SpywareStrike [Archive] - Safer-Networking Forums

View Full Version : SpywareStrike

Chipper

2006-01-19, 18:41

Need heip removing SpywareStrike.
Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:15 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnewyork.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D66B431-8A5B-4ECA-AED6-6F4F411E1773} (AOLLaunch Class) - http://www.disneyblast.go.com/setup/activex/AOLLauncher.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolweb07.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{68391CC4-7162-4FA7-85A9-B4A9D3C717F6}: NameServer = 68.237.161.12 71.242.0.12
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Chipper

2006-01-20, 22:15

I followed Corrine's posted instructrions and ran a new HJT log and smitRem, Spybot-S&D, Ewido, Panda ActiveScan, and another HJT log. Can someone check this logs and let me know if I look OK.

Logfile of HijackThis v1.99.1
Scan saved at 12:26:36 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnewyork.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D66B431-8A5B-4ECA-AED6-6F4F411E1773} (AOLLaunch Class) - http://www.disneyblast.go.com/setup/activex/AOLLauncher.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolweb07.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{68391CC4-7162-4FA7-85A9-B4A9D3C717F6}: NameServer = 68.237.161.12 71.242.0.12
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Chipper

2006-01-20, 22:18

--- Search result list ---
MalwareWipe: Tracking cookie (Internet Explorer: Chipper) (Cookie, fixed)

PSGuard: Application ID (Registry key, fixed)
HKEY_CLASSES_ROOT\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}

SpywareStrike: Program directory (Directory, fixed)
C:\Program Files\SpywareStrike\Quarantine\

SpywareStrike: Application ID (Registry key, fixed)
HKEY_CLASSES_ROOT\AppID\SpywareStrike.EXE

SpywareStrike: Program directory (Directory, fixed)
C:\Program Files\SpywareStrike\Lang\

SpywareStrike: Program directory (Directory, fixed)
C:\Program Files\SpywareStrike\

SpywareStrike: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe

SpywareStrike: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}

Windows.ActiveDesktop: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1214440339-492894223-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

--- Spybot - Search && Destroy version: 1.3 ---
2006-01-20 Includes\Cookies.sbi
2006-01-20 Includes\Dialer.sbi
2006-01-20 Includes\Hijackers.sbi
2006-01-20 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-01-20 Includes\Malware.sbi
2006-01-20 Includes\PUPS.sbi
2006-01-20 Includes\Revision.sbi
2006-01-20 Includes\Security.sbi
2006-01-20 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-01-20 Includes\Trojans.sbi

--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ MSXML4: Patch Available For XMLHTTP Vulnerability
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)

--- Startup entries list ---
Located: HK_LM:Run, AVGCtrl
command: "C:\Program Files\AVPersonal\AVGNT.EXE" /min
file: C:\Program Files\AVPersonal\AVGNT.EXE
size: 180327
MD5: a9f455a03fa0fef8b85c68b123a5bb99

Located: HK_LM:Run, C-Media Mixer
command: Mixer.exe /startup
file: C:\WINDOWS\Mixer.exe
size: 1818624
MD5: f83709d0bacba84d297183825f089d98

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, Spyware Doctor
command: "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\spydoctor.exe
size: 1818624
MD5: c22f3b30f061bfc90500de3ba0312a4a

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (disabled), America Online 9.0 Tray Icon (DISABLED)
command: C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
file: C:\PROGRA~1\AMERIC~1.0\aoltray.exe
size: 156784
MD5: d3e103e5b79a6e8ba5b58e0a7c21523b

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
file: C:\PROGRA~1\MICROS~2\Office\OSA9.EXE
size: 65588
MD5: 9a9b150e70f44ec65e3fdc0551f2921b

Located: Startup (disabled), SpySubtract (DISABLED)
command: C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart
file: C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe
size: 1191936
MD5: 355411ba8c182719ebe06416bf04d82d

--- Browser helper object list ---

--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control)
DPF name:
CLSID name: OSInfo Control
Path: C:\WINDOWS\
Long name: OSInfo.ocx
Short name:
Date (created): 7/4/2003 4:11:16 PM
Date (last access): 1/20/2006 12:37:46 PM
Date (last write): 7/4/2003 4:11:16 PM
Filesize: 36864
Attributes: archive
MD5: C2FC1D731B46BBECF8E351F542CB388F
CRC32: 470A4CC5
Version: 0.1.0.0

