HELP with DMSetup Trojan & Possibly Remote Storm

wordsmith

Hello all... I'm new here, so I'll start at the beginning. I've had trouble with browser hijackers before, which my S&D and other software found... This time, though, my computer has been acting fine, aside from having trouble shutting down because a program that appeared out of nowhere keeps getting hung up... But on Tuesday, I got a flash from my Norton firewall (my Norton Anti-Virus hasn't been updated since 2004 because I use the online Trend Micro scan) saying "DEFAULT BLOCK DMSETUP TROJAN HORSE FROM ip: 59.28.211.101:1103". I traced the IP address to Korea, but that's as far as I got. Apparently this trojan has been around for a while, although there was another "outbreak" of it in June 2006.

After doing some research, I ran netstat.txt and found the following:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*


The first thing I did was run a Trend Micro scan, but nothing was caught. I then ran "Stinger," but after several hours it still wasn't done and I had to do work, so I turned it off. Then I ran "The Cleaner," which was recommended by another web site I came across. The only thing it came up with was something called "EICAR Test File", found in: d:\local disk (f)\program files\network associates\mcafee virusscan\new_dats.txt

and

d:\local disk (f)\unzipped\spm-321e\whatsnew.txt

The next day I ran netstat.txt again and this is what it said:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 192.168.100.11:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.100.11:123 *:*
UDP 192.168.100.11:137 *:*
UDP 192.168.100.11:138 *:*
UDP 192.168.100.11:1900 *:*

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*

I blocked 127.0.0.1:123 (when I blocked 69.244.253.97, my internet stopped working, so I assume it's a necessary communication). I then ran Spybot S&D and it just found one thing called "eAcceleration," which I had it delete. I'm really concerned because so far nothing relating to DMSetup has been found and some of the open ports are suspicious. I read up on closing NetBIOS (port 445), as well as closing ports 135-139, but I've never done it before, so I don't know if it's wise. I got hold of a list of the ports and their uses, and some of my open ports are used for trojans (like 1025, which is used by Remote Storm).

Finally, today, I ran Ad-Aware and it found 80 objects, most of which were just MRUs, but 6 were adware.pop (items in the registry; I'm assuming they're pop-ups), 8 were tracking cookies, 1 was "POSSIBLE BROWSER HIJACK ATTEMPT" and 1 was "WIN ANTIVIRUS PRO," which, after some research, I found is spyware.

Here is my HijackThis log... any help is greatly appreciated...

Logfile of HijackThis v1.99.1
Scan saved at 10:42:44 AM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.inspiredsilver.com
O15 - Trusted Zone: http://*.savinathompson.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you in advance!!!
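The listings above, read as a triage problem, as an added example that is not part of the original post. Two points the script encodes: a socket bound to 127.0.0.1 can be reached only by processes on the same machine, so the 1025/1029/1033 listeners are invisible from the network whatever a port-to-trojan list says about those numbers; and 0.0.0.0 means every interface, so 135/445 there and 139/137/138 on 69.244.253.97 are the RPC and file-sharing surface sitting on the public address unless the router or the Norton firewall drops the traffic. That is also what a "Default Block ... Trojan horse" line reports: the name of the inbound rule that matched a packet the firewall discarded, not something found on the disk. A port number alone never identifies the program behind it; on XP SP2, netstat -ano adds the owning PID, and tasklist /svc (XP Professional) or Sysinternals Process Explorer maps that PID to a process or service. The script parses the two listings copied from the post (the first one, and the second of the two next-day listings), labels each listener with who can reach it and what normally lives on that port, and diffs the two snapshots so a listener that appeared between them stands out. The service table and the risk labels are the example's own assumptions.

```python
"""netstat -an triage: who can reach each listener, and what changed between two snapshots."""
import ipaddress
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto ip port state")

# Usual occupants of the ports in the listings (IANA / Microsoft assignments).
WELL_KNOWN = {
    ("TCP", 135): "MSRPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service (file/print sharing)",
    ("TCP", 445): "Microsoft-DS (SMB over TCP)",
    ("UDP", 123): "NTP (Windows Time)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 445): "Microsoft-DS (SMB over UDP)",
    ("UDP", 500): "IKE (IPsec)",
    ("UDP", 1900): "SSDP (UPnP discovery)",
    ("UDP", 4500): "IPsec NAT-T",
}
# The RPC/file-sharing surface: worth flagging when bound to an address the Internet can route to.
SHARING_PORTS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138), ("UDP", 445)}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """One Socket per TCP/UDP line; 'Active Connections' and column headers are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, state = m.groups()
            sockets.append(Socket(proto, ip, int(port), state or ""))
    return sockets

def exposure(ip):
    """Who can reach a socket bound to this address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "all interfaces"
    if addr.is_loopback:
        return "loopback only"  # only processes on this machine, whatever a port list says about the number
    return "LAN address" if addr.is_private else "public address"

def triage(sockets):
    """Label each listener with its exposure, the usual service on that port, and a coarse risk."""
    findings = []
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        where = exposure(s.ip)
        service = WELL_KNOWN.get((s.proto, s.port), "not in table: identify the owning process")
        if where == "loopback only":
            risk = "none"
        elif (s.proto, s.port) in SHARING_PORTS and where in ("all interfaces", "public address"):
            risk = "high"  # RPC/SMB/NetBIOS reachable from the Internet unless something upstream drops it
        else:
            risk = "low"
        findings.append({"socket": s, "exposure": where, "service": service, "risk": risk})
    return findings

def diff_snapshots(old, new):
    """(appeared, disappeared) as sorted (proto, port) lists, ignoring which address each bound."""
    a = {(s.proto, s.port) for s in old}
    b = {(s.proto, s.port) for s in new}
    return sorted(b - a), sorted(a - b)

# Copied from the first post: its first listing, and the second of the two next-day listings.
SNAPSHOT_FIRST = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
"""
SNAPSHOT_LATER = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
"""
```

Run triage(parse_netstat(SNAPSHOT_FIRST)) and diff_snapshots(parse_netstat(SNAPSHOT_FIRST), parse_netstat(SNAPSHOT_LATER)) on the two listings: the loopback sockets come out as "none", the RPC/NetBIOS/SMB sockets on 0.0.0.0 and on 69.244.253.97 as "high", and the diff shows TCP 1026 appearing while 1029 and 1033 went away, which is the kind of change worth chasing with netstat -ano rather than a port list. The service table is the only Windows-specific part; the diff is what you would keep running.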
 
Just ran Panda

Also, I just ran Panda and it found 28 pieces of spyware (but it doesn't clean them!!! grrrrr)... it doesn't say what or where they are and the free version doesn't clean them, so I don't know how much to trust it... I'm really concerned about keyloggers, since I had 8 of them on my computer about 3 months ago... 8!!!!

Thank you again for any help... :(
 
Hi
  1. Locate the ewido anti-spyware icon on the desktop and double-click it to launch the program.
  2. You will need to run ewido and update the definition files.
  3. On the main screen select the "Update" icon, then click "Start Update". The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close ewido anti-spyware.

Reboot your computer into Safe Mode.
  1. Launch ewido anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  2. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  3. Ewido will now begin the scanning process; be patient, this may take a little time.
  4. Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine; if not, click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  5. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  6. Close ewido.

Reboot back to normal mode, rescan with HijackThis and post its report along with the ewido report.
NOTE: the ewido report may be large; use several posts if necessary to include everything in it.

Good luck
 
About to follow your advice

Hi illukka,

I'm just about to follow your advice, but I thought I'd stop in first and say that this morning I've been alerted 3 times by my Norton Personal Firewall that someone was trying to access my computer via UDP (inbound)... I don't know what that is, but it had a remote IP of:

64.120.238.166:17847, and the local IP was good ol' 69.244.253.97:1026. That was the one I tried to block, but my internet stopped working. I traced the remote IP address to Teligent, Inc. Here's their homepage: http://www.teligent.com/teligent.nsf/Home

Do you know what my next steps would be in terms of letting them know about the hacker?
 
Hi

That looks like one of Teligent's (that's a corporate ISP) clients has a network worm. Don't worry, your NIS firewall is more than capable of blocking those.

The network worm is performing port scans to find vulnerable computers with exploitable port 1026.


Code:
OrgName:    Teligent, Inc. 
OrgID:      TGNT
Address:    460 Herndon Parkway
City:       Herndon
StateProv:  VA
PostalCode: 20170
Country:    US

ReferralServer: rwhois://rwhois.tgnt.net:4321/

NetRange:   64.120.0.0 - 64.120.255.255 
CIDR:       64.120.0.0/16 
NetName:    TGNT-BLK-3
NetHandle:  NET-64-120-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: HERDNS004I0.TELIGENT.COM
NameServer: HERDNS003I0.TELIGENT.COM
NameServer: HERDNS002I0.TELIGENT.COM
NameServer: HERDNS001I0.TELIGENT.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-07-05
Updated:    2002-10-02

RTechHandle: IT45-ARIN
RTechName:   Teligent, Inc. 
RTechPhone:  +1-888-411-1175
RTechEmail:  support@tgnt.net 

OrgNOCHandle: DNS1049-ARIN
OrgNOCName:   DNS 
OrgNOCPhone:  +1-888-203-6492
OrgNOCEmail:  dns@teligent.com

OrgTechHandle: IT75-ARIN
OrgTechName:   Teligent DNS 
OrgTechPhone:  +1-888-203-6492
OrgTechEmail:  dns@teligent.com

That doesn't list an abuse addy, so you could try contacting them otherwise.
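An added example, not part of any post in this thread and not Symantec's code, that triages firewall alerts in the three-line format the poster quotes later in the thread (Protocol / Remote Address / Local Address) and turns a day of them into one report per source. The sample records are constructed: two reuse the 64.120.238.166 to 69.244.253.97:1026 pair and one reuses the bootpc/bootps line from the thread, one uses an RFC 5737 documentation address as a second scanner, and every timestamp is invented. Two facts the triage relies on: a "blocked inbound" alert records a datagram the firewall discarded before any service saw it, so a hundred of them is a hundred dropped packets rather than a hundred intrusions; and bootpc(68) to bootps(67) at 255.255.255.255 is a DHCP client broadcasting for its server (RFC 2131), which is expected on a LAN and needs no report. The remaining probes are grouped per source with first and last time, count and target ports, which is the information an abuse desk can act on (a single blocked UDP packet with no time zone is not). The 1025-1030 range, the labels and the report wording are the example's own assumptions.

```python
"""Triage of personal-firewall "blocked inbound" alerts, grouped per source so that one usable
abuse report can be written instead of a hundred individual complaints."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the three-line format quoted in this thread.  The 64.120.238.166 and
# bootpc/bootps records reuse addresses from the thread; 203.0.113.45 is an RFC 5737
# documentation address standing in for a second scanner, and every timestamp is made up.
SAMPLE_ALERTS = """\
9/5/2006 8:14 AM
Protocol: UDP (Inbound)
Remote Address: 64.120.238.166:17847
Local Address: 69.244.253.97:1026

9/5/2006 8:31 AM
Protocol: UDP (Inbound)
Remote Address: 64.120.238.166:17847
Local Address: 69.244.253.97:1026

9/5/2006 9:02 AM
Protocol: UDP (Inbound)
Remote Address: 203.0.113.45:20517
Local Address: 69.244.253.97:1026

9/5/2006 11:09 PM
Protocol: UDP (Inbound)
Remote Address: 192.168.100.11:bootpc(68)
Local Address: 255.255.255.255:bootps(67)
"""

# Source addresses that can only have come from your own segment (RFC 1918, link-local, loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def _endpoint(field):
    """'192.168.100.11:bootpc(68)' or '64.120.238.166:17847' -> (ip, port)."""
    ip, _, port_field = field.rpartition(":")
    return ip, int(re.search(r"\d+", port_field).group())

def parse_alerts(text):
    """One dict per blank-line-separated record: time, proto, direction, remote/local ip and port."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines()]
        rec = {"time": lines[0]}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Protocol":
                rec["proto"], rec["direction"] = re.match(r"(TCP|UDP)\s*\((\w+)\)", value).groups()
            elif key == "Remote Address":
                rec["remote_ip"], rec["remote_port"] = _endpoint(value)
            elif key == "Local Address":
                rec["local_ip"], rec["local_port"] = _endpoint(value)
        records.append(rec)
    return records

def classify(rec):
    """Coarse label for what an alert most likely was."""
    remote = ipaddress.ip_address(rec["remote_ip"])
    if rec["proto"] == "UDP" and (rec["remote_port"], rec["local_port"]) == (68, 67):
        return "dhcp-broadcast"  # a DHCP client on your segment looking for its server: normal
    if any(remote in net for net in LOCAL_NETS):
        return "local-network"   # from a host on your own LAN, not from the Internet
    if rec["direction"] == "Inbound" and rec["proto"] == "UDP" and 1025 <= rec["local_port"] <= 1030:
        return "rpc-port-probe"  # an Internet host spraying the RPC dynamic-port range; dropped at the firewall
    return "other-inbound"

def summarize_by_source(records, kind="rpc-port-probe"):
    """Per remote IP: how many alerts of this kind, first and last time, and the local ports hit."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "local_ports": set()})
    for rec in records:
        if classify(rec) != kind:
            continue
        s = out[rec["remote_ip"]]
        s["count"] += 1
        s["first"] = s["first"] or rec["time"]
        s["last"] = rec["time"]
        s["local_ports"].add(rec["local_port"])
    return dict(out)

def abuse_report(source_ip, summary, tz_note):
    """The facts an abuse desk needs: source, destination ports, count, and a time span with its zone."""
    s = summary[source_ip]
    ports = ", ".join(str(p) for p in sorted(s["local_ports"]))
    return (f"Source {source_ip} sent {s['count']} unsolicited inbound UDP datagram(s) to port(s) "
            f"{ports} on my host between {s['first']} and {s['last']} ({tz_note}); all were blocked "
            f"by my personal firewall. Full log lines are available on request.")
```

Feed it a day of alerts, call summarize_by_source(parse_alerts(text)) and send one abuse_report(ip, summary, "US Eastern, UTC-4") per source to the address whois gives: ARIN records normally carry an OrgAbuseEmail, and where one is missing, as in the record quoted above, the OrgTech or RTech contact is the fallback. The DHCP broadcast is filtered out before it ever reaches a report.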
 
(sigh) The requested logs

Hi,

First, let me begin by saying thank you SOOO much for helping me with this...

Second, I didn't get a chance to follow your steps until a couple of hours ago since I work on my computer all day. I literally got over 100 of those alert messages throughout the day and have blocked them every time, but I'm STILL getting them. After I followed your advice and rebooted my computer into normal mode, I got one that was different from the others... the port was completely different. Here's what it said:

11:09 pm
Protocol: UDP (Inbound)
Remote Address: 192.168.100.11:bootpc(68)
Local Address: 255.255.255.255:bootps(67)

I did IP searches on some of the remote addresses that came up throughout the day, and 1 of them was for my internet service provider (Comcast) and another one was the one I told you about, Teligent, Inc. or something...

Now I'm really worried because I've never gotten so many of these alerts.

Anyway, here are the logs you requested:

EWIDO:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:58:23 PM 9/5/2006

+ Scan result:



D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csband.dll -> Adware.Comet : Cleaned with backup (quarantined).
D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csbho.dll -> Adware.Comet : Cleaned with backup (quarantined).
:mozilla.11:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.12:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.13:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.16:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.17:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.18:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.28:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.249:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.205:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc12.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.228:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.55:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.10:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.287:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.236:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.237:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.209:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.210:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.211:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.252:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.253:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.49:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.47:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.194:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.195:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.288:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.289:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end
 
Latest Hijack This Log

AND HERE'S THE LATEST HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:59 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Cleaner\tca.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\VIRUSES & TROJANS\ANTIVIRUS & SPYWARE\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.inspiredsilver.com
O15 - Trusted Zone: http://*.savinathompson.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(sigh)...ewido picked up something like 107 tracking cookies & 1 adware, but no malware...the other anti-spyware software i have, just fyi, is:

spybot s&d
cwshredder
winsockxpfix (never used)
mcafee sting (never used)
vx2finder (never used)
adaware
zls? (never used)
bhblaster (browser blaster) (never used)
cpuz (never used)

even as i write this i've gotten 4 of those warnings...

do you think i'll need to reformat? is there any way to castrate the idiots who create these things? i guess that's probably not your area of expertise, though. (cough).

thank you again for your help!!
 
1 more strange thing

also, i forgot to mention that today i was working on my web site with a tech guy from my hosting company & we found a really weird file stored in my file manager - i've never seen it before & the tech said it's definitely not from the company, but it was a web page that talked about networking to computers & it had all sorts of technical information and numerical sequences. unfortunately the tech guy accidentally deleted it, but it was called something like haan...i don't know if it has anything to do with this, but i thought i'd mention it.
 
Search Function Disabled

hi again...a new development....i can search for pictures & music on my computer, but now, all of a sudden, i'm not able to search for files & folders. is there a way for me to just close the ports on my computer??
 
Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
 
Blacklight Log

i don't know if i did something wrong, but i don't see a "rename" option...i opened blacklight and got a dos window...i accepted the user agreement & it started scanning automatically for "hidden items" - while it was scanning i opened the .txt file, saw that it had a few things in it, then closed it since it was still scanning. the scan lasted about 10 minutes, then i left the room for about 2 minutes...when i came back, the dos window was gone. there isn't any "rename" option - it's just a .txt file & the dos window is completely gone. here's what's in the .txt file:

09/07/06 22:08:18 [Info]: BlackLight Engine 1.0.46 initialized
09/07/06 22:08:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/07/06 22:08:18 [Note]: 7019 4
09/07/06 22:08:18 [Note]: 7005 0
09/07/06 22:08:19 [Note]: 7006 0
09/07/06 22:08:19 [Note]: 7011 1488
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:34 [Note]: FSRAW library version 1.7.1019
09/07/06 22:15:49 [Note]: 7007 0

i don't know if it matters, but on the blacklight download page it says that the copy of blacklight will stop working on sept. 1st, 2006. i'm going to try to run it again to see if i interrupted it by opening the .txt file. if the contents change, i'll post them here. also, i turned on my windows firewall yesterday & stopped getting those warning messages...i didn't realize that it had been turned off (my nortons firewall was on though - that's what was giving me the warnings).
 
Re-ran Graphical Blacklight

hi,

i didn't see the graphic interface option when i downloaded the software, so i downloaded that one this time & ran it....it says there are no hidden items found and i think the log is the same as the 1st one i posted, but here it is anyway:

09/07/06 22:08:18 [Info]: BlackLight Engine 1.0.46 initialized
09/07/06 22:08:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/07/06 22:08:18 [Note]: 7019 4
09/07/06 22:08:18 [Note]: 7005 0
09/07/06 22:08:19 [Note]: 7006 0
09/07/06 22:08:19 [Note]: 7011 1488
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:34 [Note]: FSRAW library version 1.7.1019
09/07/06 22:15:49 [Note]: 7007 0
 
Possibly Important

sorry i didn't mention this to begin with, but i have 2 hard drives on my computer (i might have a 3rd, i'm not sure - sorry, i don't know anything about hard drives)...i have Presario (C:), Local Disk (D:) and Presario_RP (E:)

also, the former friend who set up my computer for me set up an "owner" and an "administrator" - i can't see that when i turn on my computer normally, but when i start it in safe mode, it gives me the option of going into the "owner" account or the "administrator" account.
 
i know, a lot of posts, sorry

sorry to keep posting, but i keep finding more information...

i just went into my norton firewall & looked under the "statistics," "view logs" area...i went into the "system" file and found that as of august 12th (the 1st entry it has in there - it looks like it deletes entries older than a month), it's started logging the following just about every day:

NIS is protecting your connnection to a newly detected network on adapter "VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport" (IP address: 24.130.71.118)

i don't have my computer networked to anyone...it's the only computer in the house.

THEN, as of 8-21-06, it started logging the same thing, but this time for my old friend, IP address 69.244.253.97 - both ip addresses are in the log up through sept. 6th (along with a 3rd IP address, 192.168.100.11, which came along on 8-23-06) THEN ON SEPT. 6TH IT SAYS:

Firewall setting "Total Network Disconnect" changed

then the user logged off & the following day the "NIS is protecting your connection to a newly detected network, blah blah blah" message is back

UNDER THE "THREAT ALERTS" FILE, THERE ARE LITERALLY ABOUT 100 ENTRIES, BEGINNING WITH MAY OF 2005 FOR 2 THREATS:

W32.Netsky.P@mm!enc (also W32.Netsky.P@mm) and
Spyware.Webhancer

For both of those threats, every entry says either "Delete Failed," "Access denied" or "Repair Failed"

is it possible that my ip address has changed since the last time i saw it a few months ago and the 69.244.253.97 is mine? my name is next to it in the "connections" (although there are also a bunch of "Local Host" connections as well). if that's the case, though, then why is it that when i blocked all of those connections yesterday, i was still able to access the internet? anyway, hopefully something in all of this info was helpful in figuring this out. please let me know if you need any other info.
 
hi

sorry for the late reply. i do have a work and a family too

there are no signs of malware in your logs so far

open hijackthis, click do a system scan only
checkmark these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe


then close all other programs and browser windows, except for hijackthis
and click fix checked

reboot

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.


also

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

so post the mwav scan log, winpfind log and a fresh hijackthis log
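The reply above picks out HijackThis entries by eye: BHOs whose file is gone, a Run entry with a bare file name, an O16 control with no registered description, a service launched from a Temp folder. The script below is an added example (not part of this thread, and not a HijackThis feature) that applies those same heuristics to log lines copied from the log posted earlier; the rules are mine, so they flag review candidates rather than reproducing the helper's exact list.

```python
import re
from typing import List, Optional, Tuple

# Sample input for this example: HijackThis-format lines taken from the log posted in
# this thread, each suspicious entry paired with a benign neighbour for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
"""

# A Windows path component named Temp or tmp (covers the 8.3 form LOCALS~1\Temp too).
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# For O4 Run entries: everything after the "[Name] " value-name prefix is the command.
O4_TARGET = re.compile(r"^O4 - .*?\] (.*)$")


def o16_has_description(line: str) -> bool:
    """An O16 DPF entry normally reads '{GUID} (Control Name) - url'.

    A GUID with no parenthesised name means the control registered no description,
    which is the pattern the helper singled out for the popcaploader entry.
    """
    head = line[len("O16 - DPF: "):].split(" - ", 1)[0]
    return not (head.startswith("{") and "(" not in head)


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the entry deserves a closer look, else None.

    Heuristics (mine, not HijackThis's): orphaned references, executables living in a
    temp directory, Run entries with no path, and unnamed downloaded ActiveX controls.
    """
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]          # e.g. "O2", "O4", "O23"

    if "(no file)" in line or "(file missing)" in line:
        return "orphaned entry: the referenced file no longer exists"

    if TEMP_DIR.search(line):
        # Services and autostarts are long-lived; a temp folder is not where they belong.
        return "executable lives in a temp directory"

    if section == "O4":
        m = O4_TARGET.match(line)
        if m:
            target = m.group(1).strip().strip('"')
            # A bare name is resolved by PATH search at logon, so it is worth identifying.
            if "\\" not in target and not target.startswith("%"):
                return "run entry gives a bare file name with no path"

    if section == "O16" and not o16_has_description(line):
        return "downloaded ActiveX control with no registered description"

    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run the heuristics over a whole log; return (entry, reason) for each hit."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Running it on a full log simply narrows the list a human still has to read; the flagged lines are candidates, and (as the helper notes) legitimate items turn up among them.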
 
Sorry!

hi,

i'm sorry for disappearing - i was away this week....i'll take the steps that you suggested tonight...i'll just let it run on the computer while i'm sleeping.

i just got an alert from my norton firewall saying that ip address 0.239.13.14 tried to make contact with my computer (i was just reading a bulletin board message - hadn't done anything unusual). it said it was characteristic of an "INVALID SOURCE ID" ATTACK.

thank you for the help - i'll let you know how it goes with your suggestions!
 
yep norton does alert a lot..

good news is that your norton firewall is very good, and it can block these attacks easily :laugh: if those even are real attacks. i usually refer to those as internet background noise

i am not too familiar with its settings, but there should be something to lessen the amount of alerts..in the settings of it
 
Mw Found Things

okay, it's been scanning for over 9 hours (only 1 of my 3 hard drives so far), so this might take all weekend, but here's what the mwantivirus toolkit has found so far:

Object "minibug Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "elite toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\COMAdmin.DirectSoundFXCompressorPage.1" refers to invalid object "{062722AB-E8CC-4D2D-F56C-2BBC14813B4B}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\SNDSrvc.LocationAwareness" refers to invalid object "{5705911C-A065-4568-9B45-E88F240963D9}". Action Taken: No Action Taken.
Entry "HKCR\SNDSrvc.LocationAwareness.1" refers to invalid object "{5705911C-A065-4568-9B45-E88F240963D9}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjblaunch.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmfwlaunch.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\bbfe\director\director2.htm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjbctrl.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMFWCtrl.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMRadioEngine.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\WINDOWS\System32\SNDefs.dat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Microsoft Office\Office\Actors\CLIPPIT.ACT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\Favorites\Financial Links\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\clippit.act" refers to invalid object "C:\Program Files\Microsoft Office\Office\Actors\CLIPPIT.ACT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\logo.act" refers to invalid object "C:\Program Files\Microsoft Office\Office\Actors\LOGO.ACT". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".39". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".641". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".675". Action Taken: No Action Taken.


CONTINUED IN NEXT MSG