Help remove spyware

blitzo

I recently became heavily infected by spyware, and I cleaned most of it up. I had things like schmidt-c and virtumonde. I thought I got everything, but it seems something is still here. I slowly get random IE popups when I am idling at the desktop. I also get popups from eBay or some other search-style website with a search for my last input at a different legit search site. I have tried just about everything, so I am coming here to ask for help. Everything says I am clean.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:53:59 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\Program Files\Port Explorer\PortExplorer.exe
C:\hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = removed
O17 - HKLM\Software\..\Telephony: DomainName = removed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = removed.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = removed.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I removed my domain from the log.
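A small triage script for log lines in the HijackThis format posted above, added here as an example (it is not HijackThis nor any tool linked in this thread); the sample lines are a constructed subset of the first log, the trusted-host list passed to it is an assumption, and a flag means "look closer", not "infected".

```python
"""Triage of HijackThis (v1.99) log lines: parse the O-sections into
structured records and flag the entries a helper usually looks at first."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = removed
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Locations a standard user can write to; an autorun launched from there
# deserves a closer look than one under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(temp|documents and settings)\\", re.I)


@dataclass
class Entry:
    section: str            # e.g. "O23"
    raw: str                # the original line
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_line(line, trusted_dpf_hosts=frozenset()):
    """Parse one HJT line; returns an Entry, or None for non-O lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section, line.strip())
    if section == "O2" and body.startswith("BHO: "):
        name, clsid, path = body[len("BHO: "):].split(" - ", 2)
        e.fields.update(name=name, clsid=clsid, path=path)
        if name == "(no name)":
            e.flags.append("BHO without a name: identify the DLL before trusting it")
    elif section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            hive, key, name, cmd = m4.groups()
            e.fields.update(hive=hive, key=key, name=name, command=cmd)
            if USER_WRITABLE_RE.search(cmd):
                e.flags.append("autorun launched from a user-writable location")
    elif section == "O16" and body.startswith("DPF: "):
        desc, url = body[len("DPF: "):].rsplit(" - ", 1)
        host = urlparse(url).hostname or ""
        e.fields.update(description=desc, url=url, host=host)
        if host not in trusted_dpf_hosts:
            e.flags.append(f"ActiveX download source not on trusted list: {host}")
    elif section == "O17":
        key, setting = body.split(": ", 1)
        name, _, value = setting.partition(" = ")
        e.fields.update(key=key, setting=name, value=value)
    elif section == "O23" and body.startswith("Service: "):
        name, owner, path = body[len("Service: "):].split(" - ", 2)
        e.fields.update(name=name, owner=owner, path=path)
        if owner == "Unknown owner":
            e.flags.append("service has no registered publisher")
        if path.endswith("(file missing)"):
            e.flags.append("service binary not found on disk")
    return e


def triage(log_text, trusted_dpf_hosts=frozenset()):
    """Parse a whole log; returns all entries (flagged or not)."""
    entries = (parse_line(l, trusted_dpf_hosts) for l in log_text.splitlines())
    return [e for e in entries if e is not None]


def flagged(entries):
    """Return (section, flags) pairs for entries that need a closer look."""
    return [(e.section, e.flags) for e in entries if e.flags]


if __name__ == "__main__":
    # The trusted host here is an assumption for the demo, not a verdict.
    for sec, fl in flagged(triage(SAMPLE_LOG, {"housecall65.trendmicro.com"})):
        print(sec, "|", "; ".join(fl))
```

Run against the sample it reports the unnamed BHO (which in this thread is Spybot's own SDHelper.dll, so a flag is a prompt to check, not a finding) and the rpcapd service with no owner and a missing binary.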
 
Welcome to the forum and thanks for the feedback. HJT is showing nothing, and it looks like you ran online scans, but you did not post the results for me? Did you read this information?
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

Popups can be either of the infections you mentioned; could you describe the frequency and tell me where they direct you to?

Remove any of Smitfraudfix you have onboard and download it new from here:
http://siri.geekstogo.com/SmitfraudFix.php <<< follow ONLY these directions:
Search: Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Return to here: C:\hijack\HijackThis.exe <<< rename HJT.exe, call it blitzo.exe or whatever you wish. Restart the computer and post the C:\rapport.txt from Smitfraudfix, a new HJT log, any information I requested and any comments you think will help.
If you still have the scan results from any online scan, I would like to see it.

Thanks
 
info

Thanks for the reply, sorry for the lack of info. I did a couple of online scans and they only came up with a few cookies. Once they were gone, scans came up clean. The cookies seem to be related to the popups I get. If I leave every program closed I get the IE popups, one every 3 minutes or so. They pop up and the address redirects (they open up with, let's say, c5.zedo.com/adserv and go to some other ad like www.hollywood.com). If I set IE to work offline I get no more popups. Now, upon doing some research, it looks like my explorer.exe makes connections to some strange addresses on port 80. One of these sites is www.in-t-e-r-n-e-t.com; I have gotten this address to resolve to a few different IPs. The other address is 64-194-221-33.wcg.net.

Posted below are some logs you requested.
 
SmitFraudFix v2.162

Scan done at 13:01:31.31, Sat 03/31/2007
Run from C:\spy\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jk


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jk\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JK\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.72.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\TSF\nircmd.exe
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jk\Cookies\jk@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\jk\Cookies\jk@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SmitfraudFix\SmitfraudFix\Process.exe
 
Logfile of HijackThis v1.99.1
Scan saved at 1:07:20 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = edit
O17 - HKLM\Software\..\Telephony: DomainName = edit
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = edit
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = edit
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 
Thanks for returning the information and the feedback. Smitfraudfix is clean and no Vundo infection showed; let's go looking for whatever this is.

1) Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
(please do not fix anything, most if not all will be valid)

2) Follow the directions in this link to download, install and update AVG Anti-Spyware. Make sure you delete or at least quarantine anything located and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

4) You don't have the initial log from ComboFix and SDFix do you? If so, post them.

Restart the computer and post the log from BlackLight, the scan report from AVG Anti-Spyware, the uninstall list and any comments you think will help.


For your information:
Port 80 information: http://www.google.com/search?hl=en&q=port+80&btnG=Search

http://forums.spywareinfo.com/index.php?showtopic=73125
http://whois.domaintools.com/wcg.net (64-194-221-33.wcg.net.)
http://www.benedelman.org/news/101805-1.html
http://www.google.com/search?hl=en&q=adserv+&btnG=Search
adserv cookie <<< You know you can block these cookies:
http://www.mvps.org/winhelp2002/cookies.htm
and these websites: http://www.rivier.edu/staff/acallahan/webpages/Internet Explorer/blockwebsite.htm
 
blacklight

03/31/07 14:09:57 [Info]: BlackLight Engine 1.0.61 initialized
03/31/07 14:09:57 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/31/07 14:09:57 [Note]: 7019 4
03/31/07 14:09:57 [Note]: 7005 0
03/31/07 14:10:01 [Note]: 7006 0
03/31/07 14:10:01 [Note]: 7011 1564
03/31/07 14:10:02 [Note]: 7026 0
03/31/07 14:10:02 [Note]: 7026 0
03/31/07 14:10:04 [Note]: FSRAW library version 1.7.1021
03/31/07 14:15:09 [Note]: 7007 0
 
AVG spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:35:42 PM 3/31/2007

+ Scan result:



C:\Documents and Settings\jk\Cookies\jkrawczyk@aavalue[1].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.20:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@zedo[1].txt -> TrackingCookie.Zedo : No action taken.


::Report end
 
hijack uninstall

@icon sushi 1.21
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Agnitum Outpost Firewall 1.0
Atheros Wireless LAN MiniPCI/PCIe card Driver
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
BLM 2.6.5
Blockpost plug-in for Agnitum Outpost Firewall (remove only)
CCleaner (remove only)
ClamWin Free Antivirus 0.88.7
DameWare NT Utilities
DiamondCS Port Explorer v2.150
Driver Magician 2.8
Ethereal 0.99.0
FileAlyzer 1.4
Foxit Reader
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ImgBurn (Remove Only)
Karen's WhoIs
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Virtual PC 2004
Mozilla Firefox (2.0.0.1)
MSConfig CleanUp 1.2
MSXML 4.0 SP2 (KB927978)
Network Stumbler 0.4.0 (remove only)
Panda ActiveScan
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SmartWhois
Spybot - Search & Destroy 1.4
Symantec pcAnywhere
Synaptics Pointing Device Driver
UltraVNC v1.0.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Server 2003 Administration Tools Pack
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.0
winpcap-nmap 3.1
 
old logs

I have some old logs from VundoFix and SDFix. I also have an original log from AVG Anti-Spyware from the first time I ran it, when I noticed the infections; it's pretty loaded.



VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:24:47 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\lnylrcio.exe
C:\WINDOWS\system32\ptrtoinw.exe
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lnylrcio.exe
C:\WINDOWS\system32\lnylrcio.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptrtoinw.exe
C:\WINDOWS\system32\ptrtoinw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\stvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:37:09 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:56:30 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 1:56:33 PM 3/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:38:37 AM 3/30/2007

Listing files found while scanning....
 
sdfix

SDFix: Version 1.74

Run by Administrator - Thu 03/22/2007 - 11:42:52.59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\spy\SDFix\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------


Checking For Files with Hidden Attributes :

C:\Documents and Settings\jk\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\WINDOWS\system32\ddcya.dll
C:\Program Files\Microsoft Virtual PC\updatedvmm.sys

Finished


SDFix: Version 1.74

Run by Administrator - Wed 03/21/2007 - 22:12:08.17

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\spy\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

"" -e te-110-12-0000271

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\91J3GPEB\ICONS_~1.HTM - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted

Could Not Remove C:\WINDOWS\system32\instcat.dll


ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------
C:\WINDOWS\system32\instcat.dll Found

Backups Folder: - C:\spy\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\jk\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\WINDOWS\system32\awvts.dll
C:\Program Files\Microsoft Virtual PC\updatedvmm.sys
C:\WINDOWS\system32\stvwa.tmp

Finished
 
avg spyware original

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:01:24 AM 3/22/2007

+ Scan result:



C:\Program Files\Common Files\{3854B583-05BA-1033-0912-060607270001}\Bar888.dll -> Adware.Bar888 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008302.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008318.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008319.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008320.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008233.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008234.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008305.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008334.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008304.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008308.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlls.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008132.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008133.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008134.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008136.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008137.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008138.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008181.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008278.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008279.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008280.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008288.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008336.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008290.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008299.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008303.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008296.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008236.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008297.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008355.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008361.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\spy\SDFix\SDFix\backups\backups.zip/backups/svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008289.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlvknlg.exe -> Proxy.Small.osw : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.145:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.186:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.44:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.45:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.46:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.47:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.381:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.382:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.56:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.57:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.410:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.90:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.91:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.99:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.413:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.414:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.210:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.439:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.52:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.53:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.54:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.55:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.213:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.214:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.236:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.237:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.238:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.246:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.247:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.248:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.249:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.250:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.89:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.269:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.270:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.271:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.289:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.290:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.291:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.294:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.346:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.374:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.327:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.328:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.329:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.330:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008249.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\hsoawqar.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008277.exe -> Trojan.Crypt.y : Cleaned with backup (quarantined).
C:\WINDOWS\system32\user_32.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008360.dll -> Worm.Locksky.aw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\instcat.ddd -> Worm.Locksky.aw : Cleaned with backup (quarantined).
C:\spy\SDFix\SDFix\backups\backups.zip/backups/instcat.dll -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[276] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[748] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).


::Report end
 
If you need anything else let me know. Thanks for the information on the ports and addresses. I'm not a big fan of IE; I should have locked it down as much as possible. I am currently blocking the addresses with a software firewall I recently installed.
 
Here is what I see:
BlackLight is clean, no rootkit unless it is super hidden.

AVG Anti-Spyware - Scan Report
+ Created at: 2:35:42 PM 3/31/2007
all items: No action taken.
Some cookies look like the ones you are having trouble with.

Uninstall list. I am looking for security issues or malware, it is a good chance for you to look for stuff you no longer use.

ClamWin Free Antivirus 0.88.7 <<< you are using AVG Free (please make sure it is version 7.5) and don't confuse it with AVG Anti-Spyware 7.5; they are two different programs doing two different jobs.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
I suggest you uninstall that program.

I am not sure what you use this for:
http://www.liutilities.com/products/wintaskspro/processlibrary/awhost32/
but if these are not part of that, you may want to uninstall those also.
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)

Mozilla Firefox (2.0.0.1) <<< Firefox is out of date; if you are going to use it, you must keep it updated, just like IE.

Panda ActiveScan <<<I suggest you uninstall that program.

VundoFix V6.3.17
Checking Java version...
Sun Java not detected
Scan started at 10:24:47 AM 3/22/2007
As far as I can see all Vundo was removed.
Delete that program and all its files if you still have it on the desktop.

SDFix: Version 1.74
Run by Administrator - Thu 03/22/2007 - 11:42:52.59
Seems it removed junk also; you had a very bad infection. I may have suggested a reformat for this had I looked at it in the beginning. It is hard to feel secure once backdoor trojans have been onboard.
Delete that program from your computer.

AVG Anti-Spyware - Scan Report
Created at: 12:01:24 AM 3/22/2007

Your System Restore files are corrupted. If you have not done so, follow these instructions to clean them:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Turn it off, reboot then turn it back on.

You also have a load of junk quarantined in this program, follow these instructions:
Clean the quarantine folder
You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops asking "Are you sure you want to remove the selected files...??"
-Select: Yes

Once you get to here, post a new HJT log and let me know how things are running.

Thanks
 
I now use AVG free for virus scans, clamwin is mostly an on demand scanner. I removed it anyways.

awhost32.exe is a part of pcAnywhere; I really don't use that part of the program.

Updated mozilla
removed sdfix and vundo fix
fixed restore files


popups are still here


hijack log

Logfile of HijackThis v1.99.1
Scan saved at 4:39:05 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 
popups are still here
Thanks for the feedback, I have no idea where the popups are coming from. I'll give it some thought overnight and maybe have suggestions in the am. If you come up with any thoughts, post them. You are the one sitting in front of the computer.

Thanks
 
Thanks I will continue searching for more information, I will keep the thread updated. Hopefully I can find something.
 