#1 (permalink)

Registered User
Join Date: Mar 2006
Posts: 102
OS: XP, Vista Home & Ultimate / Ubuntu "Hardy Heron"

Slow Laptop - Adware-FlashGet detected (McAfee Online Scan)

Problem 1: It's a Dell. (Inspiron 2600)
Problem 2: It's waiting for the upgrade memory to arrive (to take it from a puny 128mb to a semi-respectable 512mb).
Problem 3: There's a bit of stuff that's "important" to my wife installed on it.

I also found something called "Adware-FlashGet" while running the online scan from McAfee's website. Not sure how much of a problem that's actually causing (if any). Mainly I'm just trying to get this thing running at a decent speed (the main problem is my desktop smokes her laptop by enough that she's getting envious). I'm considering buying a 16mb Nvidia video card for it that I saw on eBay... not sure whether I'm going to do that or not. I'm hoping that there's some ultra-sneaky malware or something easily fixable that's bogging this thing down. It seems like something it runs in the background has a wicked memory leak - most definitely begins running progressively worse the longer it's on.

Logfile of HijackThis v1.99.1
Scan saved at 5:57:58 PM, on 4/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kiwibox.com/default.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MSOffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MSOffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/def...andaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/def...GameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/def...caploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141189956876
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/def...ebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

EDIT: Just in case anyone asks, I followed the directions stickied in the forum to the letter.

Last edited by Spektyr; 04-01-2006 at 04:01 PM.

#2 (permalink)

Analyst, Security Team

Laptops just don't perform as well as desktops...is that video card compatible with the laptop? Usually the video card that's in the laptop stays in...I don't recall users upgrading this part in a laptop. Usually only memory is upgradeable.

For the Adware Flashget found by McAfee, did it mention any filename and location? I don't see anything much in the log.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R3 - Default URLSearchHook is missing

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm
* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply along with a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#3 (permalink)

Registered User
Join Date: Mar 2006
Posts: 102
OS: XP, Vista Home & Ultimate / Ubuntu "Hardy Heron"

Yeah, the video card I'm looking at buying was pulled from a Dell Inspiron 2600 - it's the upgrade option that wasn't opted for on the laptop my wife owns. A complete pull (three parts) should supply a complete replacement, and then it would just be a matter of drivers, right?

Basically I'm not planning on getting it if it's not really cheap (cheap enough that if it turns out to be useless I'm going to be kicking myself.)

The Adware Flashget McAfee saw was in the registry, but it didn't say where exactly. (It did, but there were ellipses in the displayed path, and I couldn't see how to get it to be more specific.)

Here's the report:

Incident   Status   Location

Adware:adware/tvmedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\tvmknwrd.dll
Adware:adware/keenvalue   Not disinfected   C:\WINDOWS\BROWSERXTRAS\PN\remove.exe
Spyware:application/bestoffer   Not disinfected   C:\WINDOWS\smdat32m.sys
Spyware:spyware/sysren   Not disinfected   Windows Registry
Potentially unwanted tool:application/myway   Not disinfected   HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Spyware:Cookie/QuestionMarket   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Advertising   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Falkag   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Mediaplex   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Casalemedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bs.serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/YieldManager   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adserver   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Bluestreak   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/2o7   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Traffic Marketplace   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Com.com   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitbox   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Entrepreneur   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Statcounter   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atwola   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Bfast   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Coremetrics   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Maxserving   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/24/7 Realmedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Valueclick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Overture   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.perf.overture.com/]
Adware:Adware/KeenValue   Not disinfected   C:\WINDOWS\browserxtras\pn\remove.exe
Spyware:Cookie/QuestionMarket   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[]
Spyware:Spyware/BetterInet   Not disinfected   C:\Program Files\Common Files\SearchUpgrader\system.cfg

#4 (permalink)

Analyst, Security Team

Go into Firefox and clear the internet temp files (Clear Private Data under the Tools menu I think).

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Delete these:

C:\Documents and Settings\Chris\Application Data\tvmknwrd.dll
C:\WINDOWS\BROWSERXTRAS\
C:\WINDOWS\smdat32m.sys
C:\Program Files\Common Files\SearchUpgrader\

Restart and run a new Panda scan. Post the log here.

That entry found by McAfee was probably not harmful. Did you at least get the registry key name at the end? We can at least search for that and remove it.

#5 (permalink)

Registered User
Join Date: Mar 2006
Posts: 102
OS: XP, Vista Home & Ultimate / Ubuntu "Hardy Heron"

Here's the new Panda log.

Incident   Status   Location

Spyware:spyware/sysren   Not disinfected   Windows Registry
Spyware:Cookie/QuestionMarket   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Statcounter   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.advertising.com/]
Spyware:Cookie/BurstNet   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstBeacon   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Casalemedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/2o7   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Falkag   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/PointRoll   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bs.serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/YieldManager   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adserver   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Bluestreak   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Traffic Marketplace   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Com.com   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitbox   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Entrepreneur   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Atwola   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Bfast   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Coremetrics   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Maxserving   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/24/7 Realmedia   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Valueclick   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Overture   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket   Not disinfected   C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[]

I'll try the McAfee again, but it didn't give useful information last time. It named the problem (Adware-FlashGet) and gave a filepath with "..." in the middle partially obscuring the ending of the first part of the path and the beginning of the first part of the destination. So I know it's in the registry simply because no other folder in the computer starts out with the same words.

#6 (permalink)

Registered User
Join Date: Mar 2006
Posts: 102
OS: XP, Vista Home & Ultimate / Ubuntu "Hardy Heron"

Update: McAfee says the Adware-FlashGet is at "C:\System Volume Information\...\A0210058.exe"

Searching the registry for A0210058 yields no results. Same with a general search of the hard drive. Perhaps McAfee has been dipping into the McLSD?

Last edited by Spektyr; 04-02-2006 at 12:36 PM.

#7 (permalink)

Analyst, Security Team

Perfect...that's more than enough information for us. It's in the System Restore point.

Let's remove it now. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Empty out your Firefox temp files.

Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
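The sorting the analyst does across posts #4 to #7, deciding from each hit's location whether it is a tracking cookie, a registry entry, a System Restore copy or a live file, written out as an added example that is not part of the original thread. The function names are this example's own, the sample rows are a constructed subset of the two Panda reports, and treating any path under `System Volume Information` as a restore-point copy is the assumption post #7 makes.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the two Panda reports in this thread,
# with the cookie rows cut down to two.
SCAN_BEFORE = r"""
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Chris\Application Data\tvmknwrd.dll
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Spyware:spyware/sysren Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.247realmedia.com/]
"""
SCAN_AFTER = r"""
Spyware:spyware/sysren Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\w9fd92jm.default\cookies.txt[.247realmedia.com/]
"""
MCAFEE_PATH = r"C:\System Volume Information\...\A0210058.exe"  # as quoted in post #6

# Incident names contain spaces and slashes ("Cookie/24/7 Realmedia"), so split
# on the status column instead of on whitespace. Only the one status that
# appears in this thread is handled.
ROW = re.compile(r"^(?P<incident>.+?)\s+Not disinfected\s+(?P<location>.+)$")
COOKIE = re.compile(r"cookies\.txt\[(?P<domain>[^\]]*)\]$", re.IGNORECASE)
RESTORE = re.compile(r"^[a-z]:\\system volume information\\", re.IGNORECASE)

# Follow-up per kind, paraphrasing the steps given in posts #4 and #7.
NEXT_STEP = {
    "cookie": "clear the browser's private data",
    "registry": "export a registry backup, then remove the named key",
    "restore-point": "turn System Restore off, restart, turn it back on",
    "file": "delete the file or folder, then rescan",
}


def classify_location(location):
    """Return (kind, detail) for the Location column of a scanner report."""
    loc = location.strip()
    cookie = COOKIE.search(loc)
    if cookie:
        return "cookie", cookie.group("domain").strip("./")
    if loc == "Windows Registry" or loc.upper().startswith("HKEY_"):
        return "registry", loc
    if RESTORE.match(loc):
        return "restore-point", loc
    return "file", loc


def parse_report(text):
    """Parse 'Incident Status Location' rows into dicts, skipping other lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind, detail = classify_location(m.group("location"))
        rows.append({"incident": m.group("incident"), "kind": kind, "detail": detail})
    return rows


def triage(text):
    """Count detections per kind."""
    return Counter(row["kind"] for row in parse_report(text))


def cleared(before, after):
    """Incidents (lower-cased) present in the first scan and gone in the second."""
    def key(row):
        return (row["incident"].lower(), row["kind"], row["detail"].lower())
    still = {key(row) for row in parse_report(after)}
    return sorted({key(row)[0] for row in parse_report(before) if key(row) not in still})


if __name__ == "__main__":
    print(dict(triage(SCAN_BEFORE)))
    print("cleared by the cleanup:", cleared(SCAN_BEFORE, SCAN_AFTER))
    kind, _ = classify_location(MCAFEE_PATH)
    print(MCAFEE_PATH, "->", kind, "->", NEXT_STEP[kind])
```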

#8 (permalink)

Registered User
Join Date: Mar 2006
Posts: 102
OS: XP, Vista Home & Ultimate / Ubuntu "Hardy Heron"

Everything seems fine... hard to say if it's going any quicker than before, but I'm not really expecting much from a laptop trying to chug through XP on a scant 128mb of RAM and a 1GHz processor.

Once I drop the 512mb in there it ought to perk up. Thanks.