.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-73d6fff5.zip[Installer.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[GetAccess.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[InsecureClassLoader.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Dummy.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\David K. Land\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3a0e8367.zip[Installer.class] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@com[1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@go[2].txt Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\David K. Land\Cookies\dave@metriweb[1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\David K. Land\Cookies\david_k._land@go[2].txt Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\David K. Land\My Documents\HijackThis\backups\backup-20041222-201638-280.dll Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.2o7.net/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.112.2o7.net/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.overture.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.perf.overture.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.advertising.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.advertising.com/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ads.addynamix.com/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.atwola.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.statcounter.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.maxserving.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[citi.bridgetrack.com/] Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.zedo.com/] Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.z1.adserver.com/] Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.burstnet.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.realmedia.com/] Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.belnk.com/] Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[searchportal.information.com/] Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.revenue.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.apmebf.com/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.phg.hitbox.com/] Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.fortunecity.com/] Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.targetnet.com/] Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.ath.belnk.com/] Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.go.com/] Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.bfast.com/] Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[statse.webtrendslive.com/] Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[counter.hitslink.com/] Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.statse.webtrendslive.com/dcsx41mnd5twkf8wyp5mo4xok_6c8d] Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.centrport.net/] Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.tickle.com/] Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.bluestreak.com/] Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.target.com/] Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[statse.webtrendslive.com/S131024] Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Tamara Faraone\Application Data\Mozilla\Firefox\Profiles\8ssaeew9.default\cookies.txt[.rightmedia.net/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@112.2o7[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@247realmedia[1].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@2o7[2].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ad.yieldmanager[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@adrevolver[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@adrevolver[3].txt Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ads.addynamix[1].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ads.pointroll[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@advertising[2].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@atdmt[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@atwola[1].txt Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@bluestreak[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@burstnet[2].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@c5.zedo[1].txt Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@centrport[2].txt Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@delfinproject[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@doubleclick[1].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@ehg-dig.hitbox[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@fastclick[1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@go[2].txt Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@linksynergy[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@mediaplex[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@overture[2].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@perf.overture[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@questionmarket[2].txt Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@rightmedia[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@server.iad.liveperson[2].txt Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@stat.onestat[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@statcounter[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@trafficmp[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@tribalfusion[2].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@www.burstbeacon[1].txt Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@z1.adserver[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tamara Faraone\Cookies\tamara faraone@zedo[1].txt Adware:Adware/StartPage.BR Not disinfected C:\FINDnFIX\Files2\un.exe Adware:Adware/IEDriver Not disinfected C:\Overpro323.exe Virus:Generic Malware Disinfected C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll Virus:Trj/Downloader.gen Disinfected C:\Program Files\Internet Explorer\blvbdhuy.exe Adware:Adware/Midaddle Not disinfected C:\WINDOWS\Temp\addit.exe[clicks.dll] Adware:Adware/Midaddle Not disinfected C:\WINDOWS\Temp\addit.exe[Updater.exe] Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe] Virus:Trj/Downloader.OE Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][dp-him.exe] Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][IEHost.EXE] Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][Searchx.htm] Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][terrabyte.exe] Adware:Adware/IEDriver Not disinfected C:\WINDOWS\Temp\all_files10.exe[Overpro323.exe][ms.exe] Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\Temp\all_files10.exe[july14_loader.exe] Adware:Adware/eZula Not disinfected C:\WINDOWS\Temp\all_files10.exe[ezStub.exe] Virus:Trj/CHost.A Not disinfected C:\WINDOWS\Temp\all_files10.exe[EXACTADVERTISING.exe] Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\Temp\all_files10.exe[dist1_1_00.exe] Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\HJT forum files\n489jdP.zip[n489jdP.exe] Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\HJT forum files\s2aP6Ra8.zip[s2aP6Ra8.exe] Virus:Trj/Downloader.ADH Disinfected Personal Folders\Sent Items\HJT forum files\winpack.zip[winpack.exe] Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\HJT forum files\esyn.zip[esyn.dll] Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\enth.zip[enth.exe] Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\HJT forum files\drm.zip[drm.dll] Adware:Adware/Midaddle Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\n489jdP.zip[n489jdP.exe] Adware:Adware/StatBlaster Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\s2aP6Ra8.zip[s2aP6Ra8.exe] Virus:Trj/Downloader.ADH Disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\winpack.zip[winpack.exe] Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\enth.zip[enth.exe] Adware:Adware/ESyndicate Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\esyn.zip[esyn.dll] Adware:Adware/PurityScan Not disinfected Personal Folders\Sent Items\Files from http://forums.spywareinfo.com\drm.zip[drm.dll] Thanks for the help, Dave

08-09-2007, 01:14 PM	#2 (permalink)
dland Registered User Join Date: Dec 2006 Posts: 10 OS: WinXP	Re: Possible Spamming Virus Bump.

