View Full Version : Any help please?
Hi...
Recently my comp is being bombarded with pop-ups. I've run Ad-aware and Spybot Search and Destroy.
Both of these programs find problems but can't remove them and suggests running them on startup. But when I click Yes and restart, they do not run on startup. I've also tried removing them in safe mode but it doesn't work.
The ones that keep appearing are 'Command Service', and Look2Me. But there may be many more.
Heres a HiJackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 20:27:34, on 01/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{C02A8A27-0826-2057-1222-03052703002c}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Barry's\Comp Safety\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150644085203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150644831390
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\i0lo0a33ed.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Any help much appreciated. thanks.
Another thing I just noticed, not sure if it's useful or not but, I can't seem to open the Task Manager window. Both Ctrl Alt and Del and right clicking on the task bar and clicking Task Manager don't work.
Also if I look in the C:\Windows folder I can't see the System32 folder but if I type in C:\Windows\System32 it will open.
Don't know if that helps determin whats wrong in any way.
Thanks in advance
pskelley
2006-08-06, 16:39
Hello Barry and welcome to the forum. You have some real nasties and I believe I should share information with you, this item:
C:\Program Files\outlook\outlook.exe is being identified as:
http://www.sophos.com/virusinfo/analyses/w32sdbotru.html
Side effects Allows others to access the computer
Steals information
Reduces system security
Installs itself in the Registry
Exploits system or software vulnerabilities
Used in DOS attacks
and this one:
C:\Program Files\Common Files\{C02A8A27-0826-2057-1222-03052703002c}\Update.exe is probably the installer for the junk which usually comes with more infections and is being called Alcan worm. I can not see if there is more because you have MSConfig set to Selective Startup. You also have a Look2me adware infection that we will remove first. This is what I want you to do if you still want help and are not receiving it elsewhere.
1) Return MSConfig to Normal Mode unless I request otherwise.
2) Use one or more of these free online scans to scan the two files highlited in red above and post that information for me.
3) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
More info:
If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it
start>run sc start schedule press enter.
Post those two logs bolded above and the information I requested, along with a HJT log running in Normal Mode in MSConfig. Add any comments you think will help. We will have more to do.
Thanks...pskelley
Safer Networking Forums
Hi
Thanks for your help. Here's the new HijakThis Log.
Logfile of HijackThis v1.99.1
Scan saved at 15:21:00, on 06/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\winlog.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\{C02A8A27-0826-2057-1222-03052703002c}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Barry's\Comp Safety\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ookw] C:\PROGRA~1\COMMON~1\ookw\ookwm.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150644085203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150644831390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
And here's the Look2Me-Destroyer Log
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 06/08/2006 15:15:16
Infected! C:\WINDOWS\system32\o884lilq18qe.dll
Infected! C:\WINDOWS\system32\bbsendto_notes.dll
Infected! C:\WINDOWS\system32\iTssvcs.dll
Infected! C:\WINDOWS\system32\jt2m07f1e.dll
Infected! C:\WINDOWS\system32\maricons.dll
Infected! C:\WINDOWS\system32\mzweb.dll
Infected! C:\WINDOWS\system32\nwwrsit.dll
Infected! C:\WINDOWS\system32\o884lilq18qe.dll
Infected! C:\WINDOWS\system32\rkset5.dll
Infected! C:\WINDOWS\system32\wepdxm.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\o884lilq18qe.dll
C:\WINDOWS\system32\o884lilq18qe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\bbsendto_notes.dll
C:\WINDOWS\system32\bbsendto_notes.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\iTssvcs.dll
C:\WINDOWS\system32\iTssvcs.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\jt2m07f1e.dll
