
Malicious Action detected - mlljh.dll



jsiguenza
2007-04-07, 01:00
My computer has been very slow and bringing up pop-ups regarding DLLs. Please help.

Active scan log:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddcywxu.dll
Adware:adware/gator Not disinfected c:\GatorPatch.log
Adware:adware/toprebates Not disinfected c:\program files\WebSavingsfromEbates
Adware:adware/blazefind Not disinfected c:\program files\WindowsSA
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.doubleclick.net/]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\backups\backup-20070405-205218-787.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\VundoFix.exe[process.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018738.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018756.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018757.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018758.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018759.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018767.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018768.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018769.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018770.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018771.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018783.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018784.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018792.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018794.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018795.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018806.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018807.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018811.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018812.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018814.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018816.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP444\A0018821.DLL

jsiguenza
2007-04-07, 01:01
Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018846.exe
Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018847.exe
Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018848.exe
Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018852.exe
Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP454\A0020299.exe
Adware:Adware/Dyfuca Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP454\A0020301.exe
Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP456\A0020393.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022873.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022875.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exul.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[adp8025_OUTB.exe][bargains.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[nls8025_OUTB.exe][nls.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][cashback.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][bb_welcome.html]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][icon.gif]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022958.exe
Adware:Adware/TopMoxie Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022959.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022970.exe
Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP470\A0023121.dll
Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP471\A0023140.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\A0023700.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\snapshot\MFEX-1.DAT
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023913.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\system32\dpxicinb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqpnkh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wkdjhmjm.dll
Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
Adware:Adware/WinTools Not disinfected C:\WINNT\Key2.txt
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exdl.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exul.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\msbe.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\mscb.dll
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\nvms.dll

jsiguenza
2007-04-07, 01:02
HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 5:48:57 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B3E979F-85F3-40AA-8B9F-3FD1EE32B76C} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\dpxicinb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcywxu - C:\WINDOWS\SYSTEM32\ddcywxu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


Thank you


"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)

pskelley
2007-04-07, 14:33
Welcome to the forum. This is a Vundo infection, but first I have to say your System Restore files are totally infected. DO NOT use System Restore for any reason until we clean it.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say "Has been deleted".
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to UploadMalware: http://www.uploadmalware.com

Use Post Reply, DO NOT start new topics.

Thanks

jsiguenza
2007-04-11, 01:18
Thank you for your help.

VundoFix.txt---->

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:27:19 PM 4/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\ddcywxu.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\mjmhjdkw.ini
C:\WINDOWS\system32\wkdjhmjm.dll
C:\WINDOWS\system32\xvkmpogt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\ccbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcywxu.dll
C:\WINDOWS\system32\ddcywxu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mjmhjdkw.ini
C:\WINDOWS\system32\mjmhjdkw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wkdjhmjm.dll
C:\WINDOWS\system32\wkdjhmjm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvkmpogt.dll
C:\WINDOWS\system32\xvkmpogt.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcywxu.dll
C:\WINDOWS\system32\ddcywxu.dll Has been deleted!

Performing Repairs to the registry.
Done!

-----------------------

Hijackthis---->

Logfile of HijackThis v1.99.1
Scan saved at 6:17:57 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\Cleaning files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8FD27C64-134F-4115-9BE4-FA23DDAA3C3B} - C:\WINDOWS\system32\gebcc.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Thank you again!

pskelley
2007-04-11, 01:49
Thanks for returning your information. You have called the folder where HJT stores the program and backups "Cleaning files". That is fine as long as you store NOTHING else in that folder. If you need to store other stuff in that folder, create a new folder for HJT. I suggest C:\HJT\HijackThis.exe

You have an old version of Java on the computer, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version and uninstall all old versions in Add Remove Programs.


Follow the directions carefully and in the posted order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Spyware Doctor: From within Spyware Doctor, click the "OnGuard" button on the left side. Uncheck "Activate OnGuard". Make sure it has reactivated when you reboot.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
O2 - BHO: (no name) - {8FD27C64-134F-4115-9BE4-FA23DDAA3C3B} - C:\WINDOWS\system32\gebcc.dll (file missing)
(the next one is damaged and not working right, if at all. If you use it, install it again when we finish)
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\ddcywxu.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\wkdjhmjm.dll <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Restart the computer, run a new ActiveScan and post its log along with a new HJT log and any comments you think will help.

Thanks
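The HJT step above works from the log lines themselves: entries marked "(file missing)" are registry references whose DLL is already gone, and the O20 Winlogon Notify and O4 Run entries are the ones the helper singles out. The following script is an added example, not part of this thread and not code from HijackThis; it parses the O2/O4/O20/O23 line formats shown in the logs and lists the entries a helper would normally look at first. The allowlist of Winlogon Notify package names and the three review rules are assumptions for illustration, not HijackThis behaviour.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines in the HijackThis v1.99 format seen in the thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\xvkmpogt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\wkdjhmjm.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HJT finding starts with a section code such as O2, O4, O20, R1.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
FILE_MISSING = "(file missing)"

# Assumed allowlist of Winlogon Notify package names expected on an XP machine like
# the one in the thread; a real triage would check these against vendor documentation.
KNOWN_WINLOGON_NOTIFY = {
    "igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Entry:
    section: str       # e.g. "O20"
    name: str          # BHO name, Run value name, Notify package or service name
    path: str          # file path or command line the entry points at
    file_missing: bool # HJT appended "(file missing)"
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; returns None for non-finding lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    file_missing = body.endswith(FILE_MISSING)
    if file_missing:
        body = body[: -len(FILE_MISSING)].rstrip()
    if section == "O4":
        # O4 - HKLM\..\Run: [ValueName] command line
        mm = re.match(r"^[^\[]*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
        name, path = (mm.group("name"), mm.group("cmd")) if mm else ("", body)
    else:
        # "Type: Name - {CLSID} - path": the name follows the first colon, the path is last.
        parts = [p.strip() for p in body.split(" - ")]
        head = parts[0].split(": ", 1)
        name = head[1] if len(head) > 1 else head[0]
        path = parts[-1] if len(parts) > 1 else ""
    return Entry(section, name, path, file_missing, line.strip())


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (raw line, reason) pairs for entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.file_missing:
            findings.append((e.raw, "orphaned: registry entry points at a file that no longer exists"))
        if e.section == "O20" and e.name.lower() not in KNOWN_WINLOGON_NOTIFY:
            findings.append((e.raw, "Winlogon Notify package not in the allowlist"))
        if e.section == "O4" and "rundll32" in e.path.lower():
            findings.append((e.raw, "Run key loads a DLL through rundll32"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

On the constructed sample the script reports four findings: the orphaned O2 entry, the rundll32 Run value, and the mlljh Notify entry twice (orphaned and not on the allowlist), while the Intel and WGA Notify entries and the AVG service pass through untouched.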

jsiguenza
2007-04-11, 21:59
Hello, thanks again for your help. As a comment, I can't tell you that I don't have any more pop-ups regarding the malicious action, but the computer is still a lot slower than it was before the infection.

The ActiveScan log--->

Adware:adware/gator Not disinfected c:\GatorPatch.log
Adware:adware/toprebates Not disinfected c:\program files\WebSavingsfromEbates
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.terra.com.br/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.target.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.terra.com.br/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.target.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt[.burstnet.com/]
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-1220945662-764733703-682003330-1003\Dc1\backup-20070405-205218-787.dll
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-1220945662-764733703-682003330-1003\Dc1\backup-20070409-133907-889.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018738.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018756.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018757.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018758.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018759.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018767.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018768.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018769.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018770.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018771.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018783.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018784.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018792.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018794.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018795.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018806.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018807.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018811.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018812.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018814.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018816.exe
Spyware:Spyware/ClearSearch Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP444\A0018821.DLL

jsiguenza
2007-04-11, 22:01
continues.....

Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018852.exe
Adware:Adware/WeatherCast Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP456\A0020393.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022873.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022875.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[exul.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[adp8025_OUTB.exe][bargains.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[nls8025_OUTB.exe][nls.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][cashback.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][bb_welcome.html]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe[cb8025_OUTB.exe][icon.gif]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022958.exe
Adware:Adware/TopMoxie Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022959.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022970.exe
Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP470\A0023121.dll
Adware:Adware/Twain-Tech Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP471\A0023140.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\A0023700.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\snapshot\MFEX-1.DAT
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP484\A0023875.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023913.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[²θΗ]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023914.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ddcywxu.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wkdjhmjm.dll.bad
Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
Adware:Adware/Twain-Tech Not disinfected C:\WINNT\inf\twaintec.inf
Adware:Adware/WinTools Not disinfected C:\WINNT\Key2.txt
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exdl.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\exul.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\msbe.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\mscb.dll
Adware:Adware/Exact.SearchBar Not disinfected C:\WINNT\system32\nvms.dll

jsiguenza
2007-04-11, 22:01
And finally the HJT log--->

Logfile of HijackThis v1.99.1
Scan saved at 2:54:22 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\Cleaning files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

I'll wait for your commentaries.

Thank you

pskelley
2007-04-11, 22:26
Please look at all of the items in the Active scan log like this:
C:\System Volume Information\_restore

Those are junk files backed up in your System Restore files. If you had followed the directions to turn System Restore off, reboot the computer and turn System Restore back on, all of those items would not be there. Please try to follow these directions:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

After that is done, then follow the instructions in this link:
http://forums.security-central.us/showthread.php?t=3165
DO NOT confuse this program with your Anti-Virus program; they are two different programs that do two different jobs. Download, install, update and run the program according to the instructions. Make sure you delete or at least quarantine anything it finds, and save the scan results and post them.

Then look at this information for ways to help your computer run better:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Thanks
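The point made above is that most lines in these reports sit under C:\System Volume Information\_restore and disappear once the restore points are purged, so the entries that still need attention are the ones in live locations. The script below is an added example, not part of this thread and not code from ActiveScan or AVG Anti-Spyware; it reads lines in the two report layouts posted in this thread ("Category Status Path" and "Path -> Detection : Action") and sorts them into System Restore copies, tracking cookies, quarantine or recycle-bin backups, and live files. The sample lines are constructed from the formats above, and the path rules used for the sorting are assumptions for illustration.

```python
"""Sort scan-report findings by where the flagged file lives (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample mixing the ActiveScan layout and the AVG Anti-Spyware layout.
SAMPLE_REPORT = r"""Adware:Adware/Exact.BargainBuddy Not disinfected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt[.doubleclick.net/]
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ddcywxu.dll.bad
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\system32\apuc.dll
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : No action taken.
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Burstnet : No action taken.
C:\WINNT\bbchk.exe -> Adware.BargainBuddy : No action taken.
C:\Program Files\WebSavingsfromEbates\System\Temp\run.txt -> Adware.MoneyMaker : No action taken.
"""

# AVG Anti-Spyware: "<path> -> <detection> : <action>"
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")
# Panda ActiveScan: "<category:name> <status words> <drive-letter path>"
ACTIVESCAN_RE = re.compile(r"^(?P<detection>\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_report_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (path, detection, status) for a line in either layout, else None."""
    line = line.strip()
    m = AVG_RE.match(line) or ACTIVESCAN_RE.match(line)
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("status")


def classify(path: str, detection: str) -> str:
    """Bucket a finding by where it lives; rules are assumptions for illustration."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"          # cleared by the System Restore off/reboot/on cycle
    if "cookie" in detection.lower() or p.startswith(":mozilla."):
        return "tracking_cookie"         # browser cookie entries, not executable code
    if "\\vundofix backups\\" in p or "\\recycler\\" in p:
        return "backup_or_recycled"      # copies a removal tool or the user already set aside
    return "live"                        # still in place on the system: the lines to act on


def summarize(report_text: str) -> Dict[str, object]:
    """Count findings per bucket and collect the live paths."""
    counts: Counter = Counter()
    live: List[str] = []
    unparsed = 0
    for line in report_text.splitlines():
        parsed = parse_report_line(line)
        if parsed is None:
            if line.strip():
                unparsed += 1
            continue
        path, detection, _status = parsed
        bucket = classify(path, detection)
        counts[bucket] += 1
        if bucket == "live":
            live.append(path)
    return {"counts": dict(counts), "live": live, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for bucket, n in sorted(result["counts"].items()):
        print(f"{bucket:20s} {n}")
    print("live files to deal with:")
    for path in result["live"]:
        print("   ", path)
```

For the constructed sample the summary is two System Restore copies, two cookies, one VundoFix backup and three live files (apuc.dll, bbchk.exe and the WebSavingsfromEbates temp file), which is the short list the helper's reply is steering towards.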

jsiguenza
2007-04-12, 18:15
I had already done the System Restore process, but I did it again anyway. Once I have the AVG Anti-Spyware 7.5, should I delete the PC Tools Spyware Doctor?

This is the AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:12:35 AM 4/12/2007

+ Scan result:



C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022871.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022872.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022873.dll -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022875.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP466\A0022906.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022958.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022970.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022971.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP482\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\A0023913.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP485\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : No action taken.
C:\WINNT\bbchk.exe -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\apuc.dll -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\bbchk.exe -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\exdl.exe -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\msbe.dll -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\mscb.dll -> Adware.BargainBuddy : No action taken.
C:\WINNT\system32\nvms.dll -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP470\A0023121.dll -> Adware.BiSpy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP471\A0023140.exe -> Adware.BiSpy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018755.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018756.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018757.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018758.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP440\A0018759.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018767.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018768.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018769.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018770.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP441\A0018771.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018783.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP442\A0018784.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018792.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018794.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018795.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018806.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018807.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018811.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018812.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018814.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP443\A0018816.exe -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP444\A0018821.DLL -> Adware.ClearSearch : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP467\A0022959.exe -> Adware.HelpExpress : No action taken.
C:\Program Files\WebSavingsfromEbates -> Adware.MoneyMaker : No action taken.
C:\Program Files\WebSavingsfromEbates\System -> Adware.MoneyMaker : No action taken.
C:\Program Files\WebSavingsfromEbates\System\Temp -> Adware.MoneyMaker : No action taken.
C:\Program Files\WebSavingsfromEbates\System\Temp\dump.txt -> Adware.MoneyMaker : No action taken.
C:\Program Files\WebSavingsfromEbates\System\Temp\run.txt -> Adware.MoneyMaker : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP445\A0018852.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP456\A0020393.exe -> Adware.SaveNow : No action taken.
:mozilla.121:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.189:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.53:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.21:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.29:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.40:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.46:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.103:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.110:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.125:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.125:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.126:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.127:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.127:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.153:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.193:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.194:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.220:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.228:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.229:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.230:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.274:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.275:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.32:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.92:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.99:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.126:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.50:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.115:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.116:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.117:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.118:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.183:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.184:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.185:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.186:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.93:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.94:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.112:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.113:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.114:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.115:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.116:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.117:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.118:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.119:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.120:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.121:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.35:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.36:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.37:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.38:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.39:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.40:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.41:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.42:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.43:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.44:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.45:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-2.txt -> TrackingCookie.Specificclick : No action taken.


::Report end

Thanks

pskelley
2007-04-12, 19:36
OK, we have a problem here, and I am not sure if it is in communication or not. Look closely at the items in the AVG scan report, the vast majority say this:
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022871.exe -> Adware.BargainBuddy : No action taken.
These are files that are backed up in System restore that must be removed. This is probably what Norton is seeing. I have no idea what you are doing, but here is another look at the instructions:

Click on this link and read carefully the instructions:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleansystemrestore.shtml

How to Clean an Infected System Volume Information or System Restore folder
System Restore is a feature of Windows XP and Windows ME (Note: Windows ME is not supported by F-Secure Internet Security 2007). If a virus infects the computer, it is possible that the virus could be backed up in the system restore folder. To scan and clean System Restore, you need to disable it.

By disabling System Restore you lose your last system restore point. If you want to continue using the System Restore feature, it is important to re-enable it after removing the infected files. Unfortunately there is no other way to remove infections from this location.

(there is no need to scan with F-Secure, the process of turning off system restore, then rebooting your computer and then turning system restore back on will give you a clean restore point)

(here is the information from Microsoft: http://www.microsoft.com/technet/community/en-us/management/sysrestore_faq.mspx )

To disable System Restore on Windows XP:
Close all open programs.
Right-click My Computer, and select Properties. The System Properties dialog is displayed.
Click the System Restore tab.
Select the Turn off System Restore on all drives check box.
Click Apply, and when the system asks if you want to turn off System Restore, click Yes.
Click OK.
Scan all hard drives and all files for viruses with your F-Secure Anti-Virus product.
Once you have scanned and disinfected the files, enable System Restore again as follows:

Right-click My Computer, and select Properties. The System Properties dialog is displayed.
Click the System Restore tab.
Clear the Turn off System Restore on all drives check box.
Click Apply, and then click OK.


Something you are doing is not being done correctly or those items would not be in the AVG Anti-Spyware scan.

Many of the bad items like this one:
C:\WINNT\bbchk.exe -> Adware.BargainBuddy : No action taken.
Indicate you took no action instead of deleting the bad file.

Many are cookies: Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Revsci : No action taken.
and no action was taken instead of deleting them?

Here are the instructions I posted:

Make sure you delete or at least quarantine anything it finds and save the scan results and post

If you don't know how to control cookies in Firefox, read this information:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

Please follow the above directions and then post another AVG Scan report which should be clean.

Thank you
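
To make the point of the post above concrete for anyone reading this later: the snippet below is an added example (not code from the thread, from AVG, or from the forum) that parses the AVG Anti-Spyware report format quoted in this thread and separates the three kinds of leftover item the helper calls out: ordinary files still marked "No action taken", tracking cookies left alone, and restore-point copies under System Volume Information, which a scanner only reports and which need the System Restore off/on cycle. The line pattern (`LINE_RE`), the function names and the sample report are my own; the sample is assembled from lines quoted in the thread.

```python
"""Triage an AVG Anti-Spyware scan report (added example, not AVG's own tool).

Report line format, as seen in the logs posted in this thread:

    [:<browser>.<n>:]<path> -> <Detection.Name> : <Action>.

The leading ':mozilla.<n>:' tag appears only on tracking-cookie entries.
"""
import re
from collections import Counter

# One detection line; the cookie prefix is optional. The pattern is an
# assumption derived from the posted logs, not an official AVG specification.
LINE_RE = re.compile(
    r"^(?P<prefix>:[^:\\]+:)?"   # ':mozilla.127:' on cookie entries
    r"(?P<path>.+?) -> "         # file path or cookie store path
    r"(?P<detection>[^:]+?) : "  # e.g. 'Adware.BargainBuddy'
    r"(?P<action>[^.]+)\.$"      # 'No action taken' or 'Cleaned'
)

# Restore-point backups live here on Windows XP. Scanners report but cannot
# clean them; the fix is to turn System Restore off, reboot, and turn it on.
RESTORE_DIR = r"\system volume information\_restore"

NO_ACTION = "No action taken"


def parse_line(line):
    """Parse one report line; return None for headers, blanks and footers."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["is_cookie"] = rec["prefix"] is not None
    rec["in_restore"] = RESTORE_DIR in rec["path"].lower()
    return rec


def triage(report_text):
    """Group detections by what the user still has to do about them."""
    records = [r for r in map(parse_line, report_text.splitlines()) if r]
    unresolved = [r for r in records if r["action"] == NO_ACTION]
    return {
        "total": len(records),
        "by_action": dict(Counter(r["action"] for r in records)),
        # Ordinary files left alone: delete or quarantine them in AVG.
        "unresolved_files": [r["path"] for r in unresolved
                             if not r["is_cookie"] and not r["in_restore"]],
        # Tracking cookies left alone: clear them in AVG or in the browser.
        "unresolved_cookies": [r["detection"] for r in unresolved if r["is_cookie"]],
        # Restore-point copies: only the System Restore off/on cycle removes these.
        "restore_point_items": [r["path"] for r in records if r["in_restore"]],
    }


def is_clean(report_text):
    """True when no detection was left as 'No action taken'."""
    return triage(report_text)["by_action"].get(NO_ACTION, 0) == 0


# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:38:04 PM 4/12/2007

+ Scan result:

C:\WINNT\bbchk.exe -> Adware.BargainBuddy : No action taken.
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP465\A0022871.exe -> Adware.BargainBuddy : No action taken.
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies-1.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

::Report end
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("Detections:", summary["total"], summary["by_action"])
    for key in ("unresolved_files", "unresolved_cookies", "restore_point_items"):
        for item in summary[key]:
            print(f"  {key}: {item}")
    print("Clean:", is_clean(SAMPLE_REPORT))
```

Run against the sample, the summary lists one file to delete or quarantine, one cookie left behind, and one restore-point copy; `is_clean` returns False until the "No action taken" entries are gone, which is the state the helper asks for in the next report.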

jsiguenza
2007-04-12, 21:41
Sorry, I misunderstood what you wanted me to do. Now it's done.

This is the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:38:04 PM 4/12/2007

+ Scan result:



:mozilla.31:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.234:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.16:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.95:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.55:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.56:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.141:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.148:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.152:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.159:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.238:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.239:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.265:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.319:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.320:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.57:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.59:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.60:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.161:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.162:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.163:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.164:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.165:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.166:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.167:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.168:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.169:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.170:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.38:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.42:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.43:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.10:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.11:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.12:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.13:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.14:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.9:C:\Documents and Settings\Owner.CURT-JP80I6E32O\Application Data\Mozilla\Firefox\Profiles\1uajqrvo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Now, after all this process, I suppose I should just leave the AVG antivirus and spyware on in the computer, is that right? Should I now delete the PC Spyware Doctor and all the spyware and antivirus programs?

Thank you

pskelley
2007-04-12, 21:49
Thanks: http://mozilla.gunnars.net/firefox_help_firefox_cookie_tutorial.html

Since it has been a while, please let me see one more HijackThis log. I'll look it over and give you some information from experts that will help with your decisions. Once you review what they have to say, if you still have questions, then post them.

Thanks

jsiguenza
2007-04-12, 22:20
This is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:52 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.CURT-JP80I6E32O\Desktop\Cleaning files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


So, should I delete all the antivirus and spyware programs that I have in my computer, such as PC Tools Spyware Doctor, and just keep the AVG antivirus and spyware? Is that ok?

Thank you very much again for all your help.

Javier Siguenza

pskelley
2007-04-12, 22:36
Thanks for providing your HJT log Javier, and it looks clean of malware. I personally do not use Spyware Doctor, is it a trial which supplies no benefits after the trial period? That being the case you would want to uninstall it. AVG Anti-Spyware also stops realtime protection after the trial period, but the scanner can be kept and updated for as long as you like. I will post more information, but it is important that you turn it completely off unless you purchase it because it would use resources and provide no benefits. My suggestion is that you run one good antivirus program which you have, and one good firewall, which I do not see. If you use the Windows SP2 firewall, you may want to consider a better free one. I also suggest at least one good spyware program that runs in realtime, and freeware programs are available. After you read what the experts have to say, if you still have questions, post them and I will do my best to give you answers.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Gracias...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

jsiguenza
2007-04-13, 00:11
Well, I suppose that's it... I really appreciate all your help.

pskelley
2007-04-17, 13:15
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks