Just Checking My Other Computer and Found Virus

Rabbit77 · 04-02-2006, 03:46 PM

Hi there i was about to install the anti virus ware you suggested on my other computer and thought i better do a scan first to make sure this one was clean and this is what i got :

Logfile of HijackThis v1.99.1
Scan saved at 7:34:52 AM, on 03/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10292&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Application Data\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PS2 Keyboard English Edition.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c3.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15bc51aa2aa92cd...p/RdxIE601.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

This is what panda scan picked up :

Incident Status Location

Virus:Trj/Downloader.FDU Disinfected Operating system
Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\SYSTEM32\NFOMON\NFOMON.EXE
Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfomon.exe
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccK.exe
Adware:adware/wupd Not disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.6.inf
Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\UNINSTALL INFORMATION\RemoveDisplayUtility.exe
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\thin-143-1-x-x.exe
Potentially unwanted tool:application/myway Not disinfected C:\PROGRAM FILES\MyWay
Adware:adware/navhelper Not disinfected C:\PROGRAM FILES\NavExcel
Spyware:spyware/rxtoolbar Not disinfected C:\PROGRAM FILES\RXToolBar
Adware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\ADM.EXE
Adware:adware/cws.aboutblank Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@112.2o7[1].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ad.yieldmanager[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as-eu.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@belnk[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@com[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@delfinproject[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@overture[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@questionmarket[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@revenue[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@rn11[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@sel.as-eu.falkag[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@zedo[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@112.2o7[1].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ad.yieldmanager[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as-eu.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@belnk[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@com[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@delfinproject[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@overture[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@questionmarket[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@revenue[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@rn11[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@sel.as-eu.falkag[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@zedo[2].txt
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccK.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
Adware:Adware/KeenValue Not disinfected C:\WINDOWS\Downloaded Program Files\imloader.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\gkxhngt.exe
Possible Virus. Not disinfected C:\WINDOWS\izrdiyyez.exe
Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfo.ocx
Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfomon.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\thin-143-1-x-x.exe
Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005

Please Help!!

Cheers Rabbit77

Ried · 04-03-2006, 12:02 PM

Hello Rabbit77,

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

**************************************************************

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download the ISTBar removal tool from Symantec into it's own folder. Do not run it yet.

Download the attached regdel.zip file to your desktop. Do not run it yet.

**************************************************************

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

AdwareAlert
Media Access
MyWay
NavExcel
RXToolBar
NEED2FIND

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c3.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15bc51aa2aa92cd...p/RdxIE601.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

Click 'Fix Checked' and close HijackThis.

---------------------------

Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK.

Delete the following Files and Folders if they still exist.

C:\Program Files\Media Access
C:\Program Files\AdwareAlert
C:\PROGRAM FILES\MyWay
C:\PROGRAM FILES\NavExcel
C:\PROGRAM FILES\RXToolBar
C:\PROGRAM FILES\ NEED2FIND
C:\WINDOWS\SYSTEM32\NFOMON
C:\PROGRAM FILES\COMMON FILES\Totem Shared
C:\WINDOWS\SYSTEM32\ide21201.vxd
C:\PROGRAM FILES\COMMON FILES\UNINSTALL INFORMATION\RemoveDisplayUtility.exe
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\thin-143-1-x-x.exe
C:\WINDOWS\gkxhngt.exe
C:\WINDOWS\izrdiyyez.exe
C:\WINDOWS\tmlpcert2005
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
C:\WINDOWS\Downloaded Program Files\imloader.exe
C:\WINDOWS\Downloaded Program Files\m67m.inf

Click Start>Run and copy/paste regsvr32 occache.dll and click OK.

**************************************************************

Double click on the regdel.zip folderyou downloaded to your desktop earlier. Now double click on the .reg file within. Click yes to allow it to merge into your registry.

---------------------------

Run ISTBar removal tool.
Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation

---------------------------

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

**************************************************************

Reboot into Normal Mode.

---------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

**A box may appear asking you for a Password, click 'Cancel'
Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log and the results of the Ewido scan.

