View Full Version : Trojan threat +adfirstadsolution popups
sunmar11
2006-11-17, 19:29
hello, im new here as well new to this whole gettung rid of virus adware stuff. Well actually lastnight i started to get popups from ad.firstadsolutions.com which is annoying btw everytime i go into to log on my firefox interent browser. As well i try many scans and updated my software too. But when i use my symantec live update it scans no viruses but whenever i use my adware se a symantec threat warning popups saying this
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\DOCUME~1\Marinin\LOCALS~1\Temp\AAWTMP\C5017084\1EFF78\javainstaller\InstallerApplet.class
Location: C:\DOCUME~1\Marinin\LOCALS~1\Temp\AAWTMP\C5017084\1EFF78\javainstaller
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, November 17, 2006 1:26:24 PM
As well when i rescan my system it shows that it found nothing but the adfirstadsoutions are still there and when i rescan using adware se it shows the trojan threat again. As well when i went to try and update my Liveupdate for Symantec it says cant download or update cause the file is corrupted, can anyone help me to get rid of this? as well i know i should do a hijackthis post but i want to wait first. thanks for the help
sunmar11
2006-11-17, 19:39
Here is my logfile.
Logfile of HijackThis v1.99.1
Scan saved at 1:38:03 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Marinin\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Joy Find Blue Mail] C:\Documents and Settings\All Users\Application Data\Roam Error Joy Find\Modelocks.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MailFour] C:\DOCUME~1\Marinin\APPLIC~1\GLOBAL~1\INTRA PLAN.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163783037961
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
sunmar11
2006-11-19, 03:47
Hi again, i no i shouldnt keep posting cause people my think ive gotten assitance. but i was searching through the threads and i read something about zone media and it turns out i have it. but when i was trying to remove it from my add or remove hardware settings, i clicked on removed and this thing pops up asking me to type in these 7 numbers to verify im a human and not a computer, this got me worrying so, i hope someone can help along with the other problems ive seen to be having. i was perfectly fine before and safe. i hope someone can help thanks. also i think i did the post log wrong so i will try again, when i hear a response.
Hi sunmar11 and welcome to Safer Networking Forums :)
You got some infections there...
Please Download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/)
Link 3 (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16)
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program.--
sunmar11
2006-11-21, 14:07
hi, i ran the nolop.exe before, it was one of the first things i did. and it did find something but i went to look for the logfile and i must have got rid of it cause its not showing. im sorry. i hope you can still help. a newbies mistake.
here is a logfile, i reran nolop.exe. even though. im sorry for my stupidity. but i foun dsomething in the Nolopbackup folder
a file named: AB4ACE091394C04.job.01.infected
but i need something to open so i cant open it right now
NoLop! Log by Skate_Punk_21
Please Note: any existing old logs will have now been renamed to NoLop!OLD.log
Fix running from: C:\Documents and Settings\Marinin\Desktop
[11/21/2006]
[7:35:26 AM]
---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.
---Listing AppData sub directories---
C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Drag'n Drop Cd
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Intertrust
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Pixelstorm
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Roam Error Joy Find
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Skype -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Drag'n Drop Cd
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intertrust
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Marinin\Application Data\.bittorrent
C:\Documents and Settings\Marinin\Application Data\Adobe
C:\Documents and Settings\Marinin\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Marinin\Application Data\Azureus
C:\Documents and Settings\Marinin\Application Data\Bsplayer
C:\Documents and Settings\Marinin\Application Data\Cyberlink
C:\Documents and Settings\Marinin\Application Data\Drag'n Drop Cd
C:\Documents and Settings\Marinin\Application Data\Global Curb
C:\Documents and Settings\Marinin\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Marinin\Application Data\Identities
C:\Documents and Settings\Marinin\Application Data\Intertrust
C:\Documents and Settings\Marinin\Application Data\Jasc
C:\Documents and Settings\Marinin\Application Data\Lavasoft
C:\Documents and Settings\Marinin\Application Data\Leadertech
C:\Documents and Settings\Marinin\Application Data\Macromedia
C:\Documents and Settings\Marinin\Application Data\Media Player Classic
C:\Documents and Settings\Marinin\Application Data\Microsoft
C:\Documents and Settings\Marinin\Application Data\Mozilla
C:\Documents and Settings\Marinin\Application Data\Msn6
C:\Documents and Settings\Marinin\Application Data\Netpumper -- EMPTY Directory
C:\Documents and Settings\Marinin\Application Data\Opera -- EMPTY Directory
C:\Documents and Settings\Marinin\Application Data\Real
C:\Documents and Settings\Marinin\Application Data\Skype
C:\Documents and Settings\Marinin\Application Data\Sun
C:\Documents and Settings\Marinin\Application Data\Talkback
C:\Documents and Settings\Marinin\Application Data\Vlc
C:\Documents and Settings\Networkservice\Application Data\Microsoft
and here is my logfile from HJT. im not sure if you wanted me to repost this. im still sorry for my mistake.
