virsuses

Dmvgal · 10-10-2005, 12:36 PM

Hi
I am hoping you can help me. It seems that all of a sudden, I am getting a ton of viruses and BHO's. I am running windows xp and have ez firewall/antivirus from computer associates running. I have also run adaware 1.0.6.0. and spyware guard, but nothing is helping. I have spyfighter and it keeps popping up with a new BHO every few minutes. I keep scanning for viruses and more just come out of the wood work. My last virus scan showed 40 viruses under all the users on the computer They seem to be "installer.class;dummy.class; insecure.class;virifier.bug.class;a.class;getaccess.class;blackbox.class; vb.class and beyond.class" and they all seem to be a Javabyte verify exploit trojan, or a Java, shinwow.AM trojan. How can I stop these, other than shooting my husband and adult boys for going to some sites I know they should not go to.
I have downloaded and run the newest version of hijack this along with the analyzer and have attached a copy. Thanks for your tiime. Michele

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:24:26 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\ntau.exe
C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\SpyFighter\SpyFighter.exe
C:\WINDOWS\system32\addlf.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
C:\WINDOWS\system32\ipea32.exe
C:\WINDOWS\system32\winue32.exe
C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\HijackThis.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.406\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/NASAp...x.jsp?c_id=nyy
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dtlwd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Class - {C2CAFF59-2CB5-AC2F-01C3-DD7DBFA12089} - C:\WINDOWS\system32\netat.dll
O2 - BHO: Class - {D26AF2AB-0F2A-822B-1267-109C8769FEDC} - C:\WINDOWS\mskm.dll
O2 - BHO: Class - {EF566E13-6825-500A-957F-C72AD1DF5E45} - C:\WINDOWS\system32\msls.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [xp_system] C:\Program Files\TDS3\Ext.Sys\services.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipoj.exe] C:\WINDOWS\system32\ipoj.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\RunOnce: [ntau.exe] C:\WINDOWS\ntau.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099174164045
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activ...oadControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe

End of KRC HijackThis Analyzer Log.
====================================================================

sUBs · 10-10-2005, 01:01 PM

Hello and Welcome to TSF!

LOL..You can shoot him later. Right now, I need you to stay out of prison to do this fix.

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp!.exe - Install

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe

Open CWShredder and click - I AGREE
Click - Check For Update
Close CWShredder after updating

HSFix.zip

Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

ro.txt
Download it & rename it "ro.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as ro.reg.txt (double extensions)

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\ntau.exe
C:\WINDOWS\system32\addlf.exe
C:\WINDOWS\system32\ipea32.exe
C:\WINDOWS\system32\winue32.exe
C:\WINDOWS\dtlwd.dll
C:\WINDOWS\system32\netat.dll
C:\WINDOWS\mskm.dll
C:\WINDOWS\system32\msls.dll
C:\WINDOWS\system32\ipoj.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, reboot your computer in SafeMode :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

From Control Panel->Add/Remove Programs, uninstall the following programs, if present, :

SpyFighter
MyWay

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

Double-click on ro.REG & answer YES when prompted to merge into the Registry

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

Checkmark/tick - "Ignore Safe System Info Streams"
Click the "Scan" button
When it has finished scanning, checkmark/tick all that it found
Click the "remove selected" button

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dtlwd.dll/sp.html#44768

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C2CAFF59-2CB5-AC2F-01C3-DD7DBFA12089} - C:\WINDOWS\system32\netat.dll
O2 - BHO: Class - {D26AF2AB-0F2A-822B-1267-109C8769FEDC} - C:\WINDOWS\mskm.dll
O2 - BHO: Class - {EF566E13-6825-500A-957F-C72AD1DF5E45} - C:\WINDOWS\system32\msls.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [xp_system] C:\Program Files\TDS3\Ext.Sys\services.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipoj.exe] C:\WINDOWS\system32\ipoj.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\RunOnce: [ntau.exe] C:\WINDOWS\ntau.exe
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

C:\Program Files\MyWay\
C:\Program Files\SpyFighter\
C:\Program Files\TDS3\Ext.Sys\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Double-click the tmas-web-scan.exe icon
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis

Online scan

Antispyware.log

About Buster

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Dmvgal · 10-10-2005, 05:52 PM

when I launch Killbox and check delete on Reboot, there are no files to select.. it is blank Where do I find these files? I have done everything up to this point.