Rabbit77 · 04-04-2006, 07:39 PM

Hi Ried,

Most of those files that you asked me to delete were there just like you said. Thanks for your help. Here are the scan reports :

EWIDO :
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:38:07 AM, 05/04/06
+ Report-Checksum: C3C16759

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1 -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\motoin -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\aurora -> Adware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup
HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\RX Toolbar -> Adware.RXToolbar : Cleaned with backup

::Report End

PANDA SCAN :

Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\WINDOWS\SYSTEM32\vidmon
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Spyware:spyware/adclicker Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\backups\backup-20060405-091733-717.inf

and finally :

HIJACK THIS LOG :

Logfile of HijackThis v1.99.1
Scan saved at 11:38:51 AM, on 05/04/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Delux\PS2 Keyboard English Edition\keyboard.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Application Data\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PS2 Keyboard English Edition.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Once again thanks for your continued help

Rabbit77

Ried · 04-04-2006, 09:23 PM

Hi,

Looking much better.

Delete the following:

C:\WINDOWS\SYSTEM32\vidmon

If it gives you trouble, boot into Safe Mode and delete it from there.

---------------------------

Did you download and run the regdel.zip I attached to my previous post?

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and past the List from the notebook here.

Rabbit77 · 04-05-2006, 02:24 AM

Hi Ried,

I deleted the file C:\WINDOWS\SYSTEM32\vidmon. I already had run regdel.zip, but forgot to mention it sorry.

This is the file you requested from Hijack This :

AC3Filter (remove only)
Ad-aware 6 Personal
Adobe Acrobat 5.0
Ahead InCD
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
aspi
AVG Free Edition
AVIcodec (remove only)
Brother's Keeper 6.1
Bug Doctor 3.0.3.3
Canon CanoScan Toolbox 4.1
CCHelp
CCleaner (remove only)
CCScore
CleanUp!
C-Media 3D Audio
C-Media WDM Audio Driver
CR2
DivX
DivX Converter
DivX Player
DivX Web Player
D-Link DSL-200 ADSL Modem
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Elecard MPEG2 Player Version 2.0 beta
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
ewido anti-malware
FreeUndelete
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
IncrediMail Xe
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
KSU
Lexmark Z600 Series
Macromedia Flash Player 8
Manual CanoScan LiDE 50
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 97
Nero OEM
NeroVision Express 2
Notifier
OmniPage SE
OTtBP
Panda ActiveScan
PCDLNCH
PCI SoftV92 Modem
PowerDVD
Presto! PageManager 6
PS2 Keyboard English Edition
Punter's Professional
Punter's Professional (C:\Program Files\Punter's Professional\)
QuickTime
QuickTime 3.0
RealPlayer
Registry First Aid
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SFR
SFR2
Shareaza version 2.2.1.0
Shockwave
SiS 650_650GL_650GX_651
SiS 650_651_M650_740
SiS 900 PCI Fast Ethernet Adapter Driver
SoftK56 Data Fax Voice Speakerphone CARP
Spybot - Search & Destroy 1.3
TopSearch
Ulead Photo Express 3.0 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
WebDP 2.07
Windows Blaster Worm Removal Tool (KB833330)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

Thanx for all your help
Cheers Rabbit77.

Ried · 04-05-2006, 06:59 AM

Hi,

Go into your Add/Remove panel and uninstall the following:

TopSearch

----------------------------------

Delete it's folder if it still exists:

C:\Program Files\ TopSearch

********************************************

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to the following keys and delete the file/folder/entry I highlighted in RED

HKEY_LOCAL_MACHINE\SOFTWARE\ NEED2FIND
HKEY_CLASSES_ROOT\CLSID\ {147A976E-EEE1-4377-8EA7-4716E4CDD239}

If the above registry keys are giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

********************************************

Reboot your system. Run the online scan at Panda again and post the results here so we can be sure those registry entries are gone.

How is your system behaving now?

Rabbit77 · 04-06-2006, 03:41 PM

Hi Ried,

Yeah system is behaving alot better now. My wife had gotten into some sort of advertising thing on the net and ever after that we were getting pop up ads. Computer good now thanx to you. Here is results of panda :

Incident Status Location

Spyware:spyware/media-motor Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as1.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hotlog[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@yadro[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as1.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hotlog[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@yadro[2].txt
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\backups\backup-20060405-091733-717.inf

Cheers Rabbit77

Ried · 04-07-2006, 06:52 AM

Hi Rabbit77,

I'm sure she's figured out now that you have to be careful with any of those sites that want you to help them with 'advertising' or 'marketing' or 'surveys'.

Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies

Your logs are clean now.

Please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Rabbit77 · 04-08-2006, 02:11 AM

Hi Ried,

Thanks for all your help, i have installed the programs you recommended. Keep up the good work.