{16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control)
DPF name:
CLSID name: SiS_OCX Control
Path: C:\WINDOWS\
Long name: SiS_OCX.ocx
Short name:
Date (created): 2/4/2005 11:49:36 AM
Date (last access): 1/20/2006 12:37:48 PM
Date (last write): 2/4/2005 11:49:36 AM
Filesize: 282624
Attributes: archive
MD5: 8FAD2EDAB9E7F2CFAAA02422F250EE03
CRC32: 6C3D4BAE
Version: 0.1.0.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 8/22/2004 5:39:46 PM
Date (last access): 1/20/2006 9:48:00 AM
Date (last write): 5/28/2004 12:38:00 AM
Filesize: 54480
Attributes: archive
MD5: 408F53722D9C1280BF4EDD70341EA7F2
CRC32: 4EB8819E
Version: 0.10.0.0

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 5:04:22 PM
Date (last access): 1/20/2006 10:09:14 AM
Date (last write): 8/29/2005 12:27:12 PM
Filesize: 520968
Attributes: archive
MD5: 679088DD42AFB105A6DA3F5E876D69B6
CRC32: 80D21320
Version: 0.1.0.3

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 1/18/2005 12:07:18 AM
Date (last access): 1/20/2006 12:37:46 PM
Date (last write): 1/18/2005 12:07:18 AM
Filesize: 326656
Attributes: archive
MD5: 20393D64F69F26361A97FD9AFB3C9243
CRC32: 0B4DBA7F
Version: 0.11.0.0

{406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia)
DPF name:
CLSID name: Snapfish Activia
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SnapfishActivia1000.ocx
Short name: SNAPFI~1.OCX
Date (created): 6/3/2005 11:24:32 AM
Date (last access): 1/19/2006 1:40:18 AM
Date (last write): 6/3/2005 11:24:32 AM
Filesize: 286720
Attributes: archive
MD5: F5C79C45F1ADF877DC3AFDFF3565AE7B
CRC32: F118547A
Version: 0.1.0.0

{5D66B431-8A5B-4ECA-AED6-6F4F411E1773} (AOLLaunch Class)
DPF name:
CLSID name: AOLLaunch Class
Path: C:\WINDOWS\system32\
Long name: AolLauncher.dll
Short name: AOLLAU~1.DLL
Date (created): 6/28/2001 5:51:56 PM
Date (last access): 1/20/2006 12:35:52 PM
Date (last write): 6/28/2001 5:51:56 PM
Filesize: 94208
Attributes: archive
MD5: 3DED253818FC187115719AE6E2567B0C
CRC32: C3B7F89B
Version: 0.1.0.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 3:52:58 AM
Date (last access): 1/19/2006 1:34:16 AM
Date (last write): 6/3/2005 4:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 0.5.0.0

{90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control)
DPF name:
CLSID name: Snapfish File Upload ActiveX Control
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SnapfishUpload1407.ocx
Short name: SNAPFI~2.OCX
Date (created): 4/1/2005 3:46:06 PM
Date (last access): 1/19/2006 1:40:18 AM
Date (last write): 4/1/2005 3:46:06 PM
Filesize: 372736
Attributes: archive
MD5: 5B8D77ACB3D14EC96752D2A9592F91FF
CRC32: CBC6B97F
Version: 0.1.0.4

{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_05
Path: C:\Program Files\Java\j2re1.4.2_05\bin\
Long name: NPJPI142_05.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2068 9:05:12 PM
Date (last access): 1/19/2006 1:32:08 AM
Date (last write): 6/3/2004 9:05:06 PM
Filesize: 65650
Attributes: archive
MD5: 174488C8877FA852448D1937C322AABB
CRC32: 62C2460D
Version: 0.1.0.4

{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 3:36:50 AM
Date (last access): 1/19/2006 1:33:00 AM
Date (last write): 3/4/2005 3:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 0.5.0.0

{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 3:52:58 AM
Date (last access): 1/20/2006 12:45:00 PM
Date (last write): 6/3/2005 4:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 0.5.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name:
Date (created): 8/27/2005 1:38:56 PM
Date (last access): 1/20/2006 11:47:22 AM
Date (last write): 8/27/2005 1:38:56 PM
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 0.8.0.0

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object

{EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class)
DPF name:
CLSID name: QDiagHUpdateObj Class
Path: C:\WINDOWS\System32\
Long name: qdiagh.ocx
Short name:
Date (created): 7/21/2004 11:32:04 AM
Date (last access): 1/19/2006 1:45:26 AM
Date (last write): 11/30/2004 1:10:08 PM
Filesize: 824416
Attributes: archive
MD5: F74D5AEFB89DEDC35B2295ED424A7CDF
CRC32: 25AD1A25
Version: 0.1.0.0