Ried · 10-10-2005, 08:55 PM

Hi,

What you want to do is this:

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\ntau.exe
C:\WINDOWS\system32\addlf.exe
C:\WINDOWS\system32\ipea32.exe
C:\WINDOWS\system32\winue32.exe
C:\WINDOWS\dtlwd.dll
C:\WINDOWS\system32\netat.dll
C:\WINDOWS\mskm.dll
C:\WINDOWS\system32\msls.dll
C:\WINDOWS\system32\ipoj.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [YES] at the Pending Operations prompt.

Then, continue with sUBs instructions.

Dmvgal · 10-10-2005, 09:33 PM

Okay we are slowing moving along. I unhooked from the internet and rebooted into safe mode, open the control panel and opened add/remove programs. I found Spyfighter, but it would not let me remove it in safe mode. I do not have MYWAY . Then I was thinking did you mean the program was Spyfighter myway? and since I did not have that I continued on and unzipped HSfix and then ro.reg. Then it asked me to open Hijack this and configure-misc tools, but I did not have anything called "open ADS spy"
Where do I go from here?

Ried · 10-10-2005, 09:48 PM

Hi,

The 'button' for ADSspy is under the Misc Tools, the fifth button down under the System Tools category on the left.

For SpyFighter and MyWay, try uninstalling them this way:

Open Hijackthis>Config>Misc Tools>Open Uninstall Manager. Look for those 2 programs in the list and remove from there.

Please continue with the rest of the fix.

Dmvgal · 10-11-2005, 04:59 PM

I think I have done everything. Here are the logs. They are too long so they will be in 2 posts