Logfile of HijackThis v1.99.1
Scan saved at 7:57:18 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Save\Save.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marinin\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Joy Find Blue Mail] "C:\Documents and Settings\All Users\Application Data\Roam Error Joy Find\Modelocks.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MailFour] "C:\DOCUME~1\Marinin\APPLIC~1\GLOBAL~1\INTRA PLAN.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163783037961
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
Hi again, we'll continue :)
You seem to have this Netpumper program installed. The free version is bundled with adware but the paid version should be ok to use. If you have the free version, please remove it via Control Panel, Add/Remove programs. After that, please remove it's folders too:
C:\Documents and Settings\Marinin\Application Data\Netpumper
C:\Program Files\Netpumper
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:
WhenUSave
WhenU
and any other programs you didn't install or don't recognize - if your not sure please ask first
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
Save.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O4 - HKLM\..\Run: [Joy Find Blue Mail] "C:\Documents and Settings\All Users\Application Data\Roam Error Joy Find\Modelocks.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [MailFour] "C:\DOCUME~1\Marinin\APPLIC~1\GLOBAL~1\INTRA PLAN.exe"
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Program Files\Save
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
sunmar11
2006-11-21, 20:56
Actually i installed whenusave because its part of the new bsplayer, in order to use the new version you agree to have whenusave ads popup. im fine with those coming up. But i have a question about zone media as well as the java, ishould i remove all of those and then reinstall a new java? thanks for helping me
OK you want to keep whenu...
Yes, uninstall zone media. You're using the latest version of Java at the moment, no need for an uninstall :)
Post the logs I requested when you're ready :bigthumb:
sunmar11
2006-11-23, 15:23
i hope i did this right, here are my HJT and AVG logs. as well i was wondering about the trojan and zone media. First whenever i do a Adware SE scan the trojan always pops up in my Symantec Antivirus program. so i hope you can help me on that as well with zone media, when you uninstall it is it suppose to say type in these 7 digits to verify if im a human. Thanks again for helping
Logfile of HijackThis v1.99.1
Scan saved at 9:17:51 AM, on 11/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marinin\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://ca.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://ca.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163783037961
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
Next post cause its too long is AVG LOG
sunmar11
2006-11-23, 15:24
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:04:41 AM 11/23/2006
+ Scan result:
HKLM\SOFTWARE\Classes\VoiceIPDll.VoiceIPDllObj.1 -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKU\S-1-5-21-897904722-1067787018-816764068-1005\Software\VoiceIP -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP655\A0136046.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP655\A0136047.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP655\A0136051.EXE -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking v126.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU -> Adware.SaveNow : Ignored and added to exceptions
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU\Customer Support.lnk -> Adware.SaveNow : Ignored and added to exceptions
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Ignored and added to exceptions
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Ignored and added to exceptions
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU\Uninstall Instructions.lnk -> Adware.SaveNow : Ignored and added to exceptions
C:\Documents and Settings\Marinin\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\ACM.dll -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\Save.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\SaveUninst.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\ffext.mod -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\save.db -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\save.htm -> Adware.SaveNow : Ignored and added to exceptions
C:\Program Files\Save\store.db -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP609\A0119745.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP611\A0119749.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP611\A0119752.dll -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP611\A0119754.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP612\A0119931.dll -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP612\A0119932.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP612\A0119933.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP632\A0127231.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP632\A0127232.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP632\A0127233.dll -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP644\A0131295.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP673\A0143319.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP673\A0143325.exe -> Adware.SaveNow : Ignored and added to exceptions
C:\System Volume Information\_restore{284AA3A1-802A-4014-8B18-6EB326D7D76A}\RP673\A0143326.exe -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\WhenUSave\Partners\BSPL -> Adware.SaveNow : Ignored and added to exceptions
HKU\S-1-5-21-897904722-1067787018-816764068-1005\Software\Microsoft\Windows\CurrentVersion\Run\\WhenUSave -> Adware.SaveNow : Ignored and added to exceptions
HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup (quarantined).