--- Process list ---
Spybot - Search && Destroy process list report, 1/20/2006 12:44:58 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 128 ( 4) \SystemRoot\System32\smss.exe
PID: 176 ( 128) csrss.exe
PID: 180 (1944) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 200 ( 128) \??\C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 244 ( 200) C:\WINDOWS\system32\services.exe
PID: 256 ( 200) C:\WINDOWS\system32\lsass.exe
PID: 400 ( 244) C:\WINDOWS\system32\svchost.exe
PID: 444 ( 244) svchost.exe
PID: 508 ( 244) C:\WINDOWS\system32\svchost.exe
PID: 1944 ( 860) C:\WINDOWS\explorer.exe

--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/20/2006 12:44:58 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.cbsnewyork.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Chipper

2006-01-20, 22:19

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3158657B-38B5-4399-A4A6-7E498B53F1C6}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3158657B-38B5-4399-A4A6-7E498B53F1C6}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7AE32A69-CF4D-4A92-83DA-4EBCAF8E275C}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7AE32A69-CF4D-4A92-83DA-4EBCAF8E275C}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{596141C3-7127-467D-92C6-722A58F5F0A1}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{596141C3-7127-467D-92C6-722A58F5F0A1}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69DEA7FE-0851-4946-B0A0-E037AAE62132}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69DEA7FE-0851-4946-B0A0-E037AAE62132}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D186F4D7-E035-45FD-A4A1-563F1C905368}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D186F4D7-E035-45FD-A4A1-563F1C905368}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{432A1BF1-EBC3-4AD2-A67D-C6640A308280}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{432A1BF1-EBC3-4AD2-A67D-C6640A308280}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{68391CC4-7162-4FA7-85A9-B4A9D3C717F6}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{68391CC4-7162-4FA7-85A9-B4A9D3C717F6}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Chipper

2006-01-20, 22:27

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 01/20/2006
The current time is: 12:30:45.95

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

Crystalys media
SpywareStrike

~~~ Shortcuts ~~~

Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

netwrap.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

SpywareStrike

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Chipper

2006-01-20, 22:28

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:02:07 PM, 1/20/2006
+ Report-Checksum: 973CDF21

+ Scan result:

C:\Documents and Settings\Caitlin\Cookies\caitlin@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Caitlin\Cookies\caitlin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Cassidy\Cookies\cassidy@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Cassidy\Cookies\cassidy@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Cassidy\Cookies\cassidy@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cassidy\Cookies\cassidy@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cassidy\Cookies\cassidy@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@ehg-wildoats.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@phg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Kerry\Cookies\kerry@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup

::Report End

Chipper

2006-01-20, 22:28

Logfile of HijackThis v1.99.1
Scan saved at 3:41:38 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnewyork.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D66B431-8A5B-4ECA-AED6-6F4F411E1773} (AOLLaunch Class) - http://www.disneyblast.go.com/setup/activex/AOLLauncher.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolweb07.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{68391CC4-7162-4FA7-85A9-B4A9D3C717F6}: NameServer = 68.237.161.12 71.242.0.12
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

LonnyRJones

2006-01-23, 18:55

Hi Chipper

Looks good but are there any problems ?

--- Spybot - Search && Destroy version: 1.3 ---
In windows addremove programs uninstall SpyBot then Restart the PC,
and delete SpyBots folder in program files,
usualy > C:\Program Files\Spybot - Search & Destroy
Then download and install 1.4 once thats done, check for updates, then check for problems, fix everything found, always reboot if SpyBots needs to, to finish the cleanup. http://www.safer-networking.org/index.php?page=tutorial
Download found here http://www.safer-networking.org/en/download/index.html

Update suns java manualy
Sun Java V1.5.0_06 is Available: http://java.com/en/index.jsp
Afterwards Turn off it's auto-updater,(Its buggy) , in control panel java >
update tab uncheck its option to update automatically.
After you install the newer version its important to uninstall the old versions, via addremove programs.

Chipper

2006-01-23, 23:11

I did as you instructed and everything seems to be fine. After uninstalling and reinstalling Spybot-S&D and running it once again no problems were found. I also took care of the Java update as well. I did notice however that there is an entry in the MS system configuration utility on the start up tab for "SpywareStrike" it is not checked but could this become a problem?

LonnyRJones

2006-01-24, 05:04

Hi

No not a problem but you could re-check it, exit msconfig without restarting the pc run hijackthis and fix the item, or if you like save a log and post it.

Chipper

2006-01-24, 17:52

I did as you suggested and all remnates of "SpywareStrike" have been eradicated.

Thank You Very Much
Chipper

Anyone I know having computer problems I direct here. If you guys can't figure it out it can't be done!

LonnyRJones

2006-01-24, 21:11

Some Prevention advice :
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly
How did that go ?
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Regards
Lonny

LonnyRJones

2006-01-28, 13:33

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.