C:\WINDOWS\system32\jt2m07f1e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\maricons.dll
C:\WINDOWS\system32\maricons.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mzweb.dll
C:\WINDOWS\system32\mzweb.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\nwwrsit.dll
C:\WINDOWS\system32\nwwrsit.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\o884lilq18qe.dll
C:\WINDOWS\system32\o884lilq18qe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\rkset5.dll
C:\WINDOWS\system32\rkset5.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\wepdxm.dll
C:\WINDOWS\system32\wepdxm.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8A364522-0B7B-4569-9CD1-182F670E4CCD}"
HKCR\Clsid\{8A364522-0B7B-4569-9CD1-182F670E4CCD}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E1D232A-4DF1-4827-943C-E2CFAB6DE449}"
HKCR\Clsid\{9E1D232A-4DF1-4827-943C-E2CFAB6DE449}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8DB1B776-8778-4FD7-A0D6-77899A2FF9BB}"
HKCR\Clsid\{8DB1B776-8778-4FD7-A0D6-77899A2FF9BB}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C9274C5-554E-44AB-B328-4ADCDB652D61}"
HKCR\Clsid\{3C9274C5-554E-44AB-B328-4ADCDB652D61}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A1E8482F-5A95-4739-B3FD-3194A97B68E9}"
HKCR\Clsid\{A1E8482F-5A95-4739-B3FD-3194A97B68E9}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3BD7FBB5-6972-42B4-827B-C6FD5E68AD02}"
HKCR\Clsid\{3BD7FBB5-6972-42B4-827B-C6FD5E68AD02}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7B88004F-4471-4245-A3AC-0A6D17A99AD7}"
HKCR\Clsid\{7B88004F-4471-4245-A3AC-0A6D17A99AD7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{37271086-3CCC-45D1-A749-5013CA76759A}"
HKCR\Clsid\{37271086-3CCC-45D1-A749-5013CA76759A}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9AAF98D2-9585-4EC3-AF17-2973D8B3C97B}"
HKCR\Clsid\{9AAF98D2-9585-4EC3-AF17-2973D8B3C97B}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E8D72998-49EC-4A67-A048-779492CB4E37}"
HKCR\Clsid\{E8D72998-49EC-4A67-A048-779492CB4E37}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A8A0DAF8-2E03-4F88-BEA5-9BB5A19C3606}"
HKCR\Clsid\{A8A0DAF8-2E03-4F88-BEA5-9BB5A19C3606}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{265CD9FD-0EEA-41CB-BA98-39FF7836871E}"
HKCR\Clsid\{265CD9FD-0EEA-41CB-BA98-39FF7836871E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{738903DD-B2D5-47FC-AE14-E4CB83891979}"
HKCR\Clsid\{738903DD-B2D5-47FC-AE14-E4CB83891979}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89D25A94-CE3E-4B30-BE50-CE91284327A7}"
HKCR\Clsid\{89D25A94-CE3E-4B30-BE50-CE91284327A7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3D20570D-F2D5-444E-97F0-FC91FE0C5A8D}"
HKCR\Clsid\{3D20570D-F2D5-444E-97F0-FC91FE0C5A8D}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{15466FA7-F083-49CF-A46D-42B35ED8E462}"
HKCR\Clsid\{15466FA7-F083-49CF-A46D-42B35ED8E462}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3BAE2656-16DB-454E-9B7E-6F832C6AF268}"
HKCR\Clsid\{3BAE2656-16DB-454E-9B7E-6F832C6AF268}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5B0F744E-E1CA-4E35-BBDE-C55975E39E50}"
HKCR\Clsid\{5B0F744E-E1CA-4E35-BBDE-C55975E39E50}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7E25CF9D-6F9F-4C56-A364-D316E14B6A65}"
HKCR\Clsid\{7E25CF9D-6F9F-4C56-A364-D316E14B6A65}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Which online scanners should I use to scan for those two files?
pskelley
2006-08-06, 17:35
I apologize, guess I am working too many logs:confused:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
I am 99% sure those files are bad, just want to be 100%. I am off on my bike for some sunshine and it will be a couple of hours before I am back online. A look at this log shows you were hiding a lot of junk. I will post the next step to remove Alcan. It may not get it all but if you follow the directions, it will get most of it. Remember to stay offline except when working on the issues, this junk until gone, will get you more.
Thanks to Metallica and any others who helped with this fix.
Follow the instructions carefully, read it several times until you are sure what you are doing.
1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)
2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.
5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
Thanks...Phil
Ok heres the results of the online scans from http://virusscan.jotti.org/ on those two files.