ogfile of HijackThis v1.99.1
Scan saved at 7:50:42 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\hijackthis\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.312\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/NASAp...x.jsp?c_id=nyy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ipea32.exe] C:\WINDOWS\system32\ipea32.exe
O4 - HKLM\..\Run: [winue32.exe] C:\WINDOWS\system32\winue32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099174164045
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activ...oadControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\hijackthis\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Settings'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Advanced'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'SOFTWARE\P2P Networking\Clients'
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found 'PMversion' in 'SOFTWARE\Altnet\Dashboard'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'Tmp' in 'Software\Kazaa'
Found 'Status' in 'Software\Kazaa\Advanced'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'Date' in 'Software\Kazaa\Settings'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'UseCount' in 'Software\Kazaa\Settings'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'Tmp' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'ShareDir' in 'SOFTWARE\Kazaa\CloudLoad'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\AppConf'
Found 'confset' in 'Software\AppConf'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\InprocServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}\1.0\HELPDIR'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\INSTAFINK'
Found '' in 'SOFTWARE\MyWay'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall'
Found '' in 'SOFTWARE\Classes\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown'
Found '' in 'SOFTWARE\Classes\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}'
Found '' in 'SOFTWARE\Classes\Interface\{508EBE65-E39D-4363-8041-E647B4F6F4E1}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Found 'Ab scissor.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Broadband comparison.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Credit counseling.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Credit report.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Crm software.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Debt credit card.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Escorts.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Fha.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Health insurance.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Help desk software.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Insurance home.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Loan for debt consolidation.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Loan for people with bad credit.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Marketing email.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Mortgage insurance.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Nevada corporations.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Online Betting Site.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Online gambling casino.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Online instant loan.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Order phentermine.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Payroll advance.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Personal loans online.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Personal loans with bad credit.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Prescription Drugs Rx Online.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Refinancing my mortgage.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Tahoe vacation rental.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Unsecured bad credit loans.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'Videos.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Found 'What is hydrocodone.url' in 'C:\Documents and Settings\Owner\Favorites\Sites about\'
Files and Directories
Found '' in 'C:\Program Files\Kazaa'
Found '' in 'C:\Program Files\Kazaa\BGP2P'
Found '' in 'C:\Program Files\Kazaa\Db'
Found 'np.tmp' in 'C:\Program Files\Kazaa\Db'
Found '' in 'C:\Program Files\Kazaa\My Shared Folder'
Found '' in 'C:\Program Files\MaxSpeed'
Found '' in 'C:\Program Files\MyWay'
Found '' in 'C:\Program Files\NewDotNet'
Found 'sepsd.bin' in 'C:\WINDOWS'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet\Dashboard'. Error=5.
Checking for 'C:\Program Files\Kazaa' in shortcut areas.
Checking for 'C:\Program Files\Kazaa' in startup areas.
Cleaning 'C:\Program Files\Kazaa'
Checking for 'C:\Program Files\Kazaa\BGP2P\plugins.htm' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\BGP2P\plugins.htm' in startup areas.
Cleaning 'C:\Program Files\Kazaa\BGP2P\plugins.htm'
Checking for 'C:\Program Files\Kazaa\BGP2P\versions.dat' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\BGP2P\versions.dat' in startup areas.
Cleaning 'C:\Program Files\Kazaa\BGP2P\versions.dat'
Checking for 'C:\Program Files\Kazaa\data\{025FF639-156F-D499-5053-B52AD31B11ED}' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\data\{025FF639-156F-D499-5053-B52AD31B11ED}' in startup areas.
Cleaning 'C:\Program Files\Kazaa\data\{025FF639-156F-D499-5053-B52AD31B11ED}'
Checking for 'C:\Program Files\Kazaa\data\{10239BE6-692B-3EDE-8ED5-B5A9BCEBBAA0}' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\data\{10239BE6-692B-3EDE-8ED5-B5A9BCEBBAA0}' in startup areas.
Cleaning 'C:\Program Files\Kazaa\data\{10239BE6-692B-3EDE-8ED5-B5A9BCEBBAA0}'
Checking for 'C:\Program Files\Kazaa\data\{5270E3A8-45ED-82BF-2792-B2D730F5F4CD}' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\data\{5270E3A8-45ED-82BF-2792-B2D730F5F4CD}' in startup areas.
Cleaning 'C:\Program Files\Kazaa\data\{5270E3A8-45ED-82BF-2792-B2D730F5F4CD}'
Checking for 'C:\Program Files\Kazaa\data\{89B2F3B1-1FEC-F9BB-D0A7-FD9CC5604955}' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\data\{89B2F3B1-1FEC-F9BB-D0A7-FD9CC5604955}' in startup areas.
Cleaning 'C:\Program Files\Kazaa\data\{89B2F3B1-1FEC-F9BB-D0A7-FD9CC5604955}'
Checking for 'C:\Program Files\Kazaa\Db\ctx4-050323.cab' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\ctx4-050323.cab' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\ctx4-050323.cab'
