
Hijacks and Popups GALORE!



ninjakb
2006-03-09, 03:42
Hi everyone. PLEASE PLEASE HELP!!!!!
I have done my best to scan all of the forum to get answers before posting but can't seem to match up to what is going on with me. Same scenario but not the same items appearing.
I have always run Adaware and Zone Alarm as well as Symantec AntiVirus and have always had good success.
A few days ago, pop-ups started ALL OVER THE PLACE while I have IE open. I am not sure, but they seem to be popping up with OE as well when I check my mail. I have focused more on fixing/removing than on paying attention to *exactly* when they occur. The primary issue is the pop-ups coming up while I am surfing. This morning, my desktop background was also missing.
Anyway, I have tried SpyBot, Popup Killer and Spyware Doctor, and used Hijack This and Look2ME to compare it to listed logs. I tried VundoFix this morning and it found NOTHING. I downloaded SFP and BFU and the L2Mfix but did not use them yet. I thought it was time to get better advice instead of trying to do this by myself.
I *thought* I had it under control after several hours of endless scans with each of the software programs that I have, and shortly after I would get MORE pop-ups. Now it is insanely bad. I am in the middle of typing or whatever and have to wait for the pop-ups to all come up (they seem to be on a timer), then I can continue what I am doing. Then it started crashing IE and has crashed the machine where the only way to restart was to pull the plug.
Apparently I have a good one! HELPPPPPPPPPP!!!!!

Spyware Doctor is catching some of the pop-ups (also google is running as well) but the main culprits are www.adssvr.com, redorbit.com, heavy.com, qlinkserver.com, stopzilla.com, inqwire.com and smashhitsusa.com. I have written down SEVERAL others but these above are the primaries.

Here is the current Hijack This log:

ninjakb
2006-03-09, 03:47
Here is the current Hijack This log: (sorry - hit the return button by accident and this didn't get included):

Logfile of HijackThis v1.99.1
Scan saved at 9:41:53 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dgfgql.exe
C:\WINDOWS\system32\klsx9e.exe
C:\mousepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\win3206034807569.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [win3206034807569] C:\WINDOWS\win3206034807569.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37670.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak06.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D587B35-4EBF-4BB7-B114-E28FD8D540C9}: NameServer = 167.206.3.154,167.206.3.220
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\rtpwsx.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: astnscsi - Voyetra Turtle Beach, Inc. - C:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\Voyetra\AUDIOS~1\x10nets.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

pskelley
2006-03-11, 13:07
Hello Karen and welcome to the forum. Sorry for the wait; the logs are many and the volunteers are few. I may ask you to run programs you have run before; this is to make sure they are updated, configured properly and run in a specific order. Please follow the posted order, thanks. I also want to say that sometimes items are removed by the tools and are not there later in the instructions. Don't be concerned, just be careful not to miss anything.

1) Please click Format at the top of Notepad and uncheck Word Wrap. My scanner needs a single spaced log.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Turn off Spyware Doctor until you are finished, it may block the HJT fix we must make

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [win3206034807569] C:\WINDOWS\win3206034807569.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\rtpwsx.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\\gimmysmileys.exe >>> file

C:\\keyboard.exe >>> file

C:\mousepad.exe >>> file

C:\WINDOWS\win3206034807569.exe >>> file

C:\WINDOWS\system32\dgfgql.exe >>> file

C:\WINDOWS\system32\klsx9e.exe >>> file

C:\WINDOWS\system32\loadadv64 >>> file

C:\WINDOWS\system32\rtpwsx.dll >>> file

C:\WINDOWS\system32\wdc1n.dll >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. How is the computer running now?

Thanks...pskelley
Safer Networking Forums
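As an added example (not code from this thread, from HijackThis or from Safer Networking), here is a small Python triage script that applies, mechanically, the kinds of checks pskelley applied by eye when picking the entries to fix: Run entries whose executable sits at the drive root, targets with no file extension or a random-looking name, hooks that reference a file that no longer exists, and one DLL registered both as a BHO (O2) and as a text/html filter (O18). The sample input is a handful of lines copied from the log posted above plus three known-good entries as controls. The heuristics are my own assumptions, meant as review hints rather than verdicts; a legitimate system file such as smss.exe also has no vowels, so every hit still needs a human look.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example, not HijackThis's or the forum's own code. The heuristics are
the author's own assumptions, modelled on the entries pskelley singled out in
this thread. They produce hints for a reviewer, not verdicts.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: entries copied from the HJT log posted in this thread,
# plus three benign ones (Spybot's SDHelper, QuickTime, NavLogon) as controls.
SAMPLE_LOG = r"""
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [win3206034807569] C:\WINDOWS\win3206034807569.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\rtpwsx.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"')
BARE_PATH_RE = re.compile(r"([A-Za-z]:\\\S*)")  # unquoted path: stops at first space


def extract_path(body: str) -> Optional[str]:
    """Return the first Windows path in an entry body, or None if there is none."""
    m = QUOTED_PATH_RE.search(body) or BARE_PATH_RE.search(body)
    return m.group(1) if m else None


def name_reasons(path: str) -> List[str]:
    """Heuristics that look only at the file's name and location."""
    reasons = []
    directory, _, filename = path.rpartition("\\")
    stem = filename.split(".")[0]
    if directory.rstrip("\\").endswith(":"):
        reasons.append("executable at drive root")
    if "." not in filename:
        reasons.append("target has no file extension")
    if re.search(r"\d{6,}", stem):
        reasons.append("long digit run in name")
    if len(stem) >= 5 and not re.search(r"[aeiouAEIOU]", stem):
        reasons.append("unpronounceable name (no vowels)")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse HJT entries and return those that trip at least one heuristic."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((raw.strip(), m.group(1), m.group(2)))

    # Which section codes (O2, O18, ...) reference each file path.
    sections_by_path = defaultdict(set)
    for _, code, body in entries:
        path = extract_path(body)
        if path:
            sections_by_path[path.lower()].add(code)

    flagged = []
    for line, code, body in entries:
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("hook points at a file that no longer exists")
        path = extract_path(body)
        if path:
            reasons += name_reasons(path)
            codes = sections_by_path[path.lower()]
            if len(codes) > 1:
                reasons.append("same file hooked in " + "/".join(sorted(codes)))
        if reasons:
            flagged.append({"line": line, "section": code, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run on the sample it flags eight of the eleven entries and passes the three controls; the wdc1n.dll lines are reported twice, once under O2 and once under O18, each carrying the "same file hooked" reason, which is the cross-reference that makes that pair worth fixing together. The bare-path regex stops at the first space, so an unquoted path containing spaces is truncated; real HJT logs quote most such paths, but a reviewer should treat the extracted path as a hint, like everything else here.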

ninjakb
2006-03-11, 19:47
Hi pskelley,
Thank you SO much for getting back to me. I followed all of your instructions to the letter. As you mentioned, some items no longer existed and did not need to be deleted. (I can be more specific if needed).
One mention though -- the file 'C:\WINDOWS\system32\klsx9e.exe' could not be deleted for some reason. It kept saying I didn't have permission and would not allow me to delete it.
As I said, I followed everything to the letter and ran a new HJT log. I will post the ewido scan results also but was unsure if I was supposed to run another scan at the end of all of this. What I am listing is the scan results from step #3.
To answer your question about the computer - it appears to be running slowly, but I only JUST NOW finished the tasks you gave me to complete, so I am unsure if there is really anything abnormal. Also, no pop-ups as I type this! That is an improvement. :-)
One other note - Spyware Doctor comes up every time I open up a webpage (as usual) but is now crashing. I actually have had to 'end now' Spyware Doctor a couple of times now. Conflict with ewido maybe?
So here goes!
Ewido Scan Results (from step 3):
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:40:36 PM, 3/11/2006
+ Report-Checksum: AAB65575

+ Scan result:

[308] C:\WINDOWS\win3208480756903.exe -> Downloader.VB.tw : Cleaned with backup
[2588] C:\WINDOWS\system32\wdc1n.dll -> Adware.Suggestor : Error during cleaning
C:\aebcq9z5w.exe -> Downloader.Agent.afi : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Karen\Application Data\Netscape\NSB\Profiles\b759ykpw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfk4cpc5wap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfk4oldpofo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfk4qhazmao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfk4sgcjefo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkienajglp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkioidpwkq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkiqkczmho.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkisgdzahp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkiwncjgdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkocgdjsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkogpcjkkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkogpdzgfo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkyejczkdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkygoc5mcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfkykidzweo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfl4apd5wgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfl4eicjmhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wflianczkbp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wflokpc5wko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wfmiwjcjgho.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wgkisjczcgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wgkogmczokp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wgkyaid5oko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wgkywhajggp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wgmiekajgcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjk4endzglq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjk4gpcjehp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjk4qld5kko.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjk4sic5weo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjk4sjcjofq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkocmd5efp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkoeiazglp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkokmczcfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkoqjczofp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkospajicq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkowidpklq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkyghdzcgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkykmd5cdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkyqkd5ibo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkysgc5wco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkysgd5gkq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjkyuoczmgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjl4oldzslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjl4qmcjwlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjliclajehq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjliqhazwho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjliuiazsdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjliwoc5whp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlocidzohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlosjdjglq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlycpcjeep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlycpdpwfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlyeicjwcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlykhc5aep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjlyupajmgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjmygpcjkho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjmyoodpglp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjmyqoazekp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjny-1kdpge.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjny-1sdjgh.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnyakdjceo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnyanajcfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnycgcpaeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnychcpgep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnychczoaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnyejazabo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnygncpogo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@e-2dj6wjnyogdpgfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@prizeamerica.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyemajocogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmygmazehogqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyekdpchoasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyspazkeoasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\Content.IE5\5DQWI7T6\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\Content.IE5\OHOHUJWL\mousepad1[1].exe -> Hijacker.VB.li : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\real.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\7020.exe/eee2.exe -> Adware.MediaMotor : Error during cleaning
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\seli.exe/eee2.exe -> Adware.MediaMotor : Error during cleaning
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\SYSTEM32\acwfs4t2.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\dgfgql.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\pre2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wdc1n.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\win3208480756903.exe -> Downloader.VB.tw : Cleaned with backup


::Report End

More in next reply (too much text) -->

ninjakb
2006-03-11, 19:48
-------------------------------------------
HijackThis Log (just run):
Logfile of HijackThis v1.99.1
Scan saved at 1:28:37 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37670.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak06.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D587B35-4EBF-4BB7-B114-E28FD8D540C9}: NameServer = 167.206.3.154,167.206.3.220
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: astnscsi - Voyetra Turtle Beach, Inc. - C:\Program Files\Voyetra\AudioStation 6\astnscsi.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\Voyetra\AUDIOS~1\x10nets.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
---------------------------------------------

Let me know if there is anything left that I need to do. I VERY MUCH appreciate all of the help you are giving me. It took awhile but worth every second if it gets rid of all this nonsense. Please advise if there is more I need to do. I will 'test' out the computer and see if I am getting anything 'weird' and let you know as well.
Thank you,
Karen

ninjakb
2006-03-11, 20:26
:)
So far so good. Things seem to be running smoothly. It's only been a short while but wanted to at least let you know. There is a little bit of lagging going on (for ex. when I am typing this - it is doing it very slowwwwlllyy) so I'll keep an eye on that.
BTW - last post - just to clarify - I meant that it 'took awhile' to run all of the scans - NOT that it took awhile for you guys to get to me. I am very pleased with how fast you helped me.

pskelley
2006-03-12, 20:08
Hi Karen, sorry to take so long to get back to you. Looking at the ewido scan there was a problem with this item: [2588] C:\WINDOWS\system32\wdc1n.dll -> Adware.Suggestor : Error during cleaning
We can try ewido again in safe mode or clean the item manually. Since there is only one, I will give you those instructions after I look at the HJT log. Here are a couple of links to information to help you better control cookies in Internet Explorer:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx


Logfile of HijackThis v1.99.1 Scan saved at 1:28:37 PM, on 3/11/2006

Seems I missed a couple of lines that are clutter; got excited killing the bad stuff and forgot to add them :( Let's do this all at once like this.

Make sure hidden files and folders are enabled, then restart your computer in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

Once in safe mode, open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Now navigate to: C:\WINDOWS\system32\wdc1n.dll <<< and delete that file. Empty the recycle bin and restart the computer. You should be good to go at that point.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Look here for some ideas to make things run better. There is no need to post again unless you feel an urge.
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html

Safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ninjakb
2006-03-12, 21:08
:)
Phil,
Everything appears A-OK. I removed those files via HijackThis but could not find the wdc1n.dll file. I started in safe mode AND in regular mode. The file isn't there. I have all hidden files showing.
I may have gotten it already. Time will tell.
I DID wake up to having no taskbar this morning. I left the computer up and running all night to see if anything would happen. That was the only thing. No pop-ups though! Gotta love it!
Thank you for all of your help. :bigthumb:

I think I may have a similar thing going on with the other computer in the house but not as bad. I will walk through the same steps with that one. Wish me luck.
Thanks again. If anything weird does occur that gets out of my hands, should I just make a new thread?

Take care! You guys ROCK!!! What would we do without you?
Karen

pskelley
2006-03-12, 21:52
Hello Karen, I am so glad all is working as it should. I want to give you one last set of instructions for that file, I prefer to leave none of the bad stuff if possible.
These are instructions for Windows XP to be sure: Double click My Computer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK". Then ask Search Companion to look for you. Be patient, it sometimes takes a while for the file to be located. If Search Companion cannot find the file, then we will move on, thanks.

The other computer in the house: let me say just because some symptoms seem the same, it is unwise to assume it is the same infection. I strongly suggest you follow the steps here: http://forums.spybot.info/showthread.php?t=288 as they apply to that computer, then post letting us know what you have done, as much as you can about what you think and the symptoms, and of course any evidence or error messages "word for word". Remember the logs are many and the volunteers are few, and one of the staff will assist you as soon as possible. If you ever wish to learn more about this process, look here:
http://forums.security-central.us/announcement.php?f=13&a=9

Thanks...Phil

ninjakb
2006-03-13, 05:04
Hi Phil,
Thanks for having me check. I did as you said and all was checked and unchecked as necessary. Should I change that back now?
I feel so bad to take up time from anybody! But it does *look like* I am all clear. So I am in your debt. I really appreciate your help. There are very few things that I can't handle on my own but this one got me.

I am trying to pay attention to the weird stuff.
As I mentioned, the only thing that was weird and is still happening is that if I leave the machine on without using it for a couple of hours, the taskbar disappears and I have to restart. That is the only oddball thing happening.
Plus I lost all of my 'wishlist' on Musicians Friend :) - but those are the breaks.

I will check out the other machine as you suggest and, if needed, run it by you guys in a new post.

If you have any thoughts on the taskbar issue, let me know.
Thanks again. You are AWESOME!
Karen

pskelley
2006-03-13, 13:35
Oops, looks like I missed this one:scratch: we should have looked for it with the last instructions.

One mention though -- the file 'C:\WINDOWS\system23\klsx9e.exe' could not be deleted for some reason. It kept saying I didn't have permission and would not allow me to delete it.
Let's run one more scan to look for anything that is still hiding, follow these directions:

http://www.kaspersky.com/virusscanner
Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives

Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

That is the only log I need right now,

Thanks...Phil

ninjakb
2006-03-13, 20:33
:(
Hi Phil,
Thanks for having me run that. Gee - I am glad I am running Norton! (I temp. disabled it while I ran Kaspersky. It took 2 1/2 hours!)
I still have it up, if you happen to get this soon, and I can follow your instructions within Kaspersky if need be.
Thanks,
Karen

Here is the report:
------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 2:30:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 182225
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 126617
Number of viruses found: 8
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 02:22:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340001.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340003.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340005.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340007.VBN Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340009.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0934000B.VBN Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped
C:\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\ventfe1.exe NSIS: infected - 1 skipped
C:\WINDOWS\7020.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\7020.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\7020.exe RarSFX: infected - 2 skipped
C:\WINDOWS\seli.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\seli.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\seli.exe RarSFX: infected - 2 skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe NSIS: infected - 4 skipped

Scan process completed.

pskelley
2006-03-13, 22:09
Hi Karen, The last time I ran it was about 30 minutes and it scanned almost 20,000 files. Perhaps you scanned more files than I did. Well anyway, let's look at the results and do something with them. First you will need to have all files and folders enabled to find this junk and use safe mode so you can delete the stuff.

Here are the online scans so you can check anything you are unsure of before you delete it:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Kaspersky items in the order they are in the scan list.

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\ <<< the first seven (7) are in this quarantine folder. Delete everything in that folder and add it to your routine maintenance.

You get to make all calls, Kaspersky says these are a problem. You have the tools above to check them if you wish. I will, to the best of my ability, highlight in red what I believe is the bad or infected file.

(This is tough to call, but it looks like this is infected BearShare stuff? See this: http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-26,GGLD:en&q=BSINSTALL%2Eexe )

C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Karen\My Documents\Chiropractic Business\NYCC docs\NYCC schoolwork\Levittown 10th tri\GettingIntoPractice\CHIROPRACTIC\Accounting and Cash Flow\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped

C:\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\ventfe1.exe NSIS: infected - 1 skipped
C:\WINDOWS\7020.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\7020.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\7020.exe RarSFX: infected - 2 skipped
C:\WINDOWS\seli.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\seli.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\WINDOWS\seli.exe RarSFX: infected - 2 skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\SYSTEM32\Tagasuarus5.exe NSIS: infected - 4 skipped

Make sure you look for this one if you did not kill it earlier:
C:\WINDOWS\system23\klsx9e.exe >>> file

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-26,GGLD:en&q=7020%2Eexe <<< not much info on this one: 7020.exe but the google makes it look bad.

http://www.bleepingcomputer.com/startups/seli.exe-13006.html >>> seli.exe

Tagasuarus5.exe <<< information about the last five.
http://www.superadblocker.com/T/TAGASAURUS.EXE-7166.html



Once you finish you can run another Kaspersky if you wish, but if you are careful and don't miss any there should be no reason to. Also, please note the file may be listed multiple times but you will only find and delete it once.

Thanks...Phil
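The scan report above lists a nested entry for every detection inside an archive, so the same on-disk file shows up several times. As an added example (not Phil's or the forum's code), this Python parser groups the report lines by on-disk file, so each one appears once in the deletion list, and flags files whose summary count disagrees with the lines present; the sample report is constructed from the paths quoted above.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the Kaspersky On-line Scanner report quoted in this
# thread (paths copied from it); the last summary line deliberately claims more than is listed.
SAMPLE_REPORT = """\
C:\\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\\ventfe1.exe NSIS: infected - 1 skipped
C:\\WINDOWS\\7020.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\\WINDOWS\\7020.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\\WINDOWS\\7020.exe RarSFX: infected - 2 skipped
C:\\WINDOWS\\SYSTEM32\\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\\WINDOWS\\SYSTEM32\\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\\WINDOWS\\SYSTEM32\\Tagasuarus5.exe NSIS: infected - 4 skipped
"""
# One flagged entry: '<on-disk path>[/<entry inside the archive>...] Infected: <name> skipped'
DETECTION = re.compile(r"^(?P<entry>[A-Za-z]:\\.+?) Infected: (?P<name>\S+) skipped$")
# Per-container summary: '<on-disk path> <packer>: infected - <n> skipped'
SUMMARY = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<packer>[^:\\]+): infected - (?P<count>\d+) skipped$")

def container_path(entry):
    """On-disk file for a flagged entry: Windows paths use backslashes, so the first
    '/' marks where the path inside the archive begins."""
    return entry.split("/", 1)[0]

def parse_report(text):
    """Group flagged entries by on-disk file: path -> {'detections': [...], 'reported': n|None}."""
    files = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION.match(line)
        if m:
            rec = files.setdefault(container_path(m["entry"]), {"detections": [], "reported": None})
            rec["detections"].append(m["name"])
            continue
        m = SUMMARY.match(line)
        if m:
            rec = files.setdefault(m["path"], {"detections": [], "reported": None})
            rec["reported"] = int(m["count"])
    return files

def deletion_list(text):
    """Each on-disk file once, however many nested entries were flagged inside it."""
    return list(parse_report(text))

def inconsistent(text):
    """Files whose summary count does not match the flagged lines present, which in a
    hand-pasted report usually means a line was lost while copying."""
    return [p for p, r in parse_report(text).items()
            if r["reported"] is not None and r["reported"] != len(r["detections"])]
```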

ninjakb
2006-03-14, 01:01
HI Phil,
Boy this is turning into a nightmare eh? I knew it was bad. But not this bad.
Anyway, I did as you suggested. I deleted all of those files - whatever is bad for the computer NEEDS to go. How I got BearShare garbage on there, I don't know. I did have a couple of friends using my machine while I was in school a few years ago. That 7020 file, that was something I *think* I recently downloaded but can't remember what it was linked to. Not sure. I deleted it anyway. Worst comes to worst - I re-download.
I have to read the links you sent. I wanted to take care of this first.
I also went back and deleted that 'C:\WINDOWS\system23\klsx9e.exe' file as well. Now it let me.
Oh, HOW do I "add it to my routine maintenance" - the files inside of Norton's quarantine folder? I wasn't sure what you meant there.
And yeah, I had 126617 files that were scanned. It originally found:
Number of viruses found: 8
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 02:22:43

:mad: GUESS WHAT THOUGH?:mad:
I could have screamed! After I restarted after deleting all the files, I started running a Kaspersky scan and what do I get - yeah, you guessed it - a POP-UP! Just *one* and it was an ad for deodorant or something! Yeah!
------------------------------------------
Just completed the scan.

Here is the NEW report after all is said and done. Let me know if I 'got' everything:

ninjakb
2006-03-14, 01:15
Fingers get type-happy or the computer can't keep up with me - something --

Another of the same pop-up came at the end. It was the same video clip from AIM. (The movie popped up out of AIM when I opened Outlook Express and then when I closed it - I finally figured out what the correlation was.)
It shows an address of http://cdn.eyewonder.com (Secret deodorant).

Anyway, here is the new Kaspersky report:

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.

Report is empty.
Please note: The free Kaspersky On-line Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

I think that's good. :bigthumb:

Let me know if you see anything else.
We have to nickname you 'stealth man'! I would've missed most of what you got. THANKS!
Karen

pskelley
2006-03-14, 01:36
Hi Karen, here are just a few links that may help you.
http://www.microsoft.com/athome/security/update/default.mspx
http://www.microsoft.com/windowsxp/using/setup/expert/honeycutt_03december01.mspx
http://culearn.creighton.edu/utilities/windows/xp_maintenance_intro.htm
http://www.cryer.co.uk/brian/windows/howto_nt_rrm.htm

I will say we all get an occasional popup. Is your Google popup blocker activated? As tight as I run my ship, one will get through every once in a while.

This was my last Kaspersky scan: Scan took about 40 minutes. scanned 45,097 files with No viruses found.
Scan Results: Scan Completed. 45097 files scanned. No viruses found.
File Infection Status Path
- No Infections

You can see either you have a load more files than I or you scanned differently than I did?

You said the magic word: AIM. I allow nothing from AOL on any computer I own. With AIM/AOL expect some popups and, unless you are extremely careful, expect other problems also:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-26,GGLD:en&q=aim+worm

Since you know the address, you should be able to block it in IE like this: Internet Explorer > Tools > Internet Options > Privacy > Edit near the bottom > add the address and choose "Block"

Since you have a clean HJT log, a clean ewido scan and a clean Kaspersky, I believe we have you in good shape. Make sure you review the thread to view the links from the experts, remind yourself that ewido needs to be turned off unless you purchase it, and do not forget to clean the System Restore files.

Safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ninjakb
2006-03-14, 02:03
Hi Phil!
Thank you so much. I know - AOL/AIM stuff - BAD.
Up until now, I have never had too many problems that weren't in my control. This one just got out of hand.

Last set of questions before we close:
I think I am just fried over this one. :rolleyes: HOW do you do the system restore thing to clean that up?
I will remove Ewido for now. Would you also suggest taking the SpyDoctor out also? That has been quite annoying - every time I click on IE, that comes up to 'protect' me but it takes forever to start up.

Also, I have this poor machine filled to the gills with files. The scan said something like ~126,600 files that it scanned so would obviously take longer. PLUS, the machine's a little older. It is about 4? years old now? Runs slow. I get 'low virtual memory' things all the time.

Again, thanks for everything. I look forward to your 'final answer'! :D

pskelley
2006-03-14, 02:44
Hi Karen, you need to review all of the information we have covered. At 2006-03-12, 21:08 I posted many important links, including all of the answers to the questions you are asking me now.

Like you said: "I will remove Ewido for now." It is a good free scanner with free updates, and if you have the room I would keep it; I did also cover that earlier.

If you are going to keep the older machine, the information I posted earlier will also help. If you have room for more ram I would get it. I would also take a hard look at what you have on the computer that you can get rid of.

Thanks...Phil

ninjakb
2006-03-14, 02:54
I, again, appreciate all of your help.
I will carefully review all we have covered.
My sincerest thanks,
Karen

tashi
2006-03-18, 20:51
As the problem appears to be resolved this topic will be archived.:bigthumb:
If you need it re-opened please send me a pm and provide a link to the thread.
Glad we could help.