PDA

View Full Version : Newmalware.j, SpywareQuake, nvctrl.exe; HJT and Panda Log



kylezo
2006-03-30, 05:05
Just This morning my computer told me I have a virus. I was able to delete a few files using my McAfee VirusScan but nvctrl.exe can only be moved and deleted in quarantine and respawns immediately. I get a CMD window pop up every once in a while with a '16-bit MS-DOS subsystem NTVDM CPU illegal instruction' close or ignore warning, from an application (h91746.exe) in TEMP files that seems to come back if I delete it; when I end nvctrl.exe process manually to delete the file it pops back up immediatly and I get a Puper.dll trojan warning from McAfee. I also have an icon of the green handicapped guy/No symbol and infection warnings every few minutes. A few weeks ago I was having some problems with McAfee Being basically disemboweled every time I restarted my computer and having to reinstall the core software repeatedly. Here is my HJT log, immediately followed by a Panda Scan Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:34 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp1E9D.tmp
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://images.bonzi.com/freebuddy/wd/bbsetupkaa.exe
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://xbs.mtree.com/mt/dialers/on/US/NSupd9x.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

-------------------------------------

Thanks to all the generous volunteers. I don't know how this got through my defenses but I did recently experiment with a Torrent network which was probably a bad idea. But that was about 2 weeks ago.

kylezo
2006-03-30, 05:08
Panda Scan: File is too large to post or attach.

CalamityJane
2006-03-31, 00:03
Hi kylezo,

SpywareQuake has some special tools needed to remove. Please follow the steps itemized for you here:
http://forums.spybot.info/showthread.php?t=3261

Then post back with the requested logs please :)

kylezo
2006-03-31, 14:16
I had a bit of trouble with the Spyware logs...I neglected to do the updates before I ran the first fixes, and even did a second round of fixes, then applied the updates, THEN ran a scan that showed a clean system and saved THAT log. I dont know which files to attach so Ill just guess and attach the first 'Checks' log created automatically. Theres also a log called 'Fixes' from 4 minutes later, and i can always attach that one if its needed. There are 3 Checks logs and 1 Fixes log and all 4 of them have counterparts making 8 logs in all. plus the one I intentionally saved from the clean scan ;) Heres the rest of my info, everything seems to have cleared up except the Panda scan I did at the end showed some leftover spyware and hacker progs.

Smitfiles.txt=
Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 03/30/2006
The current time is: 16:02:28.93

Running from
C:\Documents and Settings\Kyle\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 792 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:50:46 AM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: {0678747A-6BC5-73DC-A611-50E33A81BB33} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {16550D08-7E4C-0BC2-9614-6F6C703FAB30} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {363B02E2-CE0C-33D9-5BDB-1CC13A67C8EA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

kylezo
2006-03-31, 14:16
I had a bit of trouble with the Spyware logs...I neglected to do the updates before I ran the first fixes, and even did a second round of fixes, then applied the updates, THEN ran a scan that showed a clean system and saved THAT log. I dont know which files to attach so Ill just guess and attach the first 'Checks' log created automatically. Theres also a log called 'Fixes' from 4 minutes later, and i can always attach that one if its needed. There are 3 Checks logs and 1 Fixes log and all 4 of them have counterparts making 8 logs in all. plus the one I intentionally saved from the clean scan ;) Heres the rest of my info, everything seems to have cleared up except the Panda scan I did at the end showed some leftover spyware and hacker progs.

Smitfiles.txt=
Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 03/30/2006
The current time is: 16:02:28.93

Running from
C:\Documents and Settings\Kyle\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 792 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:50:46 AM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: {0678747A-6BC5-73DC-A611-50E33A81BB33} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {16550D08-7E4C-0BC2-9614-6F6C703FAB30} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {363B02E2-CE0C-33D9-5BDB-1CC13A67C8EA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

kylezo
2006-03-31, 14:21
Sorry about the double post :o
ewido file is too long so I will seperate it.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:58:40 AM, 3/31/2006
+ Report-Checksum: C63C73AD

+ Scan result:

HKLM\SOFTWARE\Classes\.b3dini -> Adware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM\CLSID -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM\CurVer -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\BTGrabDll.BTGrabDllObj -> Adware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\BTGrabDll.BTGrabDllObj\CLSID -> Adware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\BTGrabDll.BTGrabDllObj\CurVer -> Adware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\BTGrabDll.BTGrabDllObj.1 -> Adware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\s3d_auto_file -> Adware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\s3d_auto_file\shell -> Adware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\s3d_auto_file\shell\Open -> Adware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\s3d_auto_file\shell\Open As New -> Adware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CurVer -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Adware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Adware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Adware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band.1 -> Adware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\Browser -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\Faceplate -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\History -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\Resources -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\Stations -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-500\Software\Hiwire\MusicMatch\WebUpdate -> Adware.HiWire : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@7search[1].txt -> TrackingCookie.7search : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ad-flow[1].txt -> TrackingCookie.Ad-flow : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ads.specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adserv.internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adserv4.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@adserver.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@bilbo.counted[2].txt -> TrackingCookie.Counted : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@bluemountain[1].txt -> TrackingCookie.Bluemountain : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@centrport[2].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@e-2dj6wjk4sgczolp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@e-2dj6wjk4wjczefp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@e-2dj6wjkowgcjogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-clearchannel.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-directv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-hoteldotcom.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-salonmedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-sportsfan.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@estat[2].txt -> TrackingCookie.Estat : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@fl01.ct2.comclick[2].txt -> TrackingCookie.Comclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@mediatrack.revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@servedby.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@spinbox[1].txt -> TrackingCookie.Spinbox : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@spylog[1].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@web1.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@x10[1].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Allyson\Cookies\allyson@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

kylezo
2006-03-31, 14:22
C:\Documents and Settings\Momzo\Cookies\momzo@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@ads.specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@ehg-sportsline.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Momzo\Cookies\momzo@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1gazaaoqqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@-1shz2prbmdj6wvny-1sez2pra2dj6wjnyciazegow-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@180solutions[1].txt -> TrackingCookie.180solutions : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sazalpg-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1gazaaoqqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@a.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ads.specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ads.x10[1].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@clickagents[2].txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@e-2dj6wfk4uhczwdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@e-2dj6wfmiuoajseq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@e-2dj6wjkoojazscp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-bskyb.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-directv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-majorbaseball.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-space.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-sportsfan.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@ehg-sportsline.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@valueclick[3].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoelczidqawdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlicjajkbqaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmikjdjobpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyondpmlpasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqidjodogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyujajgaowudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Momzo 2\Cookies\momzo 2@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@www.commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@x10[2].txt -> TrackingCookie.X10 : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1472\A0153107.exe -> Downloader.Zlob.jp : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153243.exe -> Adware.DealHelper : Cleaned with backup
C:\WINDOWS\bundles\adl_dh.exe -> Downloader.Agent.hw : Cleaned with backup
C:\WINDOWS\bundles\CSv12P108.exe -> Adware.ClearSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\WINDOWS\NDNuninstall4_88.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\SYSTEM32\IEHelperMiddleMan.dll -> Adware.Bonzo : Cleaned with backup


::Report End

CalamityJane
2006-03-31, 17:43
Good job! Your logs all look good. (Did Panda find some other stuff? Did you save that log and can you post the Panda results?)

A few leftovers are showing in Hijack This

Do a scan only with HijackThis and checkmark the following entries, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

How are things looking now on your end. Seeing any problems?

kylezo
2006-04-01, 00:54
Here is the Panda scan log, I did the fixes and now I'm doing another panda scan. Ill post that log too!

CalamityJane
2006-04-01, 01:07
Here is the Panda scan log, I did the fixes and now I'm doing another panda scan. Ill post that log too!
Ok :)

I'll wait for the latest Panda log then. It is likely to have changed since the last scan. :)

kylezo
2006-04-01, 10:04
here it is, pretty much same results. Mostly cookies left over. Thanks for your help!I downloaded the pandascan trail program for cleaning so I could use that.

kylezo
2006-04-01, 14:26
having some more problems, McAfee told me there was a virus detected on my computer, did another panda scan...attached.