Checking for 'C:\Program Files\Kazaa\Db\data1024.dbb' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\data1024.dbb' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\data1024.dbb'
Checking for 'C:\Program Files\Kazaa\Db\data256.dbb' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\data256.dbb' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\data256.dbb'
Checking for 'C:\Program Files\Kazaa\Db\k7tqkgkk_tssv125.dat' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\k7tqkgkk_tssv125.dat' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\k7tqkgkk_tssv125.dat'
Checking for 'C:\Program Files\Kazaa\Db\np.tmp' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\np.tmp' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\np.tmp'
Checking for 'C:\Program Files\Kazaa\Db\ova4-050325.cab' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\ova4-050325.cab' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\ova4-050325.cab'
Checking for 'C:\Program Files\Kazaa\Db\tsi4-050323a.cab' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\tsi4-050323a.cab' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\tsi4-050323a.cab'
Checking for 'C:\Program Files\Kazaa\Db\tsi4-050323b.cab' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\tsi4-050323b.cab' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\tsi4-050323b.cab'
Checking for 'C:\Program Files\Kazaa\Db\tss4.cab' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\tss4.cab' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\tss4.cab'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\02 Number One Spot.wma' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\02 Number One Spot.wma' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\02 Number One Spot.wma'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\04 - Look At Me Now.mp3' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\04 - Look At Me Now.mp3' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\04 - Look At Me Now.mp3'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Akon Trouble 8 Lonely.mp3' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Akon Trouble 8 Lonely.mp3' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\Akon Trouble 8 Lonely.mp3'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\download111227428345394421.dat' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\download111227428345394421.dat' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\download111227428345394421.dat'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\download111227429645408156.dat' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\download111227429645408156.dat' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\download111227429645408156.dat'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Hate It or Love It [G-Unit Remix].wma' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Hate It or Love It [G-Unit Remix].wma' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\Hate It or Love It [G-Unit Remix].wma'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Hush.wma' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\Hush.wma' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\Hush.wma'
Checking for 'C:\Program Files\Kazaa\My Shared Folder\kazaa300_en.exe' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder\kazaa300_en.exe' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder\kazaa300_en.exe'
Checking for 'C:\Program Files\Kazaa\BGP2P' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\BGP2P' in startup areas.
Cleaning 'C:\Program Files\Kazaa\BGP2P'
[SCANMODS] The file 'C:\Program Files\Kazaa\BGP2P' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Kazaa\Db' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db'
[SCANMODS] The file 'C:\Program Files\Kazaa\Db' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Kazaa\Db\np.tmp' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\Db\np.tmp' in startup areas.
Cleaning 'C:\Program Files\Kazaa\Db\np.tmp'
[SCANMODS] The file 'C:\Program Files\Kazaa\Db\np.tmp' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Kazaa\My Shared Folder' in shortcut areas.
Checking for 'C:\Program Files\Kazaa\My Shared Folder' in startup areas.
Cleaning 'C:\Program Files\Kazaa\My Shared Folder'
[SCANMODS] The file 'C:\Program Files\Kazaa\My Shared Folder' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\MaxSpeed' in shortcut areas.
Checking for 'C:\Program Files\MaxSpeed' in startup areas.
Cleaning 'C:\Program Files\MaxSpeed'
Checking for 'C:\Program Files\MyWay' in shortcut areas.
Checking for 'C:\Program Files\MyWay' in startup areas.
Cleaning 'C:\Program Files\MyWay'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT'
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT'
Checking for 'C:\Program Files\MyWay\myBar\Cache\055C2CAC' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Cache\055C2CAC' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Cache\055C2CAC'
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF145.bin' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF145.bin' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Cache\0ADFF145.bin'
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF26E.bin' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF26E.bin' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Cache\0ADFF26E.bin'
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF396.bin' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Cache\0ADFF396.bin' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Cache\0ADFF396.bin'
Checking for 'C:\Program Files\MyWay\myBar\Cache\files.ini' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Cache\files.ini' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Cache\files.ini'
Checking for 'C:\Program Files\MyWay\myBar\History\search' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\History\search' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\History\search'
Checking for 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm' in shortcut areas.
Checking for 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm' in startup areas.
Cleaning 'C:\Program Files\MyWay\myBar\Settings\prevcfg.htm'
Checking for 'C:\Program Files\NewDotNet' in shortcut areas.
Checking for 'C:\Program Files\NewDotNet' in startup areas.
Cleaning 'C:\Program Files\NewDotNet'
Checking for 'C:\WINDOWS\sepsd.bin' in shortcut areas.
Checking for 'C:\WINDOWS\sepsd.bin' in startup areas.
Cleaning 'C:\WINDOWS\sepsd.bin'
Finished Cleaning