:mozilla.160:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.161:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.163:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.164:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.165:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.166:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.133:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.134:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.135:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.66:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.67:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.68:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.35:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.183:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.184:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.41:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.136:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.14:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.15:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.16:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.60:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.26:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.138:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.61:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.150:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.124:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.125:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.126:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.140:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.141:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.142:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.155:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.176:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.17:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.18:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.19:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.20:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.21:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.22:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.23:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.45:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.46:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.54:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.55:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.72:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.73:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.74:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.75:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.89:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.154:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.167:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.168:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.169:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.143:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.53:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.110:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.111:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.117:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.118:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.119:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.120:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.188:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.172:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.206:C:\Documents and Settings\Marinin\Application Data\Mozilla\Firefox\Profiles\default.upf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
Hi again :)
Do you know the location/name of the infected file that Symantec warns you ?
Open HijackThis.
Open the Misc Tools section
Open Uninstall Manager
Scroll down to the following entry and select it with your mouse; Zone Media
Delete this entry
Answer Yes
Close HIjackThis
Remove the following folders if found:
C:\Documents and Settings\All Users\Application Data\Roam Error Joy Find
C:\Documents and Settings\Marinin\Application Data\Global Curb
Restart the pc.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log
sunmar11
2006-11-24, 14:07
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\DOCUME~1\Marinin\LOCALS~1\Temp\AAWTMP\C458238\3FAC80\javainstaller\InstallerApplet.class
Location: C:\DOCUME~1\Marinin\LOCALS~1\Temp\AAWTMP\C458238\3FAC80\javainstaller
Computer: MSUN
User: Marinin
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, November 24, 2006 7:50:36 AM
thats the entry that keeps coming up everytime adaware se (personal is scanning)
As well i opened the HJT list and zone media is not in there, but how come its in my add/remove list setting but not on the HJT one, which is basically the same? im sorry i hope this not too much for you, thanks for your help. but i will go look for those files you wanted me to delete. Did you just want me to go in my documents and settings and delete them manually. thanks again
Hi again :)
The Ad-Aware finding is a false detection, you can just ignore it...
Yes, please delete the two folders via My Computer.
Please have a second look to HijackThis's uninstalll list and see if Zone Media is there...
Let me know how everything is running :bigthumb:
sunmar11
2006-11-25, 03:18
Hey me again, well thanks for letting me know that trojan threat is scary, everytime i see but at least i know its a fake. So i checked again on the HJT uninstall program and it does not appear on that list. But it does appear on the add/remove one. Another issue is i go onto the site you pointed out to and everytime i click accept to the terms of the online scan nothing happens. So is it working or is just me. But im happy to report no popups anymore and i deleted those files you told me :bigthumb: :crowned: :laugh: :heart: THANKS ALOT!!! FOR YOUR HELP. Just let me know what else i need to do to make sure im perfectly fine. have a nice day or night.
Hi again, you're very welcome :)
Ok you could try another online scanner instead:
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Download Registry Search Tool (http://www.billsway.com/vbspage) (in the middle of the page)
Unzip it to your desktop
Double click the file that was unzipped and run a search with: Zone Media
Save the results and post those to here
sunmar11
2006-11-28, 19:53
i dont have time but later this week i wil post for you just to let you know
Thanks for the reply.
Please try to keep your computer offline if possible.
sunmar11
2006-12-06, 14:34
hey sorry about the late reply it says when i click the scan your pc button that i need an internet explorer 5.0 or later.
Hi :)
Did you try to run the scanner with Internet Explorer or with some other browser ?
You could try this instead:
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
sunmar11
2006-12-13, 07:28
Hey seriously, the online scanner wont work. i wish i could report and know that im free of bugs but both are not working, any suggestions. sorry for delays i have exams so bit busy. thanks MrJaks and thanks tashi
sunmar11
2006-12-13, 07:29
Oh i ran the first scanner with firefox is that ok? i dont just use internet explorer i dont trust it as much if i make sense. lol
Ok those won't work with FireFox.
Let's do this:
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
You should print these instructions or save these to a text file. Follow these instructions carefully.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
Still there sunmar11 ? :scratch:
This topic is closed due to lack of a response :spider:
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread.
Applies only to the original topic starter.