CalamityJane
2006-04-01, 16:47
Let me paste that scan log in here (minus the cookies) for easier reading:

Incident Status Location

Adware:adware/portalscan Not disinfected C:\WINDOWS\SYSTEM32\winupdt.bin
Potentially unwanted tool:application/spywarequake Not disinfected C:\Documents and Settings\Kyle\Start Menu\SpywareQuake 2.0.lnk
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\polall1r.inf
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\satmat.inf
Adware:adware/virtualbouncer Not disinfected C:\myPcsearch.exe
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.exe.temp
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/tvmedia Not disinfected C:\WINDOWS\bundles
Adware:adware/elitebar Not disinfected C:\WINDOWS\EliteSideBar
Adware:adware/btgrab Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Potentially unwanted tool:application/altnet Not disinfected HKEY_CLASSES_ROOT\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}
Adware:adware/ist.istbar Not disinfected Windows Registry

Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Kyle\Local Settings\Temp\sa1D.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Kyle\Local Settings\Temp\sa214.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Kyle\Local Settings\Temp\sa377.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Kyle\Local Settings\Temp\sa4B4.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Kyle\Local Settings\Temp\sa5F0.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Momzo 2\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\Momzo 2\Local Settings\Temp\THI2699.tmp\farmmext.inf
Adware:Adware/Transponder Not disinfected C:\Documents and Settings\Momzo 2\Local Settings\Temp\THI5F87.tmp\polall1r.inf
Adware:Adware/Transponder Not disinfected C:\Documents and Settings\Momzo 2\Local Settings\Temp\THI65A2.tmp\polall1r.inf
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Visitor\Cookies\visitor@desktop.kazaa[1].txt
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polall1r.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\satmat.inf

CalamityJane
2006-04-01, 16:50
See if you can delete all those infected files above manually.

Have you run Spybot Search & Destroy on this PC?
http://forums.spybot.info/showpost.php?p=1150&postcount=2

I see all spyware remnants on there that Spybot should be able to find and remove

kylezo
2006-04-01, 22:51
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll


Could not locate this file.

When I first tried to do this, every time i opened my computer Windows explorer crashed, and when I treid to do it from a web brower that crashed. I restarted and that fixed it.

I'm going to run spybot now, thanks!

kylezo
2006-04-01, 22:54
Also, McAfee found this last night:

C:\WINDOWS\SYSTEM32\__delete_on_reboot__stickrep.dll

And said it was infected. I deleted that.

CalamityJane
2006-04-02, 00:55
Make sure you have the latest updates for Spybot as detections added 3/31 include some of the malware you had:
http://www.spybot.info/en/updatehistory/index.html

kylezo
2006-04-03, 00:12
i ran spybot with the updates and got a clean scan, panda is still giving me a lot of leftovers. heres the HJT log. Ill drop off another panda log too.

Logfile of HijackThis v1.99.1
Scan saved at 5:15:18 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: {0678747A-6BC5-73DC-A611-50E33A81BB33} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {16550D08-7E4C-0BC2-9614-6F6C703FAB30} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {363B02E2-CE0C-33D9-5BDB-1CC13A67C8EA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

kylezo
2006-04-03, 12:08
heres the latest panda log!

kylezo
2006-04-03, 14:29
did another ewido scan, 33 items all cleaned. heres the report!


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:27:29 AM, 4/3/2006
+ Report-Checksum: 589383AC

+ Scan result:

HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\Browser -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\Faceplate -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\History -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\Resources -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\Stations -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1003\Software\Hiwire\MusicMatch\WebUpdate -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1008\Software\BTGrab -> Adware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1008\Software\Bundles -> Adware.SecondThought : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1371315241-1085806099-568186159-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153164.exe -> Downloader.Zlob.js : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153271.exe -> Downloader.Agent.hw : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153272.exe -> Adware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153273.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1474\A0153274.dll -> Adware.Bonzo : Cleaned with backup


::Report End

kylezo
2006-04-05, 08:59
Did the Microsoft Full system scan Beta software, found 8 threats in 9 items on my computer, cleaned most of them, except for 2. This isn't going away it seems. Ill do another panda scan. Ill post anything you need. Thanks!