Rabbit77

04-02-2006, 03:46 PM	#1 (permalink)
Rabbit77 Registered User Join Date: Mar 2006 Posts: 17 OS: XP	Just Checking My Other Computer and Found Virus Hi there i was about to install the anti virus ware you suggested on my other computer and thought i better do a scan first to make sure this one was clean and this is what i got : Logfile of HijackThis v1.99.1 Scan saved at 7:34:52 AM, on 03/04/06 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\WINDOWS\system32\carpserv.exe C:\WINDOWS\htpatch.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\Program Files\Media Access\MediaAccK.exe C:\Program Files\Media Access\MediaAccess.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\nfomon\nfomon.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\D-Link\DSL-200\dslstat.exe C:\Program Files\D-Link\DSL-200\dslagent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10292&ttid=104 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F2 - REG:system.ini: Shell= F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Application Data\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PS2 Keyboard English Edition.lnk = ? O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c3.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15bc51aa2aa92cd...p/RdxIE601.cab O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4 O17 - HKLM\System\CS1\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4 O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE This is what panda scan picked up : Incident Status Location Virus:Trj/Downloader.FDU Disinfected Operating system Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\SYSTEM32\NFOMON\NFOMON.EXE Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfomon.exe Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccC.dll Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccess.exe Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccK.exe Adware:adware/wupd Not disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.6.inf Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\UNINSTALL INFORMATION\RemoveDisplayUtility.exe Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys Spyware:spyware/betterinet Not disinfected C:\WINDOWS\thin-143-1-x-x.exe Potentially unwanted tool:application/myway Not disinfected C:\PROGRAM FILES\MyWay Adware:adware/navhelper Not disinfected C:\PROGRAM FILES\NavExcel Spyware:spyware/rxtoolbar Not disinfected C:\PROGRAM FILES\RXToolBar Adware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared Spyware:spyware/media-motor Not disinfected Windows Registry Potentially unwanted tool:application/need2find Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\ADM.EXE Adware:adware/cws.aboutblank Not disinfected Windows Registry Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@112.2o7[1].txt Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@247realmedia[1].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ad.yieldmanager[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as-eu.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@belnk[1].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@clickbank[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@com[1].txt Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@delfinproject[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@dist.belnk[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg.hitbox[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[1].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@media.fastclick[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@microsofteup.112.2o7[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@overture[2].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@questionmarket[2].txt Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@revenue[2].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@rn11[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@sel.as-eu.falkag[2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@serving-sys[2].txt Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@stat.onestat[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@statcounter[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@www.myaffiliateprogram[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@zedo[2].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@112.2o7[1].txt Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@247realmedia[1].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ad.yieldmanager[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as-eu.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@belnk[1].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@clickbank[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@com[1].txt Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@delfinproject[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@dist.belnk[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg.hitbox[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[1].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@media.fastclick[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@microsofteup.112.2o7[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@overture[2].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@questionmarket[2].txt Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@revenue[2].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@rn11[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@sel.as-eu.falkag[2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@serving-sys[2].txt Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@stat.onestat[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@statcounter[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@www.myaffiliateprogram[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@zedo[2].txt Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccC.dll Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccess.exe Adware:Adware/WUpd Not disinfected C:\Program Files\Media Access\MediaAccK.exe Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf Adware:Adware/KeenValue Not disinfected C:\WINDOWS\Downloaded Program Files\imloader.exe Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf Adware:Adware/Transponder Not disinfected C:\WINDOWS\gkxhngt.exe Possible Virus. Not disinfected C:\WINDOWS\izrdiyyez.exe Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfo.ocx Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\system32\nfomon\nfomon.exe Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\thin-143-1-x-x.exe Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005 Please Help!! Cheers Rabbit77