08-10-2007, 10:01 PM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Re: Possible Spamming Virus Hello Dave, Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. Also be sure to carry out the instructions in the sequence listed below. ************************************************* You sure have a lot of junk on this system that your onboard tools have left behind. Download AVG Anti Spyware Install AVG Anti Spyware Double-click the icon on Desktop to launch AVG On the main Status screen, under Your Computer's Security, click Resident Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Do Not Automatically generate report after every scan" When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly. ----------------------------------------------------------------------- Download and install CleanUp! but do not run it yet. (Not Recommended for XP64)*. -------------------------------------------------------------------- Close any open browsers. -------------------------------------------------------------------- WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files"* and uncheck the box for "Scan drives for file matching" if it's checked. Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. -------------------------------------------------------------------- Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). ----------------------------------------------------------------------- Reboot your system. ----------------------------------------------------------------------- Run another online scan at Panda and save the results. ----------------------------------------------------------------------- Desktop. What DSS will do: create a new System Restore point in Windows XP and Vista. clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives. check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed. Note: You must be logged onto an account with administrator privileges. Close all applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply. Please attach extra.txt to your post. To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt Click Upload. Please include the following in your next reply: AVG A-S report Panda results main.txt an attached extra.txt Did you recently send some zipped sample files to Spywareinfo? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-11-2007, 09:20 AM	#4 (permalink)
dland Registered User Join Date: Dec 2006 Posts: 10 OS: WinXP	Re: Possible Spamming Virus Ried, Thanks for the help. I got to the part referencing DSS and wasn't sure what to do. It almost looks like some of the post is missing. Could you further explain please? Thanks, Dave

08-11-2007, 10:16 AM	#5 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Re: Possible Spamming Virus My apologies, Dave. The link did indeed get cut off in my editing. Download Deckard's System Scanner (DSS) to your Desktop. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-11-2007, 08:39 PM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Re: Possible Spamming Virus Hi Dave, No worries about AVG A-S. We recommend that you Quarantine what it finds in the unlikely event it removes somthing legit. It can then be moved back, should that occur. Any cookies it finds will automatically be deleted, for everything else it finds, try to remember to Quarantine them first. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. Also be sure to carry out the instructions in the sequence listed below. ************************************************* Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) MaxSpeed** Let me know if you had trouble uninstalling this. -------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries: O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing) O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing) Did you set these yourself? Given the symptoms you've described, I'd like you to clear them: O15 - Trusted Zone: http://akamai.net (HKCU) O15 - Trusted Zone: http://live.com (HKCU) O15 - Trusted Zone: http://netlibrary.com (HKCU) O15 - Trusted Zone: http://start.com (HKCU) Click 'Fix Checked'* and close HijackThis. -------------------------------------------------------------------- Please ensure Hidden files and folders are viewable: Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. -------------------------------------------------------------------- Using 'My Computer', navigate to and delete the following Files and Folders C:\ !Submit c:\program files\ STC c:\windows\ didduid.ini c:\windows\inf\ polall1r.inf c:\windows\ sepsd.bin -------------------------------------------------------------------- Clear Sun Java cache: (v.1.5) Click on Start->Settings->Control Panel->Java Plug-in (If you do not see the icon, look to your left and click 'Switch to Classic View'. Click the Settings button under Internet Explorer near the bottom, and click on Delete Files and click OK and OK. See this page for instructions on how to clear java's cache. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. -------------------------------------------------------------------- Please empty your Outlook Express Sent Items folder. To do so: Open Outlook Express Right click on Sent Items Select 'Empty Sent Items folder'. Click 'Yes' at the next popup box to succesfully empty the Sent Items folder. If there are Sent items you'd like to keep, then look for and delete these: Files from http://forums.spywareinfo.com\drm.zip[drm.dll] Files from http://forums.spywareinfo.com\enth.zip[enth.exe] Files from http://forums.spywareinfo.com\esyn.zip[esyn.dll] Files from http://forums.spywareinfo.com\n489jdP.zip[n489jdP.exe] Files from http://forums.spywareinfo.com\s2aP6Ra8.zip[s2aP6Ra8.exe] HJT forum files\drm.zip[drm.dll] HJT forum files\enth.zip[enth.exe] HJT forum files\esyn.zip[esyn.dll] HJT forum files\n489jdP.zip[n489jdP.exe] HJT forum files\s2aP6Ra8.zip[s2aP6Ra8.exe] Did someone previously get assistance from another forum in cleaning this system? ------------------------------------------------------------- Perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply Note for Internet Explorer 7 users If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. How is your system behaving? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-12-2007, 12:17 PM	#8 (permalink)
dland Registered User Join Date: Dec 2006 Posts: 10 OS: WinXP	Re: Possible Spamming Virus In general my system is behaving fine. The only thing that alerted me to any problems was that email that I didn't send that was returned to me. I did get some help on an HJT forum (apparently forums.spywareinfo.com) to clean my system a few years ago. That's where the files attached to the Outlook emails were from. Here is the Kaspersky report: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, August 12, 2007 2:10:41 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 12/08/2007 Kaspersky Anti-Virus database records: 378969 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 104733 Number of viruses found: 18 Number of infected objects: 41 Number of suspicious objects: 2 Duration of the scan process: 02:37:14 Infected Object Name / Virus Name / Last Action C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03102007-222749.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip/install.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\David K. Land\Cookies\index.dat Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DB45D1BB-F886-459A-B824-6800EB2FB427} Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\History\History.IE5\MSHist012007081220070813\index.dat Object is locked skipped C:\Documents and Settings\David K. Land\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\David K. Land\ntuser.dat Object is locked skipped C:\Documents and Settings\David K. Land\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\FINDnFIX\keys1\NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped C:\Inetpub\wwwroot\WebApplication1\AssemblyInfo.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\bin\WebApplication1.dll Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\bin\WebApplication1.pdb Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Global.asax Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Global.asax.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Global.asax.resx Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Service1.asmx Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Service1.asmx.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Service1.asmx.resx Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\test1.html Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\test2.html Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\Web.config Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebApplication1.csproj Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebApplication1.csproj.webinfo Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebApplication1.sln Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebApplication1.suo Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebApplication1.vsdisco Object is locked skipped C:\Inetpub\wwwroot\WebApplication1\WebForm1.aspx.resx Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\AssemblyInfo.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Class1.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\db1.mdb Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Global.asax.resx Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\test.html Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\test.txt Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Tester.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\Web.config Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.csproj Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.csproj.webinfo Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebApplication2.vsdisco Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx.cs Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_cnf\WebForm1.aspx.resx Object is locked skipped C:\Inetpub\wwwroot\WebApplication2\_vti_pvt\linkinfo.cnf Object is locked skipped C:\Inetpub\wwwroot\WebApplication3\WebForm2.aspx Object is locked skipped C:\Inetpub\wwwroot\WebApplication4\WebForm2.aspx Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\IssueTrackerStarterKit.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\IssueTrackerStarterKit_log.LDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdbdata.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdblog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\MyTimeTracker_Data.MDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\MyTimeTracker_Log.LDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\northwnd.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\pubs_log.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\test_Data.MDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\test_Log.LDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\TimeTracker.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\Data\TimeTracker_log.LDF Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\Quarantine\11922C34.exe Infected: Trojan.Win32.Qhost.bi skipped C:\Program Files\Norton AntiVirus\Quarantine\6BB745F1 Infected: Email-Worm.Win32.Swen skipped C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped C:\RECYCLER\S-1-5-21-823518204-1482476501-839522115-1004\Dc1\enth.exe Infected: not-a-virus:AdWare.Win32.PurityScan.w skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057136.exe/keys1/NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057136.exe ZIP: infected - 1 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1072\A0057165.exe Inno: infected - 4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058164.dll Infected: Trojan-Dropper.Win32.Small.ly skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058167.exe Infected: Trojan.Win32.Qhost.x skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe/data0001.bin Infected: not-a-virus:AdWare.Win32.MDH.a skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe AWInstall: infected - 1 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1091\A0058169.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061583.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061584.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061585.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061586.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061587.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061588.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061589.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061590.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061591.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061592.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061593.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061594.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061595.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061596.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061597.exe Infected: Trojan-Downloader.Win32.VB.em skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061598.exe Infected: Trojan-Downloader.Win32.Agent.ec skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.ac skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0006 Infected: Trojan-Downloader.Win32.Turown.h skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0008 Infected: Trojan-Downloader.Win32.Turown.g skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe/data0012 Infected: Trojan-Downloader.Win32.VB.cw skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061600.exe NSIS: infected - 4 skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061601.exe Infected: not-a-virus:AdWare.Win32.Midadle.d skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1105\A0061602.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.c skipped C:\System Volume Information\_restore{D6444FA4-513D-49C7-A150-DECE45EBB665}\RP1106\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{1D298612-44E1-4296-BF1D-6BCA64AC1C4B}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_80.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