CalamityJane
2006-04-05, 15:11
Hi, kylezo

Could you please scan and post a fresh HijackThis log?

kylezo
2006-04-06, 04:19
here you go and heres the panda scan too in case you need it :)
Logfile of HijackThis v1.99.1
Scan saved at 6:19:52 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0678747A-6BC5-73DC-A611-50E33A81BB33} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {16550D08-7E4C-0BC2-9614-6F6C703FAB30} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {363B02E2-CE0C-33D9-5BDB-1CC13A67C8EA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21C477-5000-4CA2-9B53-DE8956F6744B}: NameServer = 205.188.146.145
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

CalamityJane
2006-04-10, 18:26
kylezo, my apologies! I missed seeing this reply.

The stuff being found now is leftovers and traces, but I don't see any active infection going on. However, I do see that we missed some dialers that we need to get rid of and one folder found by Panda

Delete this folder named Fleok:
C:\WINDOWS\SYSTEM32\FLEOK

Make a copy of these instructions to have handy as the next step needs to be done with nothing else open but HijackThis.

Close all browsers and any open windows. Do a *scan only* with HijackThis and checkmark the following entries then press *fix checked* button:

O16 - DPF: {0678747A-6BC5-73DC-A611-50E33A81BB33} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {16550D08-7E4C-0BC2-9614-6F6C703FAB30} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {2341DD44-48F0-4D2C-562D-35ED60115E12} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {363B02E2-CE0C-33D9-5BDB-1CC13A67C8EA} - http://85.255.113.214/1/gdnUS2296.exe

After pressing *fix checked*, close HijackThis and reboot your computer.

I think that should be all needed. Let me know if you see any remaining problems on your end.

kylezo
2006-04-11, 12:44
Ok I carried out the fixes and I still have 120 problems in the panda scan. They are mostly cookies but there are a few other things and a spywarequake leftover. here are the logs.

I also had an issue with Internet Explorer where it had to shut down and I was taken to the online crash analysis website that told me I had an add-on causing trouble. this happened once before and I disabled all teh add ons. it was called Safer Networking Ltd. and its name was a hexidecimal looking string of numbers and letters looking like a registry entry. it still exists but its disabled at the moment.

The active scan log is 2 parts.

Logfile of HijackThis v1.99.1
Scan saved at 2:39:22 AM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1100900992\ee\aolsoftware.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: YSIGet it! - C:\Program Files\YSIGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.newtechhigh.org/iNotes.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137466817656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

CalamityJane
2006-04-11, 17:21
Your HijackThis log is fine. :)

You can delete any of the items Panda found manually, but there is only cookies and a few registry leftovers - nothing active running.

Safer Networking Ltd. <---That is Spybot

kylezo
2006-04-12, 05:03
Thank you for all your help. Can you tell me how to find and delete these items? I could not locate them.


Adware:adware/portalscan Not disinfected Windows Registry
Adware:adware/btgrab Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry


Thanks again!!

kylezo
2006-04-16, 10:09
I had some big time problems today. I downloaded some of the latest windows XP updates and I think it really screwed up my computer...when I clicked on internet explorer, it told me that it encountered an error and had to close before it even opened. When I tried to open any folder, or explore window, Windows Explorer did the same. I went through a few steps to try to solve this, like uninstalling all the updates and such, but i eventually had to restore my computer to a backup restore point from 2 days ago. now I am not sure about the stability fo my computer. anyways I look forward to any guidance available and if not, thanks anyways!

CalamityJane
2006-04-16, 16:28
Hi Kylezo, and Happy Easter :)

Yes, some folks have had some problems with the recent updates - and vary according to OS, software/hardware installed, and which update caused the problems. Microsoft provides a number for support and to report problems - and get help here:


If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

That's a toll-free number and the support service is also provided for free :)

kylezo
2006-04-16, 22:06
Thank you for the confirmation, do you ahve any suggestions for getting rid of these items?

Adware:adware/portalscan Not disinfected Windows Registry
Adware:adware/btgrab Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry


I could not locate them!

CalamityJane
2006-04-20, 02:55
I would not be concerned about the 3 registry entries. In and of themselves, cannot do harm

tashi
2006-04-27, 01:45
Thank you CalamityJane.

kylezo this topic is now closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.