Scanner results for C:\Program Files\outlook\outlook.exe
AntiVir Found Worm/VB.DW
ArcaVir Found Worm.Vb.Dw
Avast Found Win32:VB-IE
AVG Antivirus Found Worm/VB.SO
BitDefender Found Win32.Worm.VB.DW
ClamAV Found Trojan.VB-100
Dr.Web Found Trojan.MulDrop.3290
F-Prot Antivirus Found W32/VB.NQ
Fortinet Found W32/VB.DW!p2p
Kaspersky Anti-Virus Found P2P-Worm.Win32.VB.dw
NOD32 Found Win32/TrojanDropper.VB.NAI
Norman Virus Control Found W32/Solo.A
UNA Found Worm.P2P.VB
VirusBuster Found Worm.P2P.VB.CIY
VBA32 Found P2P-Worm.Win32.VB.dw
Scanner results for C:\Program Files\Common Files\{C02A8A27-0826-2057-1222-03052703002c}\Update.exe
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Starter-7
Dr.Web Found Trojan.Starter.65
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Starter.65
Here's a new HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 16:58:22, on 06/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Barry's\Comp Safety\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ookw] C:\PROGRA~1\COMMON~1\ookw\ookwm.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150644085203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150644831390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
And heres the ewido scan log
C:\Documents and Settings\anon\Application Data\taal.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temp\i8.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temp\iD.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temp\GLB14.tmp/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\0DYB45E3\drsmartload[1].exe -> Downloader.Adload.di : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\G5YR0LER\loader[1].exe -> Downloader.Adload.di : Cleaned with backup (quarantined).
C:\Program Files\DVD2MP3\DVD_to_MP3_Ripper_v3.0/toj.exe -> Downloader.INService.eu : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\1PTANZLA\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\4HMZSXAV\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\MMF7L03R\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\MMF7L03R\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\GBFFYW51\i[1].exe -> Downloader.VB.aik : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\SLIVW1MZ\i[1].exe -> Downloader.VB.aik : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup.exe.tmp -> Downloader.VB.aik : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8GE4OVEQ\drsmartload45a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\KP6VG1IV\drsmartload849a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\GBFFYW51\nwnmfg_7[1].exe -> Downloader.VB.aiy : Cleaned with backup (quarantined).
C:\temp\SAHPackage.exe -> Dropper.Agent.lh : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\19DIZN9M\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\19DIZN9M\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\4L6RCHMV\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\4L6RCHMV\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\65RK1OBA\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8527STA3\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8LIFGDIN\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8LIFGDIN\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\G5YR0LER\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\HS4B9P8H\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\I48FVH0S\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\KDM7GHUF\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\KHAJG5YB\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\KP6VG1IV\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\KP6VG1IV\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\OXYBKPYB\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\OXYBKPYB\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\RPHSDJCD\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\RPHSDJCD\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\SX2VC9YJ\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\SX2VC9YJ\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\V9H7EAIP\popup[1].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\W5IJCXQV\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\W5IJCXQV\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\W9UNGP2F\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\W9UNGP2F\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\howyly.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\MSN\kyze.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8HVF7MBP\drsmartload46a[1].exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dr.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\19DIZN9M\dfndrfg_7[1].exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8LIFGDIN\dfndrfg_7[1].exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\W9UNGP2F\dfndrfg_7[1].exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\8GE4OVEQ\ErrorSafeFreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
:mozilla.128:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.331:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@marketworksinc.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.159:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.131:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.132:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.167:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.168:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.289:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.290:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.312:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.313:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.165:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.166:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt510a6j.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt510a6j.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\anon\Local Settings\Temp\Cookies\anon@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.74:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt510a6j.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.161:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wfk4wgdjgko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wfkigiazwlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wfmicpczego.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wgk4kldjidq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wgkoejcpsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wglygnczkhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6whkoakd5mdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjkykjajabp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjkyopcpsgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjl4kidjweo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjlishczifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjlocjczcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjlyqjdjkdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjmiqjdzceo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@e-2dj6wjmiwidjekq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.299:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.156:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.278:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.279:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.95:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