08-12-2007, 05:42 PM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Re: Possible Spamming Virus Hi Dave, Kaspersky is only reporting items already quarantined by onboard tools. We'll take care of that now. Delete the following folder: C:\Deckard -Empty your Recycle Bin and your Norton AntiVirus Quarantine folder. -Launch Spybot S&D and click 'Recovery' on the left menu. Purge all items. ************************************************ Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links: Reset hidden/system files and folders Windows XP =============== Click Start*. Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Ensure Windows Auto Update is Enabled Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will flush out previous restore points (which contain the infections) and create a new restore point. ************************************************************************************ To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Spyware Guard to catch and block spyware before it can execute. IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) Now navigate to C:\ie-spyad. Double click to open it. From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6*. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version. Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ----------------------------------------------------- Follow the list above and the potential for infection will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-13-2007, 09:13 PM	#10 (permalink)
dland Registered User Join Date: Dec 2006 Posts: 10 OS: WinXP	Re: Possible Spamming Virus That's great, thank you so much. The fact that there are communities out there like this where people are willing to help complete strangers for free almost restores all the faith in humanity that I lost after having so much malware loaded on to my computer. I think I'll go make a donation now. Thanks again! Dave

08-14-2007, 07:02 AM	#11 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Re: Possible Spamming Virus You're most welcome, Dave. Thank you for the kind words--they are few and far between. Best regards, Lisa __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."