Tech Support Forum
| Resolved HJT Threads Resolved spyware and popup issues. |
#21 (permalink) |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
new findit log and mwav log....
I ran the issues part of ccleaner, and it found over 500 issues, which i backed up first, then deleted. Ran it again to be safe, and it found 54 more issues which i backed up and then deleted. I also ran those files in kill box like you said, but findit still finds it....i also did the hosts thing, but when i opened it up on notepad, nothing was there. Is that a bad thing?
here's the findit log:

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Tue 05/24/2005

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is CCFB-26C6
Directory of C:\WINNT\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is CCFB-26C6
Directory of C:\WINNT\system32
05/22/2005 05:23p 3,262 porn1234.ico
05/22/2005 05:23p 3,262 girl12.ico
05/22/2005 05:23p 4,286 kill evidence 21.ico
05/22/2005 05:23p 4,286 kill internet popups1.ico
05/22/2005 05:23p 4,286 moviesgreen.ico
5 File(s) 19,382 bytes
0 Dir(s) 13,225,541,632 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\

here's the mwav log:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\d_loader.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ttinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\system32\gpstool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AAA8135F-D41A-4e85-A40F-58E6BE393E6F}" refers to invalid object "417F2800-62F5-4385-82E1-7FE61500CB3D". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.

my computer is running fine as far as i can tell...it's just sometimes when i'm viewing pages in this forum, i get a popup saying that my active x security settings do not allow certain items to be displayed correctly...i've never had that happen before. can i uninstall ewido? it seems to slow my puter down on startup. thanks again
Last edited by dragonballfan; 05-24-2005 at 04:25 PM. |
|
|
|
|
#22 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
|
Reboot to Safe mode and use killbox to kill these:
C:\WINNT\system32\porn1234.ico
C:\WINNT\system32\girl12.ico
C:\WINNT\system32\kill evidence 21.ico
C:\WINNT\system32\kill internet popups1.ico
C:\WINNT\system32\moviesgreen.ico

Navigate into the registry as you did before and delete the item in Bold:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\

A question - what 'host thing' are you referring to? If it was HOSTERs - it should not have opened up in notepad, it should have been an EXE.

Run the scans again in Normal Mode. No need for an mwav this time.. just a Findit and an HJT scan please.

PS - as long as you have virus protection, you may uninstall ewido.
Last edited by POADB; 05-25-2005 at 03:29 AM. |
|
|
|
|
#23 (permalink) | |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
Quote:
here's the new findit log:

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 05/25/2005

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is CCFB-26C6
Directory of C:\WINNT\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is CCFB-26C6
Directory of C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»».

and here's the new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:55 AM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Browser MOUSE\mouse32a.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

End of KRC HijackThis Analyzer Log.
==================================================================== |
|
|
|
|
|
#25 (permalink) |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
everything is great!!! thank you very much...
mwav still finds things though. is that ok? Also, could you please tell me why vroomsearch got in my system in the first place? I have spywareguard and spywareblaster, but it got through. Hotbarsearch gets through all the time too. Will IESPYAD help? I get confused about how to install that program, also, which one would I use? There's two of em. I would like to use mozilla/firefox, but when I installed before, windows kept shutting it down. Any suggestions? I still keep getting a popup about my ActiveX control settings don't allow some things to be viewed correctly..But I've never messed with the settings! And I've never had that happen before. So far, it has only happened when I come to this site. Thanks Again....
Last edited by dragonballfan; 05-25-2005 at 12:10 PM. |
|
|
|
|
#26 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Hi,
Would you please post up another Mwav for review. Let's be sure everything is gone. The Startdreck also is still under review. The popup you are getting about ActiveX is actually a 'good' thing. Your system is blocking it from being placed on your PC. Regarding which IESpyad to use: (https://netfiles.uiuc.edu/ehowes/www/resource.htm) The original IE-SPYAD installs to the Registry location for the current user of the PC; IE-SPYAD2 installs to the global machine location, thus affecting all users and accounts on the PC. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. |
|
|
|
|
#27 (permalink) |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
here's the mwav log:
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\d_loader.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ttinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\system32\gpstool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AAA8135F-D41A-4e85-A40F-58E6BE393E6F}" refers to invalid object "417F2800-62F5-4385-82E1-7FE61500CB3D". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.

I installed the IE-SPYAD, and I already have zonealarm, avg antivirus, spywareguard, and spyblaster...But that vroomsearch still got through. Thanks again for your help!! |
|
|
|
|
#28 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
|
OK - please download ccleaner from this location: http://www.ccleaner.com/ccdownload.asp
This would also be a good time to update Adaware and Spybot and run them. Fix anything they find. If you do not have the programs installed already, download them now. I will issue instructions on exactly how to set them up below:

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot.

If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

When you are done - it's important you check your system again. In fact - if you are still experiencing problems - bring us a NEW Start Dreck log to look at.
|
|
|
|
|
#29 (permalink) |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
Good Morning....
I already had ccleaner, adaware, and spybot.(just had to check teatimer)
I ran all three. ccleaner did it's cleanup, and adaware and spybot found nothing. The only thing i'm concerned about is what mwav is finding. Here's the new startdreck log: (how did the other one look?):
Another question...When is a good time to delete the backups that I created with CCleaner? Since I have CCleaner, should I still keep using CleanUp?
My computer is working good. I haven't visited many sites since I started getting help from ya'all though. (I'm nervous about something else that might get on my puter) Thanks again...
|
|
|
|
|
#30 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Hi,
Make sure this is still in effect: Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. Search All Files/Folders for Altnet and delete anything you find. The rest are just orphaned registry entries. Just clean again with CCleaner. |
|
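The split made in the reply above, one file-system detection versus registry entries that point at nothing, can be checked rather than taken from the scanner's wording. The following is an added example, not part of the original thread and not the scanner's own tooling: a Python parser for the MWAV line format posted here that verifies on disk whether each "invalid object" path is really absent. The names `parse_mwav`, `triage` and the `file_exists` callback are assumptions made for illustration.

```python
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: the MWAV lines as posted in this thread.
SAMPLE_LOG = r'''
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\d_loader.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ttinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\system32\gpstool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AAA8135F-D41A-4e85-A40F-58E6BE393E6F}" refers to invalid object "417F2800-62F5-4385-82E1-7FE61500CB3D". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
'''

# Patterns match on the record text, not on line breaks, so a log that a forum
# has flattened into one long line parses the same as the original file.
OBJECT_RE = re.compile(
    r'Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)!\s*'
    r'Action Taken: (?P<action>[^.]+)\.')
ENTRY_RE = re.compile(
    r'Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]*)"\.\s*'
    r'Action Taken: (?P<action>[^.]+)\.')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_mwav(text: str) -> List[Dict[str, str]]:
    """Return the log's records in the order they appear."""
    found = []
    for m in OBJECT_RE.finditer(text):
        found.append((m.start(), {"kind": "object", "name": m["name"],
                                  "where": m["where"].strip(),
                                  "action": m["action"].strip()}))
    for m in ENTRY_RE.finditer(text):
        found.append((m.start(), {"kind": "entry", "key": m["key"],
                                  "target": m["target"],
                                  "action": m["action"].strip()}))
    return [rec for _, rec in sorted(found, key=lambda item: item[0])]


def triage(records: List[Dict[str, str]],
           file_exists: Callable[[str], bool] = os.path.exists
           ) -> List[Tuple[str, Dict[str, str]]]:
    """Label each record.

    detection         - scanner matched something on disk; the line carries no
                        path, so the file still has to be located by search
    orphan            - registry value names a full path that is absent
    reference-live    - registry value names a full path that IS present, so
                        the scanner's "invalid" label does not hold: inspect it
    orphan-unverified - target is a GUID or bare file name; nothing to check
    """
    out = []
    for rec in records:
        if rec["kind"] == "object":
            verdict = "detection"
        elif ABS_PATH_RE.match(rec["target"]):
            verdict = "reference-live" if file_exists(rec["target"]) else "orphan"
        else:
            verdict = "orphan-unverified"
        out.append((verdict, rec))
    return out


if __name__ == "__main__":
    for verdict, rec in triage(parse_mwav(SAMPLE_LOG)):
        print(f"{verdict:18} {rec.get('name') or rec['target']}")
```

Run on the affected machine so that the default `os.path.exists` check sees the real file system; anywhere else every full path reports as absent.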
|
|
|
#31 (permalink) |
|
Member
Join Date: Apr 2005
Posts: 23
OS: 2000
|
found where altnet is...
I found where Altnet is. It's in the ActiveScan folder under PAV.SIG .
I opened it up onto notepad, and now it's on the notepad. Was that a bad thing? Can't I just take off the ActiveScan? When you say to be sure that Display the contents of system folders is checked, I can't find it to check it. Show hidden.... that's enabled. will be waiting for your reply....
|
|
|
|
|
#32 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
No...don't delete that.
"Panda's virus signatures are in the file PAV.SIG, which is contained in both PCPAV.CAB, the file you automatically download the first time you run our virus scanner, and also in PAV.ZIP, the file you manually download to update the virus signatures." http://www.pcpitstop.com/antivirus/AVmore.asp Then it's nothing to worry about. Your logs are clean and if there are no more problems you should be good to go. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools/programs provided. |
|
|