ewido security suite - Process report
---------------------------------------------------------

+ Created on: 5:30:01 PM, 10/11/2005
+ Report-Checksum: D0C1CFB2

0: System Process
4: System Process
124: C:\Program Files\hijackthis\security suite\ewidoctrl.exe
152: C:\WINDOWS\system32\nvsvc32.exe
172: C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
216: C:\WINDOWS\System32\svchost.exe
240: C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
260: C:\WINDOWS\System32\wdfmgr.exe
288: C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
332: C:\WINDOWS\system32\dla\tfswctrl.exe
440: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
652: C:\WINDOWS\System32\MsPMSPSv.exe
760: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
772: C:\WINDOWS\Explorer.EXE
816: C:\WINDOWS\System32\alg.exe
836: \SystemRoot\System32\smss.exe
888: \??\C:\WINDOWS\system32\csrss.exe
908: C:\HP\KBD\KBD.EXE
968: \??\C:\WINDOWS\system32\winlogon.exe
1012: C:\WINDOWS\system32\services.exe
1024: C:\WINDOWS\system32\lsass.exe
1112: C:\Program Files\QuickTime\qttask.exe
1152: C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
1168: C:\Program Files\hijackthis\security suite\SecuritySuite.exe
1240: C:\WINDOWS\system32\svchost.exe
1312: C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
1332: C:\WINDOWS\system32\svchost.exe
1384: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
1448: C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
1464: C:\WINDOWS\System32\svchost.exe
1568: C:\WINDOWS\System32\svchost.exe
1668: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
1736: C:\WINDOWS\System32\svchost.exe
1908: C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
1916: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
1928: C:\WINDOWS\system32\spoolsv.exe
2008: C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
2028: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
2052: C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
2056: C:\WINDOWS\system32\S3apphk.exe
2176: C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
2240: C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
2252: C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe
2436: C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
2444: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
2480: C:\Program Files\SpywareGuard\sgmain.exe
2540: C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
2632: C:\windows\system\hpsysdrv.exe
2648: C:\HP\KBD\KBD.EXE
2664: C:\WINDOWS\system32\dla\tfswctrl.exe
2708: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
2712: C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
2800: C:\WINDOWS\system32\S3apphk.exe
2816: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
2824: C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
2836: C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
2876: C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
2884: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
2908: C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
2944: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
2948: C:\WINDOWS\system32\HPZipm12.exe
2972: C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe
2980: C:\Program Files\Java\jre1.5.0\bin\jusched.exe
2988: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
2996: C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
3004: C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
3020: C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
3044: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
3056: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
3080: C:\Program Files\iTunes\iTunesHelper.exe
3088: C:\Program Files\QuickTime\qttask.exe
3096: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
3164: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
3172: C:\Program Files\iPod\bin\iPodService.exe
3180: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
3276: C:\Program Files\AIM\aim.exe
3348: C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
3364: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
3408: C:\WINDOWS\Explorer.EXE
3440: \??\C:\WINDOWS\system32\csrss.exe
3460: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
3496: C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
3604: C:\windows\system\hpsysdrv.exe
3728: \??\C:\WINDOWS\system32\winlogon.exe
3884: C:\Program Files\Java\jre1.5.0\bin\jusched.exe
3904: C:\Program Files\SpywareGuard\sgbhp.exe
3968: C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

Dmvgal · 10-11-2005, 05:04 PM

and here is the rest:

ncident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkag32.exe
Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Patrick\Favorites\SITES ABOUT\Ab scissor.url
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/cws No disinfected C:\Documents and Settings\Patrick\Favorites\Free Online Dating.url
Adware:adware/searchaid No disinfected C:\Documents and Settings\Patrick\Favorites\Only sex website.url
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:spyware/new.net No disinfected C:\PROGRAM FILES\NewDotNet
Adware:adware/quicksearch No disinfected C:\PROGRAM FILES\QuickSearch
Spyware:spyware/heterofind No disinfected C:\spe
Adware:adware/cws.yexe No disinfected C:\WINDOWS\inetdim
Adware:adware/iedriver No disinfected Windows Registry
Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Adware:adware/powerscan No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[VerifierBug.class]
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041113-164537-630.inf
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041114-115148-880.inf
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041114-131858-353.inf
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[Installer.class]

sUBs · 10-11-2005, 05:21 PM

Follow the instructions outlined here to clear Sun Java's cache.

Uninstall these programs, if present, using Add/Remove Programs:

NewNet /NewDotNet
Quick Search

Have HijackThis fix these entries:

O4 - HKLM\..\Run: [ipea32.exe] C:\WINDOWS\system32\ipea32.exe
O4 - HKLM\..\Run: [winue32.exe] C:\WINDOWS\system32\winue32.exe

Next, locate & delete these files/folders:

C:\PROGRAM FILES\NewDotNet
C:\PROGRAM FILES\QuickSearch
C:\spe
C:\WINDOWS\inetdim

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\SYSTEM32\sdkag32.exe
C:\Documents and Settings\Patrick\Favorites\SITES ABOUT\Ab scissor.url
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\Documents and Settings\Patrick\Favorites\Free Online Dating.url
C:\Documents and Settings\Patrick\Favorites\Only sex website.url
C:\WINDOWS\sepsd.bin
C:\WINDOWS\smdat32a.sys
C:\spe
C:\WINDOWS\inetdim
C:\WINDOWS\system32\ipea32.exe
C:\WINDOWS\system32\winue32.exe

Launch KillBox.exe
Go to the File menu, and choose Paste from Clipboard
Select the following options:

delete on Reboot

Then, click on the dropdown menu next to Full Path of File to Delete field.
Verify that the filenames you pasted are found there
Click the RED X button.
Click Yes at the Delete on Reboot prompt.
Click Yes at the 'Pending Operations prompt'.

Post a new HJT log after you have rebooted.