04-03-2006, 12:02 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,016 OS: WinXP and Vista	Hello Rabbit77, Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. ************************************************************ Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. Download the ISTBar removal tool from Symantec into it's own folder. Do not run it yet. Download the attached regdel.zip file to your desktop. Do not run it yet. ********************************************************** Go to My Computer->Tools->Folder Options->View** tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: AdwareAlert Media Access MyWay NavExcel RXToolBar NEED2FIND --------------------------- Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F2 - REG:system.ini: Shell= O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file) O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c3.cab O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15bc51aa2aa92cd...p/RdxIE601.cab O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.net/cabs/diamond.cab O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file) Click 'Fix Checked' and close HijackThis. --------------------------- Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK. Delete the following Files and Folders if they still exist. C:\Program Files\Media Access C:\Program Files\AdwareAlert C:\PROGRAM FILES\MyWay C:\PROGRAM FILES\NavExcel C:\PROGRAM FILES\RXToolBar C:\PROGRAM FILES\ NEED2FIND C:\WINDOWS\SYSTEM32\NFOMON C:\PROGRAM FILES\COMMON FILES\Totem Shared C:\WINDOWS\SYSTEM32\ide21201.vxd C:\PROGRAM FILES\COMMON FILES\UNINSTALL INFORMATION\RemoveDisplayUtility.exe C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe C:\WINDOWS\smdat32m.sys C:\WINDOWS\thin-143-1-x-x.exe C:\WINDOWS\gkxhngt.exe C:\WINDOWS\izrdiyyez.exe C:\WINDOWS\tmlpcert2005 C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf C:\WINDOWS\Downloaded Program Files\imloader.exe C:\WINDOWS\Downloaded Program Files\m67m.inf Click Start>Run and copy/paste regsvr32 occache.dll and click OK. ************************************************************ Double click on the regdel.zip folderyou downloaded to your desktop earlier. Now double click on the .reg file within. Click yes to allow it to merge into your registry. --------------------------- Run ISTBar removal tool. Note:** Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation --------------------------- NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner. ********************************************************** Reboot into Normal Mode. --------------------------- Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls A box may appear asking you for a Password, click 'Cancel' Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report** Please post that log in your next reply along with a new HijackThis log and the results of the Ewido scan. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 05-02-2006 at 08:30 AM.

04-04-2006, 09:23 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,016 OS: WinXP and Vista	Hi, Looking much better. Delete the following: C:\WINDOWS\SYSTEM32\vidmon If it gives you trouble, boot into Safe Mode and delete it from there. --------------------------- Did you download and run the regdel.zip I attached to my previous post? Open HijackThis Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Please copy and past the List from the notebook here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-05-2006, 06:59 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,016 OS: WinXP and Vista	Hi, Go into your Add/Remove panel and uninstall the following: TopSearch ---------------------------------- Delete it's folder if it still exists: C:\Program Files\ TopSearch ****************************************** Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to the following keys and delete the file/folder/entry I highlighted in RED HKEY_LOCAL_MACHINE\SOFTWARE\ NEED2FIND HKEY_CLASSES_ROOT\CLSID\ {147A976E-EEE1-4377-8EA7-4716E4CDD239} If the above registry keys are giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. ****************************************** Reboot your system. Run the online scan at Panda again and post the results here so we can be sure those registry entries are gone. How is your system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-07-2006, 06:52 AM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,016 OS: WinXP and Vista	Hi Rabbit77, I'm sure she's figured out now that you have to be careful with any of those sites that want you to help them with 'advertising' or 'marketing' or 'surveys'. Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies Your logs are clean now. Please continue with these final instructions and helpful links: Reset hidden/system files and folders Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and free downloads are available at the following links: Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . Download Spyware Guard to catch and block spyware before it can execute. Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-04-2006, 07:39 PM	#3 (permalink)
Rabbit77 Registered User Join Date: Mar 2006 Posts: 17 OS: XP	Hi Ried, Most of those files that you asked me to delete were there just like you said. Thanks for your help. Here are the scan reports : EWIDO : --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 10:38:07 AM, 05/04/06 + Report-Checksum: C3C16759 + Scan result: HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup HKLM\SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1 -> Adware.Delfin : Cleaned with backup HKLM\SOFTWARE\motoin -> Adware.Delfin : Cleaned with backup HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\aurora -> Adware.BetterInternet : Cleaned with backup HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup HKU\S-1-5-21-1524905476-2261553049-1230801723-1005\Software\RX Toolbar -> Adware.RXToolbar : Cleaned with backup ::Report End PANDA SCAN : Incident Status Location Adware:adware/delfinmedia Not disinfected C:\WINDOWS\SYSTEM32\vidmon Spyware:spyware/media-motor Not disinfected Windows Registry Potentially unwanted tool:application/need2find Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} Spyware:spyware/adclicker Not disinfected Windows Registry Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\backups\backup-20060405-091733-717.inf and finally : HIJACK THIS LOG : Logfile of HijackThis v1.99.1 Scan saved at 11:38:51 AM, on 05/04/06 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\carpserv.exe C:\WINDOWS\htpatch.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\D-Link\DSL-200\dslstat.exe C:\Program Files\D-Link\DSL-200\dslagent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Delux\PS2 Keyboard English Edition\keyboard.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\IncrediMail\bin\IncMail.exe C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\HijackThis.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Application Data\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PS2 Keyboard English Edition.lnk = ? O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4 O17 - HKLM\System\CS1\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{127F3F3C-42C6-4058-A9FE-1BD50B0815A5}: NameServer = 203.50.2.71 139.130.4.4 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE Once again thanks for your continued help Rabbit77

