Problem with Spyware


Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hello,

Could anyone please help me with the following prob.

I use Google to search for things, but when I click on the link results, the page that opens is not the page that was shown. Only after clicking it a few times can I get to the page.


I am running Windows XP Professional. I have run Spybot, Ad-Aware and AVG virus detector, and they found some nasties, but those have been deleted.

The following is my log for HiJackThis.


Logfile of HijackThis v1.99.1
Scan saved at 7:55:01 PM, on 10/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AdTools Service] D:\Program Files\AdTools Service\AdTools.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [UnSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - D:\Documents and Settings\Lam\Desktop\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Documents and Settings\Lam\Desktop\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks

Steve
 
Joined
Jul 26, 2002
Messages
46,349
** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


* Click here to download Fixwareout.exe and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Fixwareout:
  • Double-click on the Fixwareout.exe file to run it.
  • Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
  • The fix will begin. Follow the prompts.
  • You will be asked to reboot your computer, please do so.
  • Your system may take longer than usual to load, this is normal.
  • When your system reboots, follow the prompts that follow.
  • HijackThis should open automatically.
  • Click the Scan button, and put a check by the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O4 - HKLM\..\Run: [AdTools Service] D:\Program Files\AdTools Service\AdTools.exe

    O4 - HKCU\..\Run: [UnSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228

    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228

    O17 - HKLM\System\CS2\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228


  • After checking each of those entries in Hijack This, click the "Fix Checked" button then exit Hijack This.


* Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

  • Double-click the Network Connections icon
  • Right-click the Local Area Connection icon and select Properties.
  • Highlight Internet Protocol (TCP/IP) and click the Properties button.
  • Be sure Obtain DNS server address automatically is selected.
  • OK your way out.


* Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:

    ipconfig /flushdns

  • Hit Enter
  • Exit the command window



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    D:\Program Files\AdTools Service

    D:\Program Files\UnSpyPC


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.


* Go to Control Panel > Internet Options.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.


* Restart back into Windows normally now.


* Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan
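
The checks applied by eye to the first log above (a BHO whose file is missing, and a hard-coded NameServer in every control set) can be scripted. This is an added example, not part of the original thread and not part of HijackThis; the function names and the "flag any resolver not on an allow-list" policy are assumptions, and the sample lines are excerpted from the logs posted in this thread.

```python
import re
from ipaddress import ip_address

# Entries excerpted from the first HijackThis log in this thread.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E9F319C-231B-4A58-886A-6CEFFA176BD8}: NameServer = 85.255.116.134,85.255.112.228
"""

# The same entries as they appear in the second log (after "Fix checked").
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# "<section code> - <rest of line>", e.g. "O17 - HKLM\System\..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O17 body: registry location under Tcpip, then the NameServer value.
O17_RE = re.compile(
    r"^HKLM\\System\\(?P<cs>[^\\]+)\\Services\\Tcpip\\(?P<where>.+?): "
    r"NameServer = (?P<servers>.+)$"
)


def parse_entries(log_text):
    """Return (code, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def unexpected_resolvers(servers, allowed):
    """Split a NameServer value and return the addresses not on the allow-list."""
    bad = []
    for s in filter(None, re.split(r"[,\s]+", servers.strip())):
        try:
            if ip_address(s) not in allowed:
                bad.append(s)
        except ValueError:
            bad.append(s)  # not an IP address at all: report it rather than crash
    return bad


def triage(log_text, allowed_dns=()):
    """Flag entries whose target file is missing and O17 entries with static DNS.

    allowed_dns is an assumed policy input: resolvers the owner set on purpose.
    With the default (empty) list every hard-coded NameServer is reported.
    """
    allowed = {ip_address(a) for a in allowed_dns}
    findings = []
    for code, body in parse_entries(log_text):
        if body.endswith("- (no file)"):
            findings.append({"code": code, "body": body,
                             "reason": "target file missing"})
        m = O17_RE.match(body) if code == "O17" else None
        if m:
            bad = unexpected_resolvers(m.group("servers"), allowed)
            if bad:
                # Each control set is reported on its own line, so a fix has to
                # clear all of them, not only the current one.
                findings.append({"code": code, "body": body,
                                 "reason": "static DNS server",
                                 "control_set": m.group("cs"),
                                 "servers": bad})
    return findings


def unresolved(findings, later_log):
    """Return the findings that are still present in a later log."""
    later = set(parse_entries(later_log))
    return [f for f in findings if (f["code"], f["body"]) in later]


if __name__ == "__main__":
    flagged = triage(LOG_BEFORE)
    for f in flagged:
        print(f["reason"], "|", f["code"], "-", f["body"])
    print("still present after the fix:", len(unresolved(flagged, LOG_AFTER)))
```
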
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Dear Flrman1,

Thanks very much for your reply and advice.

I have followed your instruction and the following are the results:

1) I ran Fixwareout but it didn't ask me to reboot my computer; it only displayed a log file as follows:

Check for missing files
.....
D:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00
.....
End vxd check
.....
please post this at the forum

2) I have checked and fixed the lines shown in HiJackThis

3) I followed the rest of your instructions until the Killbox, when I ran it and tried to delete the files:

D:\Program Files\AdTools Service
D:\Program Files\UnSpyPC
But it said that the files do not exist, but I continued anyway.

4) I ran the Kaspersky virus detector and the following are the result:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 11, 2006 19:02:35
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/01/2006
Kaspersky Anti-Virus database records: 170507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54501
Number of viruses found: 10
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 4652 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM\sysobj.exe Infected: HackTool.Win32.Hidd.g
C:\WINDOWS\SYSTEM\ntfsnlpa.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b
C:\WINDOWS\SYSTEM32\web.exe Infected: Trojan-Downloader.Win32.Tibs.bn
C:\WINDOWS\Downloaded Program Files\on.exe Infected: Trojan-Downloader.Win32.Small.amb
C:\RECYCLED\Q330995.exe Infected: Trojan-Downloader.Win32.Femad.gen
C:\lo-2001583754.exe Infected: Trojan-Downloader.Win32.Tibs.bn
C:\!Submit\opensdl.exe Infected: not-a-virus:AdWare.Win32.FindSpy.d
D:\WINDOWS\system32\kernels64.exe Infected: Trojan-Downloader.Win32.Tibs.bn
D:\WINDOWS\system32\pppcgm.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b
D:\Documents and Settings\Lam\Local Settings\Temporary Internet Files\Content.IE5\8FZNI411\sex[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd
D:\System Volume Information\_restore{32BA6B98-3256-447F-B83A-F66DC6498F66}\RP14\A0001661.exe Infected: not-a-virus:AdWare.Win32.WinAD.z
D:\System Volume Information\_restore{32BA6B98-3256-447F-B83A-F66DC6498F66}\RP14\A0001662.exe Infected: not-a-virus:AdWare.Win32.WinAD.k
D:\System Volume Information\_restore{32BA6B98-3256-447F-B83A-F66DC6498F66}\RP14\A0001663.dll Infected: not-a-virus:AdWare.Win32.WinAD.z
D:\System Volume Information\_restore{32BA6B98-3256-447F-B83A-F66DC6498F66}\RP15\A0001687.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h

Scan process completed.


You will notice that there are viruses found in drives C: and D:

I have two hard drives: C: is running Windows 98 and D: is running Win XP. I rarely boot into drive C: now and my original question was about Win XP on D:
However, I would appreciate your advice on how to get rid of the viruses in drive C:

Here is the Log for HiJackThis at the end of all this:

Logfile of HijackThis v1.99.1
Scan saved at 7:34:05 PM, on 11/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\msagent\AgentSvr.exe
D:\Program Files\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - D:\Documents and Settings\Lam\Desktop\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Documents and Settings\Lam\Desktop\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks for your help

Steve
 
Joined
Jul 26, 2002
Messages
46,349
You need to fix the AUTOEXEC.NT error then run Fixwareout again.

If you have XP pro download this:

http://homepage.ntlworld.com/spencer.greystrong/XPProfiles.exe

If it's XP Home download this:

http://homepage.ntlworld.com/spencer.greystrong/XPHomeFiles.exe

These are self extracting zip archives so just doubleclick on the file and a WinZip wizard should appear. The default location should be set to unzip to C:\Windows\System32. Click "Unzip" to extract the files.

Now run Fixwareout again please. This time when HJT opens, just close it. Go ahead and boot to safe mode and use Killbox to delete these files:

C:\WINDOWS\SYSTEM\sysobj.exe
C:\WINDOWS\SYSTEM\ntfsnlpa.exe
C:\WINDOWS\SYSTEM32\web.exe
C:\WINDOWS\Downloaded Program Files\on.exe
C:\RECYCLED\Q330995.exe
C:\lo-2001583754.exe
C:\!Submit\opensdl.exe
D:\WINDOWS\system32\kernels64.exe
D:\WINDOWS\system32\pppcgm.exe
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1

I have downloaded XPProfiles.exe as suggested, but when I double click on the file I have an error message "XPProfiles.exe is not a valid Win32 application"

Could you tell me what to do next?

I am running Win XP Professional with Service Pack 1

Thanks

Steve
 
Joined
Jul 26, 2002
Messages
46,349
Did you download it and save it to your computer first or did you just click "Open" in the download dialogue box?
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1,

I did download it first by saving the file to a temporary folder in my D: drive, then I double-clicked it.

Steve
 
Joined
Jul 26, 2002
Messages
46,349
It will not run from a temporary folder. Download it again and save it to your desktop and try again.
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1,

I have downloaded again the file XPProfiles.exe on the Desktop and run it, it unzipped into C:\Windows\System32 folder (Should not this be stored into D:Windows\System32 folder? since my XP is on D: drive?)

But when I ran Fixwareout again, HJT didn't start, only the same message as last time:

Check for missing files
.....
D:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00
.....
End vxd check

Then I went into Killbox and tried to delete the files shown in your previous post, and most were deleted, only a couple were not found.

Now, please find below my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:54:43 PM, on 15/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\Program Files\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - D:\Documents and Settings\Lam\Desktop\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Documents and Settings\Lam\Desktop\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

Could you please tell me if I still have a problem?

Thanks
Steve
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1

By the way, I still have the problem with searching using Google, as described in the original post, that is, when I click on the search results, I am taken to another page, like being hijacked, instead of the page I intended to visit.

I have never seen this before.

Steve
 
Joined
Jul 26, 2002
Messages
46,349
Steve89 said:
I have downloaded again the file XPProfiles.exe on the Desktop and run it, it unzipped into C:\Windows\System32 folder (Should not this be stored into D:Windows\System32 folder? since my XP is on D: drive?)

Yes, it needs to extract to D:Windows\System32. You need to run it again and change the c: path to d: before you extract it, then run Fixwareout again. The Wareout infection is the source of your problems. We have to get it to run before we can finish cleaning this up.

After successfully running fixwareout, go to c: and find the fixwareout.txt file. Post it here along with a new Hijack This log.
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1,

I followed your advice and the following are the logs from Fixwareout and HJT as requested. Could you please check to see if there are any more problems?

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\irxmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
D:\WINDOWS\SYSTEM32\CSXIU.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

--------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:33:38 PM, on 16/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\Program Files\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmfcl.exe] D:\WINDOWS\System32\dmfcl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - D:\Documents and Settings\Lam\Desktop\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Documents and Settings\Lam\Desktop\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks
Steve
 
Joined
Jul 26, 2002
Messages
46,349
* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [dmfcl.exe] D:\WINDOWS\System32\dmfcl.exe


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    D:\WINDOWS\SYSTEM32\CSXIU.EXE

    D:\WINDOWS\System32\dmfcl.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
 

Steve89

Thread Starter
Joined
Dec 21, 2004
Messages
168
Hi Flrman1,

The following is the log for HJT, with ActiveScan in the following post:

Logfile of HijackThis v1.99.1
Scan saved at 9:49:16 PM, on 17/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - D:\Documents and Settings\Lam\Desktop\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Documents and Settings\Lam\Desktop\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks,

Steve
 

Steve89

Thread Starter
Hi Flrman1.

Following is the first half of the Activescan log:


Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Bfast Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/MediaTickets Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Enhance Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/2o7.net Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Sextracker Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Sextracker Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/7search Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/GoStats Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Tucows Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/WinFixer Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\[email protected][3].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/bravenetA Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS\Cookies\[email protected][3].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/CentrPort Not disinfected C:\WINDOWS\Cookies\[email protected]port[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Dialer:Dialer.ABR Not disinfected C:\Program Files\HiJackThis\backups\backup-20050307-184713-892.inf
Adware:Adware/PurityScan Not disinfected C:\Program Files\HiJackThis\backups\backup-20050307-184713-412.inf
Adware:Adware/QuickWeb Not disinfected D:\RECYCLED\Dd6.exe
Virus:Exploit/Metafile Disinfected D:\RECYCLED\Dd24\sex[1].wmf
Virus:Trj/DNSChanger.BD Disinfected D:\RECYCLED\Dd29\sex[1].exe
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Bfast Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/MediaTickets Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Lam\Cookies\[email protected][2].txt

Thanks

Steve
 