Dmvgal · 10-12-2005, 04:14 AM

I think everything looks good

Logfile of HijackThis v1.99.1
Scan saved at 7:13:02 AM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\hijackthis\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/NASAp...x.jsp?c_id=nyy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099174164045
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activ...oadControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\hijackthis\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

sUBs · 10-12-2005, 06:29 AM

Your system is clean. Please follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

Dmvgal · 10-12-2005, 02:02 PM

Thank you for your help!

10-10-2005, 12:36 PM	#1 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	virsuses Hi I am hoping you can help me. It seems that all of a sudden, I am getting a ton of viruses and BHO's. I am running windows xp and have ez firewall/antivirus from computer associates running. I have also run adaware 1.0.6.0. and spyware guard, but nothing is helping. I have spyfighter and it keeps popping up with a new BHO every few minutes. I keep scanning for viruses and more just come out of the wood work. My last virus scan showed 40 viruses under all the users on the computer They seem to be "installer.class;dummy.class; insecure.class;virifier.bug.class;a.class;getaccess.class;blackbox.class; vb.class and beyond.class" and they all seem to be a Javabyte verify exploit trojan, or a Java, shinwow.AM trojan. How can I stop these, other than shooting my husband and adult boys for going to some sites I know they should not go to. I have downloaded and run the newest version of hijack this along with the analyzer and have attached a copy. Thanks for your tiime. Michele ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 3:24:26 PM, on 10/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\ntau.exe C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe C:\Program Files\SpyFighter\SpyFighter.exe C:\WINDOWS\system32\addlf.exe C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe C:\WINDOWS\system32\ipea32.exe C:\WINDOWS\system32\winue32.exe C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\HijackThis.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.406\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/NASAp...x.jsp?c_id=nyy R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dtlwd.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - Default URLSearchHook is missing O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O2 - BHO: Class - {C2CAFF59-2CB5-AC2F-01C3-DD7DBFA12089} - C:\WINDOWS\system32\netat.dll O2 - BHO: Class - {D26AF2AB-0F2A-822B-1267-109C8769FEDC} - C:\WINDOWS\mskm.dll O2 - BHO: Class - {EF566E13-6825-500A-957F-C72AD1DF5E45} - C:\WINDOWS\system32\msls.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart O4 - HKLM\..\Run: [xp_system] C:\Program Files\TDS3\Ext.Sys\services.exe O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe" O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe O4 - HKLM\..\Run: [ipoj.exe] C:\WINDOWS\system32\ipoj.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\RunOnce: [ntau.exe] C:\WINDOWS\ntau.exe O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099174164045 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activ...oadControl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe End of KRC HijackThis Analyzer Log. ====================================================================

10-10-2005, 08:55 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi, What you want to do is this: Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\WINDOWS\ntau.exe C:\WINDOWS\system32\addlf.exe C:\WINDOWS\system32\ipea32.exe C:\WINDOWS\system32\winue32.exe C:\WINDOWS\dtlwd.dll C:\WINDOWS\system32\netat.dll C:\WINDOWS\mskm.dll C:\WINDOWS\system32\msls.dll C:\WINDOWS\system32\ipoj.exe Start KillBox. Go to the File menu, and choose Paste from Clipboard. Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there. Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File * Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [YES] at the Pending Operations prompt. Then, continue with sUBs instructions. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-10-2005, 09:48 PM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi, The 'button' for ADSspy is under the Misc Tools, the fifth button down under the System Tools category on the left. For SpyFighter and MyWay, try uninstalling them this way: Open Hijackthis>Config>Misc Tools>Open Uninstall Manager. Look for those 2 programs in the list and remove from there. Please continue with the rest of the fix. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-11-2005, 05:21 PM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,238 OS: N/A	Follow the instructions outlined here to clear Sun Java's cache. Uninstall these programs, if present, using Add/Remove Programs: NewNet /NewDotNet Quick Search Have HijackThis fix these entries: O4 - HKLM\..\Run: [ipea32.exe] C:\WINDOWS\system32\ipea32.exe O4 - HKLM\..\Run: [winue32.exe] C:\WINDOWS\system32\winue32.exe Next, locate & delete these files/folders: C:\PROGRAM FILES\NewDotNet C:\PROGRAM FILES\QuickSearch C:\spe C:\WINDOWS\inetdim Select all the filenames below & then right-click & select Copy C:\WINDOWS\SYSTEM32\sdkag32.exe C:\Documents and Settings\Patrick\Favorites\SITES ABOUT\Ab scissor.url C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho C:\Documents and Settings\Patrick\Favorites\Free Online Dating.url C:\Documents and Settings\Patrick\Favorites\Only sex website.url C:\WINDOWS\sepsd.bin C:\WINDOWS\smdat32a.sys C:\spe C:\WINDOWS\inetdim C:\WINDOWS\system32\ipea32.exe C:\WINDOWS\system32\winue32.exe Launch KillBox.exe Go to the File menu, and choose Paste from Clipboard Select the following options: delete on Reboot Then, click on the dropdown menu next to Full Path of File to Delete field. Verify that the filenames you pasted are found there Click the RED X button. Click Yes at the Delete on Reboot prompt. Click Yes at the 'Pending Operations prompt'. Post a new HJT log after you have rebooted. __________________