04-05-2006, 02:24 AM	#5 (permalink)
Rabbit77 Registered User Join Date: Mar 2006 Posts: 17 OS: XP	Hi Ried, I deleted the file C:\WINDOWS\SYSTEM32\vidmon. I already had run regdel.zip, but forgot to mention it sorry. This is the file you requested from Hijack This : AC3Filter (remove only) Ad-aware 6 Personal Adobe Acrobat 5.0 Ahead InCD ArcSoft PhotoBase 3 ArcSoft PhotoStudio 5 aspi AVG Free Edition AVIcodec (remove only) Brother's Keeper 6.1 Bug Doctor 3.0.3.3 Canon CanoScan Toolbox 4.1 CCHelp CCleaner (remove only) CCScore CleanUp! C-Media 3D Audio C-Media WDM Audio Driver CR2 DivX DivX Converter DivX Player DivX Web Player D-Link DSL-200 ADSL Modem DVD Decrypter (Remove Only) DVD Shrink 3.2 Elecard MPEG2 Player Version 2.0 beta ESSAdpt ESSANUP ESSBrwr ESSCAM ESSCDBK ESScore ESSgui ESShelp ESSini ESSPCD ESSTUTOR ESSvpaht ESSvpot ewido anti-malware FreeUndelete Google Toolbar for Internet Explorer HijackThis 1.99.1 Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB912475) IncrediMail Xe J2SE Runtime Environment 5.0 Update 1 J2SE Runtime Environment 5.0 Update 2 J2SE Runtime Environment 5.0 Update 6 Kodak EasyShare software KSU Lexmark Z600 Series Macromedia Flash Player 8 Manual CanoScan LiDE 50 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Data Access Components KB870669 Microsoft Office XP Professional with FrontPage Microsoft Publisher 97 Nero OEM NeroVision Express 2 Notifier OmniPage SE OTtBP Panda ActiveScan PCDLNCH PCI SoftV92 Modem PowerDVD Presto! PageManager 6 PS2 Keyboard English Edition Punter's Professional Punter's Professional (C:\Program Files\Punter's Professional\) QuickTime QuickTime 3.0 RealPlayer Registry First Aid Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) SFR SFR2 Shareaza version 2.2.1.0 Shockwave SiS 650_650GL_650GX_651 SiS 650_651_M650_740 SiS 900 PCI Fast Ethernet Adapter Driver SoftK56 Data Fax Voice Speakerphone CARP Spybot - Search & Destroy 1.3 TopSearch Ulead Photo Express 3.0 SE Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900930) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB912945) WebDP 2.07 Windows Blaster Worm Removal Tool (KB833330) Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Media Connect Windows Media Format Runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 10 Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 Thanx for all your help Cheers Rabbit77.

04-06-2006, 03:41 PM	#7 (permalink)
Rabbit77 Registered User Join Date: Mar 2006 Posts: 17 OS: XP	Hi Ried, Yeah system is behaving alot better now. My wife had gotten into some sort of advertising thing on the net and ever after that we were getting pop up ads. Computer good now thanx to you. Here is results of panda : Incident Status Location Spyware:spyware/media-motor Not disinfected Windows Registry Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@advertising[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as1.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[2].txt Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hotlog[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tradedoubler[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@xiti[1].txt Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@yadro[2].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@advertising[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@apmebf[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@as1.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[2].txt Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@hotlog[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[1].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@qksrv[2].txt Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tradedoubler[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@xiti[1].txt Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lindsay\Cookies\lindsay@yadro[2].txt Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Lindsay\Desktop\SpyWare Destroyers\hijackthis\backups\backup-20060405-091733-717.inf Cheers Rabbit77

04-08-2006, 02:11 AM	#9 (permalink)
Rabbit77 Registered User Join Date: Mar 2006 Posts: 17 OS: XP	Hi Ried, Thanks for all your help, i have installed the programs you recommended. Keep up the good work. Rabbit77