
HELP!! virus/malware/adware keeps coming back!!

Discussion in 'Virus & Other Malware Removal' started by moviebuff, May 20, 2005.

Thread Status:
Not open for further replies.
  1. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    Please help!!! I'm at a loss to keep vicious stuff off my computer after deleting it. Norton found W32.allim after my daughter clicked on Hey check this out! in AOL AIM. I think I got it off the computer because Norton doesn't find it anymore. However, I'm getting a dozen other things that I get off only to come back after restart such as Esyndicate, Aproposmedia, the stupid Hunt Bar constantly comes back, and upon restart, I get the message that C:/windows/system332/gmi4i9ir.exe is causing Runtime to terminate in an unusual way. I've run Microsoft Antispyware, Adaware, Xoftspy, Spybot Search & Destroy. It seems to be affecting my web browser--changing the URL home page and pop-ups are occurring. The following is my Hijackthis log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:44:41 AM, on 5/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\msaccrt.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\windows\system32\uKZIWXP.exe
    C:\windows\system32\ad1l2S.exe
    C:\WINDOWS\system32\rdpepim1.exe
    C:\WINDOWS\system32\rcpmsdrm.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\uKZIWXP.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Documents and Settings\Keith & Sandy\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msaccrt.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com/"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [uKZIWXP.exe] c:\windows\system32\uKZIWXP.exe
    O4 - HKLM\..\Run: [ad1l2S] C:\windows\system32\ad1l2S.exe
    O4 - HKLM\..\Run: [gmi4i9ir] C:\WINDOWS\system32\gmi4i9ir.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [sFrT38U] rdpepim1.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [do03RUYnR] rcpmsdrm.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BlackICE Agent.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi moviebuff

    Welcome to TSG! :)

    * Go here to download and install CCleaner
    Do not use it yet.


    * Click Here and download the new version of Killbox and save it to your desktop.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msaccrt.exe

    O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)

    O4 - HKLM\..\Run: [uKZIWXP.exe] c:\windows\system32\uKZIWXP.exe

    O4 - HKLM\..\Run: [ad1l2S] C:\windows\system32\ad1l2S.exe

    O4 - HKLM\..\Run: [gmi4i9ir] C:\WINDOWS\system32\gmi4i9ir.exe

    O4 - HKLM\..\Run: [sFrT38U] rdpepim1.exe

    O4 - HKCU\..\Run: [do03RUYnR] rcpmsdrm.exe



    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\msaccrt.exe

    c:\windows\system32\uKZIWXP.exe

    C:\windows\system32\ad1l2S.exe

    C:\WINDOWS\system32\gmi4i9ir.exe

    C:\WINDOWS\system32\rdpepim1.exe

    C:\WINDOWS\system32\rcpmsdrm.exe


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the Killbox.


    * Start CCleaner and click Run Cleaner


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    After you have completed the above, please do this:

    Killbox creates backups of the files it removes in a C:\!Submit folder. Go to the forum here and upload the files found in the C:\!Submit folder.

    Here are the directions for uploading the files:

    Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the windows click "Post" to upload the files.
     
  4. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    I did everything exactly as you stated. However, I couldn't find anywhere to delete stuff in the Active scan. Here's the new Hijackthis log along with the Active Scan report. I'm going to try the second part you told me to do now.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:10:37 PM, on 5/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Keith & Sandy\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com/"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [do03RUYnR] rcpmsdrm.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BlackICE Agent.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  5. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cache277
    Adware:Adware/eZula No disinfected Windows Registry
    Adware:Adware/nCase No disinfected C:\Temp\salm.???
    Spyware:Spyware/ISTbar No disinfected Windows Registry
    Adware:Adware/Apropos No disinfected C:\DOCUME~1\KEITH&~1\LOCALS~1\Temp\AutoUpdate0
    Adware:Adware/WinTools No disinfected Windows Registry
    Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
    Adware:Adware/WUpd No disinfected Windows Registry
    Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
    Adware:Adware/ESyndicate No disinfected Windows Registry
    Adware:Adware/StatBlaster No disinfected C:\!Submit\ad1l2S.exe
    Adware:Adware/SAHAgent No disinfected C:\!Submit\gmi4i9ir.exe
    Virus:W32/Gaobot.GQE.worm Disinfected C:\!Submit\msaccrt.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rcpmsdrm.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rdpepim1.exe
    Virus:Trj/Bhotcher.A Disinfected C:\!Submit\uKZIWXP.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AI_Euro.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\all_files7.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\auf0.exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AutoUpdate0\setup.inf
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\instnotify.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\mw.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\mw_4s_stub.exe
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[lkir8l2gm_.dll]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[abasa5jrp_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[u6f6uftuc_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[hochkaod3_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[u6f6uftuc_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[hochkaod3_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[setup4002b.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[webinstaller.dll]
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\tXz.exe
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\CC_43.inf
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\inst43.exe
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\update_1.exe
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\WinWildApp.exe
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\MediaTicket[1].exe
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\OL2RCPAF\ezw-102[1].0000
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\SH2RKHEF\MediaTicket[1].exe
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Start Menu\Programs\TopText iLookup\My Keywords.lnk
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Start Menu\Programs\TopText iLookup\My Preferences.lnk
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Start Menu\Programs\TopText iLookup\TopText Button Show - Hide.lnk
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Keith & Sandy\Local Settings\Temp\AutoUpdate0\setup.inf
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Keith & Sandy\Local Settings\Temporary Internet Files\Content.IE5\H239928A\AutoUpdaterInstaller[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\AutoUpdate0\setup.inf
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\AproposClientInstaller[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\ETZSLK3Q\AutoUpdaterInstaller[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\0ZB7E8D9\tb3[1].cab[toolbar.dll]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\0ZB7E8D9\WinTS[1].cab[WToolsS.exe]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\20LOP2XK\istdownload[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\37H3BT8W\xml_istbar[1].xml
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab[newmajorse2.txt]
    Adware:Adware/PowerScan No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\CBRZICTP\power_remove[1].exe
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[IExploreSkins.exe]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[TBPS.exe]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[common.dll]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[toolbar.dll]
     
  6. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\istsvc[1].exe
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\TBPS[1].cab[TBPS.exe]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\WToolsD[1].cab
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\WToolsD[1].cab[WToolsD.cfg]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[g.exe]
    Adware:Adware/WinAD No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[l.exe]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\TBPSSvc[1].cab[TBPSSvc.exe]
    Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\EB1D804E-F739-4ACC-B619-3D4643
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\FC3A011E-CCC5-4B67-998B-854287
    Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BC71034F-4A9E-479C-B719-96DA0C\BE9322E7-EFDC-446E-9894-F6C205
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\15E0D54A-DD36-49CB-A215-0CFCDD
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\2746F14A-6304-4B2C-8917-8D8CE0
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\48A93F39-97C9-447F-8092-9B2A3B
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CA9F6D40-3495-4376-9772-B185CB\E81FF38A-D1CD-428F-980D-5C893B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\5960EB8D-74D1-4300-BC92-F60922
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\DF92DA4E-ACA5-43F6-8E1C-8F7D57
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\E06D1B02-573E-4212-A091-20507B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\F65B6D9F-53A3-4A5F-BCEA-E31F37
    Possible Virus. No disinfected C:\spread.exe
    Adware:Adware/nCase No disinfected C:\temp\salm.log
    Adware:Adware/nCase No disinfected C:\temp\salmau.dat
    Adware:Adware/nCase No disinfected C:\temp\salm_gdf.dat
    Adware:Adware/nCase No disinfected C:\temp\salm_kyf.dat
    Spyware:Spyware/ISTbar No disinfected C:\tmp.exe[g.exe]
    Adware:Adware/WinAD No disinfected C:\tmp.exe[l.exe]
    Virus:Bck/Agent.SZ Disinfected C:\update.exe
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\db63fnas.exe
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\hochkaod3_.ini
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini
    Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\g.exe
    Adware:Adware/WinAD No disinfected C:\WINDOWS\l.exe
    Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
    Virus:Trj/Bhotcher.A Disinfected C:\WINDOWS\system32\BHOW.exe
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\inarmd0e.dll
    Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pidfos.exe
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\q5icda20.exe
    Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\regidr07.exe
    Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\rsagshex.exe
    Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\scscfg.exe
    Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
    Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\update.exe
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I am attaching a delete.zip file to this post. It contains a delete.bat file. Download delete.zip and save it to your desktop. Unzip the file and have it ready to run.


    Fix this with Hijack This:

    O4 - HKCU\..\Run: [do03RUYnR] rcpmsdrm.exe



    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Now restart to safe mode.

    Once you are in safe mode, double-click on the delete.bat file and let it run.

    Delete this folder:

    C:\Documents and Settings\Emily\Start Menu\Programs\TopText iLookup


    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Now navigate to the C:\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Run CCleaner again.


    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin

    Boot back to Windows normally now.

    Go back to the Activescan online scan and run it again. Save the results.

    Come back here and post another HJT log and the results from Activescan
     
  8. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    I did everything but it would not let me delete or even open the folders in the C:\Windows\Temp folder. Here's the latest Active Scan report and HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:36:39 PM, on 5/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Documents and Settings\Keith & Sandy\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com/"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BlackICE Agent.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  9. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    Here's the Active Scan Report


    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cache277
    Adware:Adware/eZula No disinfected Windows Registry
    Adware:Adware/Apropos No disinfected C:\DOCUME~1\KEITH&~1\LOCALS~1\Temp\AutoUpdate0
    Adware:Adware/WinTools No disinfected Windows Registry
    Adware:Adware/StatBlaster No disinfected C:\!Submit\ad1l2S.exe
    Adware:Adware/SAHAgent No disinfected C:\!Submit\gmi4i9ir.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rcpmsdrm.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rdpepim1.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AI_Euro.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\all_files7.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\auf0.exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AutoUpdate0\setup.inf
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\instnotify.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\mw.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\mw_4s_stub.exe
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[lkir8l2gm_.dll]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[abasa5jrp_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[u6f6uftuc_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[hochkaod3_.exe]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[u6f6uftuc_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[hochkaod3_.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[setup4002b.ini]
    Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[webinstaller.dll]
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\tXz.exe
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\CC_43.inf
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\inst43.exe
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\update_1.exe
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\WinWildApp.exe
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\MediaTicket[1].exe
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\OL2RCPAF\ezw-102[1].0000
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\SH2RKHEF\MediaTicket[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Keith & Sandy\Local Settings\Temp\AutoUpdate0\setup.inf
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Keith & Sandy\Local Settings\Temporary Internet Files\Content.IE5\H239928A\AutoUpdaterInstaller[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\AutoUpdate0\setup.inf
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\AproposClientInstaller[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\ETZSLK3Q\AutoUpdaterInstaller[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\0ZB7E8D9\tb3[1].cab[toolbar.dll]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\0ZB7E8D9\WinTS[1].cab[WToolsS.exe]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\20LOP2XK\istdownload[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\37H3BT8W\xml_istbar[1].xml
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab[newmajorse2.txt]
    Adware:Adware/PowerScan No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\CBRZICTP\power_remove[1].exe
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[IExploreSkins.exe]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[TBPS.exe]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[common.dll]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\Toolbar3[1].cab[toolbar.dll]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\istsvc[1].exe
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\TBPS[1].cab[TBPS.exe]
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\WToolsD[1].cab
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\WToolsD[1].cab[WToolsD.cfg]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[g.exe]
    Adware:Adware/WinAD No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[l.exe]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\TBPSSvc[1].cab[TBPSSvc.exe]
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\EB1D804E-F739-4ACC-B619-3D4643
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\FC3A011E-CCC5-4B67-998B-854287
    Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BC71034F-4A9E-479C-B719-96DA0C\BE9322E7-EFDC-446E-9894-F6C205
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\15E0D54A-DD36-49CB-A215-0CFCDD
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\2746F14A-6304-4B2C-8917-8D8CE0
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\48A93F39-97C9-447F-8092-9B2A3B
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CA9F6D40-3495-4376-9772-B185CB\E81FF38A-D1CD-428F-980D-5C893B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\5960EB8D-74D1-4300-BC92-F60922
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\DF92DA4E-ACA5-43F6-8E1C-8F7D57
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\E06D1B02-573E-4212-A091-20507B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\F65B6D9F-53A3-4A5F-BCEA-E31F37
    Spyware:Spyware/ISTbar No disinfected C:\tmp.exe[g.exe]
    Adware:Adware/WinAD No disinfected C:\tmp.exe[l.exe]
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\hochkaod3_.ini
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    What happened when you tried to open the temp folders?
     
  11. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    I went back to see exactly what it said and it let me delete them now. It had said something like access denied and check to see if the disk was in use. I went ahead and deleted the cookies and history and the third folder (I forgot what it was titled) that were in the windows/temp folder. I hope I didn't mess anything up. I went ahead and started running CCleaner again after I deleted that but I forgot to do it in safe mode so I stopped it after a few seconds. I haven't done anything else. I did not empty the recycle bin again.

    The windows/temp folder also has a bunch of $NTUninstall files in it now that weren't there before.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    The $NTUninstall files are in the Windows folder, not the C:\Windows\Temp folder. I hope you haven't been deleting files from the Windows folder!

    How is everything now?
     
  13. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    No, I haven't deleted anything from the windows folder. I had it confused. I ran Ad-Aware again and it detected the following:
    Ezula
    IBIS Toolbar
    WindUpdates
    ZyncosMark
    StatBlaster
    CoolWebSearch
    eSyndicate
    Possible Browser hijack attempt
    Tracking Cookie
    Rads01.Quadrogram
    MemoryWatcher
    SahAgent
    PeopleOnPage
    MdADdle

    Xoftspy found some of the above plus: (I do not have this software to delete the stuff though).
    CometSystems
    Orbit Explorer
    lycos Sidesearch
    Xupiter.Orbitexplorer

    As you can see, a bunch of this stuff is the same stuff reappearing and won't go away.
     
  14. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    I ran another HJT log. Here it is.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16:10 PM, on 5/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Keith & Sandy\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com/"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Keith & Sandy\Application Data\Mozilla\Profiles\default\eqj5znis.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BlackICE Agent.lnk = ?
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  15. moviebuff

    moviebuff Thread Starter

    Joined:
    May 20, 2005
    Messages:
    66
    Why won't this stuff go away? Here's another Active Scan Report:


    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cache277
    Adware:Adware/eZula No disinfected Windows Registry
    Adware:Adware/StatBlaster No disinfected C:\!Submit\ad1l2S.exe
    Adware:Adware/SAHAgent No disinfected C:\!Submit\gmi4i9ir.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rcpmsdrm.exe
    Adware:Adware/Apropos No disinfected C:\!Submit\rdpepim1.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AI_Euro.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\all_files7.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\auf0.exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\AutoUpdate0\setup.inf
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/MemoryWatcher No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\mw.exe
    Adware:Adware/StatBlaster No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\tXz.exe
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\CC_43.inf
    Adware:Adware/Comet No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\unpack\inst43.exe
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\MediaTicket[1].exe
    Adware:Adware/eZula No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\OL2RCPAF\ezw-102[1].0000
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\SH2RKHEF\MediaTicket[1].exe
    Adware:Adware/Envolo No disinfected C:\Documents and Settings\Liz\Local Settings\Temp\AutoUpdate0\setup.inf
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\E1X3N3K7\AproposClientInstaller[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temp\fca0IVf.exe
    Adware:Adware/WinTools No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\0ZB7E8D9\tb3[1].cab[toolbar.dll]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\20LOP2XK\istdownload[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\37H3BT8W\xml_istbar[1].xml
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4HI2JRVA\newmajorse2[1].cab[newmajorse2.txt]
    Adware:Adware/PowerScan No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\CBRZICTP\power_remove[1].exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\istsvc[1].exe
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\L44J9L8L\TBPS[1].cab[TBPS.exe]
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[g.exe]
    Adware:Adware/WinAD No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[l.exe]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\TBPSSvc[1].cab[TBPSSvc.exe]
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\EB1D804E-F739-4ACC-B619-3D4643
    Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AB9E8B54-BFB4-46FF-8E70-EFA029\FC3A011E-CCC5-4B67-998B-854287
    Adware:Adware/PurityScan No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BC71034F-4A9E-479C-B719-96DA0C\BE9322E7-EFDC-446E-9894-F6C205
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\15E0D54A-DD36-49CB-A215-0CFCDD
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\2746F14A-6304-4B2C-8917-8D8CE0
    Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C5E48A9D-E665-4870-91EF-544E03\48A93F39-97C9-447F-8092-9B2A3B
    Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CA9F6D40-3495-4376-9772-B185CB\E81FF38A-D1CD-428F-980D-5C893B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\DF92DA4E-ACA5-43F6-8E1C-8F7D57
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\E06D1B02-573E-4212-A091-20507B
    Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\F65B6D9F-53A3-4A5F-BCEA-E31F37
    Spyware:Spyware/ISTbar No disinfected C:\tmp.exe[g.exe]
    Adware:Adware/WinAD No disinfected C:\tmp.exe[l.exe]
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\hochkaod3_.ini
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini
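
The `%temp%` and Internet Options steps in post 7 act only on the account that is logged in, and ActiveScan prints every archive member as its own line, so the two reports are hard to compare by eye. The added example below is not part of the thread: the function names and location categories are this example's own assumptions, and the sample lines are copied from the two reports above. It groups findings by profile and location type and lists what a cleanup pass cleared.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Lines copied from the first and second ActiveScan reports in this thread.
FIRST_SCAN = r"""
Incident Status Location
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\KEITH&~1\LOCALS~1\Temp\AutoUpdate0
Adware:Adware/SAHAgent No disinfected C:\!Submit\gmi4i9ir.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Emily\Local Settings\Temp\setup4002b.cab[webinstaller.dll]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\MediaTicket[1].exe
Adware:Adware/Envolo No disinfected C:\Documents and Settings\Keith & Sandy\Local Settings\Temp\AutoUpdate0\setup.inf
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[g.exe]
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E03AB2A0-BC26-411D-A57E-6CA6DC\5960EB8D-74D1-4300-BC92-F60922
"""
SECOND_SCAN = r"""
Incident Status Location
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\!Submit\gmi4i9ir.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\MediaTicket[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\UP7O58VA\newton[1].ch[g.exe]
"""

# "<Kind>:<Kind>/<Family> <status text> <location>"; the location is either
# the literal "Windows Registry" or a path that starts with a drive letter.
LINE_RE = re.compile(
    r"^(?P<kind>\w+):\w+/(?P<family>\S+)\s+(?P<status>.+?)\s+"
    r"(?P<location>Windows Registry|[A-Za-z]:\\.*)$"
)
# "setup4002b.cab[webinstaller.dll]" is a file inside an archive, while
# "MediaTicket[1].exe" is only an IE cache file name and must not be split.
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
# 8.3 short names such as KEITH&~1 are kept as written: they cannot be
# resolved to a long profile name without access to the file system.
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings|DOCUME~1)\\(?P<profile>[^\\]+)\\",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    kind: str
    family: str
    status: str
    location: str
    container: str          # file on disk (the archive, for archive members)
    member: Optional[str]   # name inside the archive, if any
    category: str
    profile: Optional[str]  # Windows account that owns the path, if any


def categorize(location: str) -> str:
    """Assign one of this example's own location categories."""
    low = location.lower()
    if low == "windows registry":
        return "registry"
    if "\\quarantine\\" in low:
        return "quarantine"
    if "\\temporary internet files\\" in low:
        return "browser-cache"
    if "\\local settings\\temp\\" in low or "\\locals~1\\temp\\" in low:
        return "user-temp"
    return "other"


def parse_report(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line ("Incident Status Location") or blank
        location = m["location"]
        inner = MEMBER_RE.match(location)
        owner = PROFILE_RE.match(location)
        findings.append(Finding(
            m["kind"], m["family"], m["status"], location,
            inner["container"] if inner else location,
            inner["member"] if inner else None,
            categorize(location),
            owner["profile"] if owner else None,
        ))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count distinct files on disk per (profile, category)."""
    unique = {(f.profile or "-", f.category, f.container) for f in findings}
    return Counter((profile, category) for profile, category, _ in unique)


def cleared_between(before: List[Finding], after: List[Finding]) -> List[Finding]:
    """Findings reported in the earlier scan but absent from the later one."""
    still_there = {f.location.lower() for f in after}
    return [f for f in before if f.location.lower() not in still_there]


if __name__ == "__main__":
    first, second = parse_report(FIRST_SCAN), parse_report(SECOND_SCAN)
    for f in cleared_between(first, second):
        print("cleared:  ", f.category, f.location)
    for (profile, category), n in sorted(summarize(second).items()):
        print(f"remaining: {profile:15} {category:14} {n}")
```

Run over the full second report, the file findings that remain sit under the Emily, Liz and Steve profiles, the Microsoft AntiSpyware quarantine folder, `C:\!Submit`, `C:\tmp.exe`, `C:\WINDOWS\cache277` and Downloaded Program Files, none of which are the temp folders emptied from the Keith & Sandy account.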
     
Short URL to this thread: https://techguy.org/363965