10-12-2005, 06:29 AM	#11 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,238 OS: N/A	Your system is clean. Please follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Weather Watcher - Free taskbar weather program that is free, malware free, and resource light. Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________

10-10-2005, 05:52 PM	#3 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	when I launch Killbox and check delete on Reboot, there are no files to select.. it is blank Where do I find these files? I have done everything up to this point.

10-10-2005, 09:33 PM	#5 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	Okay we are slowing moving along. I unhooked from the internet and rebooted into safe mode, open the control panel and opened add/remove programs. I found Spyfighter, but it would not let me remove it in safe mode. I do not have MYWAY . Then I was thinking did you mean the program was Spyfighter myway? and since I did not have that I continued on and unzipped HSfix and then ro.reg. Then it asked me to open Hijack this and configure-misc tools, but I did not have anything called "open ADS spy" Where do I go from here?

10-11-2005, 05:04 PM	#8 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	and here is the rest: ncident Status Location Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkag32.exe Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Patrick\Favorites\SITES ABOUT\Ab scissor.url Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho Adware:adware/cws No disinfected C:\Documents and Settings\Patrick\Favorites\Free Online Dating.url Adware:adware/searchaid No disinfected C:\Documents and Settings\Patrick\Favorites\Only sex website.url Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys Spyware:spyware/new.net No disinfected C:\PROGRAM FILES\NewDotNet Adware:adware/quicksearch No disinfected C:\PROGRAM FILES\QuickSearch Spyware:spyware/heterofind No disinfected C:\spe Adware:adware/cws.yexe No disinfected C:\WINDOWS\inetdim Adware:adware/iedriver No disinfected Windows Registry Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC Adware:adware/powerscan No disinfected Windows Registry Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[a.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-35a00785.zip[VerifierBug.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[GetAccess.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[InsecureClassLoader.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-5f0480da.zip[Installer.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[GetAccess.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[InsecureClassLoader.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-7f478efc.zip[Installer.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[a.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Joel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-5908667c.zip[VerifierBug.class] Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041113-164537-630.inf Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041114-115148-880.inf Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\My Documents\Moms Stuff\hijackthis\backups\backup-20041114-131858-353.inf Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[BlackBox.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[VB.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5fdfa9fc-6c951b17.zip[Beyond.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[GetAccess.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[InsecureClassLoader.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-28b7c93d-53d74786.zip[Installer.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[GetAccess.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[InsecureClassLoader.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-104920fc.zip[Installer.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[GetAccess.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[InsecureClassLoader.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7660c386-455c69dc.zip[Installer.class]

10-12-2005, 04:14 AM	#10 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	I think everything looks good Logfile of HijackThis v1.99.1 Scan saved at 7:13:02 AM, on 10/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe C:\Program Files\hijackthis\security suite\ewidoctrl.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\system32\S3apphk.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe C:\Program Files\Java\jre1.5.0\bin\jusched.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\hp center\137903\Program\BackWeb-137903.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Common Files\AOL\1128096398\ee\AOLServiceHost.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\HP\hpcoretech\comp\hpdarc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/NASAp...x.jsp?c_id=nyy R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [S3apphk] S3apphk.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe" O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128096398\ee\AOLHostManager.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099174164045 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activ...oadControl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\hijackthis\security suite\ewidoctrl.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

10-12-2005, 02:02 PM	#12 (permalink)
Dmvgal Registered User Join Date: Nov 2004 Location: new york state Posts: 55 OS: Windows xp home	Thank you for your help!