:mozilla.10:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.11:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.12:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.13:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.14:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.15:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.16:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.17:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.18:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.19:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.20:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.21:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.22:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.23:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.24:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.25:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.26:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.27:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.28:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.29:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.30:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.31:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.32:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.33:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.34:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.35:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.36:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.37:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.38:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.39:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.40:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.41:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.42:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.43:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.44:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.45:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.46:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.47:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.50:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.51:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.53:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.54:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.6:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.7:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.8:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.9:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.291:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.277:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.304:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.305:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.369:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
:mozilla.160:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.281:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.282:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.283:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.284:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.285:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.286:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.179:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.180:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.181:C:\Documents and Settings\anon\Application Data\Mozilla\Firefox\Profiles\4t7w6vp5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\anon\Cookies\anon@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\latestsv.exe -> Trojan.Crypt.l : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temporary Internet Files\Content.IE5\RPHSDJCD\installdrivecleanerstart[1].exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Local Settings\Temp\eoqqr0sm.zip/tsrh-cdrwin40Ap.exe -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{C02A8A27-0826-2057-1222-03052703002c}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Complete\Die Hard Triology DVDrip XviD SWE sub.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Complete\Gladiator[Extended Special Edition]DvDrip AC3[Eng]-aXXo.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Complete\Late Show w David Letterman 072806 - Jamie Foxx, Tom Dreesen.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Complete\Stargate Atlantis - Stargate Atlantis S03E03 WS DSR XviD-DIMENSION-[Team-iNFLUX].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\anon\Complete\[PC-ITA-Multi] Worms 4 Mayhem[colombo-bt org].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup (quarantined).
pskelley
2006-08-06, 19:38
Thanks for returning the information, remember to clean out that ewido quarantine folder if you keep it after the trial. Here is information to help you stop storing all of the junk cookies in Firefox if you wish.
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
We are making progress, this looks like a trojan, scan to find out if you wish:
O4 - HKCU\..\Run: [ookw] C:\PROGRA~1\COMMON~1\ookw\ookwm.exe and C:\Program Files\SurfSideKick 3\Ssk.exe must go. Let's proceed like this.
1) Start > Contol Panel > Add Remove programs and uninstall SurfSideKick if there. Look at the programs and uninstall any you know do not belong there. If you are unsure let me know and I will look.
2) Thanks to LonnyRJones and any others who helped with this fix.
If you can not uninstall SSK from there, then try this tool:
Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the file on your Desktop, and choose Extract All.
Click Next.
In the box to choose where to extract the files to:
Click Browse.
Click on the + sign next to My Computer
Click on Local Disk (C: ) or whatever your primary drive is.
Click Make New Folder
Type in BFU
Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download sidekickFix.bat (http://downloads.subratam.org/Lon/sidekickFix.bat) (rightclick on that link and choose save as)
Place sidekickFix.bat in your C:\BFU - folder. (Important!)
Close all browsers and explorer folders.
Double-click on sidekickFix.bat
Click Yes and follow the prompts, when prompted to restart the PC please do so.
3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ookw] C:\PROGRA~1\COMMON~1\ookw\ookwm.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(these may or may not be there, just DO NOT miss them)
C:\Program Files\SurfSideKick 3\ <<< delete that folder
C:\PROGRAM FILES~1\COMMON FILES~1\ookw\ <<< delete that folder
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a clean (hopefully) HJT log. Add your comments if you think they will help.
Thanks...Phil
Couldn't find any of the SurfSideKick stuff but did all the rest.
Here's a new HijackThis! Log
Logfile of HijackThis v1.99.1
Scan saved at 18:25:58, on 06/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Barry's\Comp Safety\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150644085203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150644831390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
As a side note, I now have no pop-ups and can access Windows Task Manager again. Also the System32 folder appears in the Windows folder again.
Thanks a lot for your help. :bigthumb:
pskelley
2006-08-06, 21:54
Thanks for the feedback and the HJT log looks to be clean:bigthumb: SSK must have been gone and just needed to be "kicked":laugh: out of the HJT log.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Safe surfing...tashi:) will close your topic in a day or so.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Hi... I just did another scan with SpyBot Search & Destroy and it appears that the 'Command Service' object is still there.
Spybot S&D says it can't delete it even when using it on reboot.
Any ideas how to get rid of that?
pskelley
2006-08-06, 23:17
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.
Thanks
Running from C:\Documents and Settings\anon\Desktop\ren-cmdservice
No Image Path Listed in Registry
-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------
No problems found in Spybot. Looks like its all clear. Thanks a lot :D
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
Glad we could help.