
safetyhomepage

Discussion in 'Virus & Other Malware Removal' started by lees58, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. lees58

    lees58 Thread Starter

    Joined:
    Aug 8, 2006
    Messages:
    34
    Having a lot of problems with safetyhomepage.com. It's taken over as my home page for Internet Explorer and seems to be causing a lot of unwanted popups... tried to get rid of the problem but nothing seems to be working... any suggestions?
     
  2. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Hello lees58...welcome to TSG!


    Please do this:

    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double-click on the HJTsetup.exe icon on your desktop
    • By default it will install to C:\Program Files\Hijack This
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again. Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on Edit>Select All; then click on Edit>Copy to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. lees58

    lees58 Thread Starter

    Joined:
    Aug 8, 2006
    Messages:
    34
    Scan saved at 4:51:03 PM, on 8/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\All Users\Documents\Ares\Ares.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
    C:\WINDOWS\svchost.exe

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [fnffmxyA] C:\WINDOWS\fnffmxyA.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\All Users\Documents\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ferrylanddowns.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/acgm/acgm.cab
    O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\r08slal71dq.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
     
  4. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Hello lees58....

    Please download Look2Me-Destroyer.exe to your desktop.


    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
     
  5. lees58

    lees58 Thread Starter

    Joined:
    Aug 8, 2006
    Messages:
    34
    hey.....here's the L2M LOG..........


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 8/9/2006 11:21:03 PM

    Infected! C:\WINDOWS\system32\dnjq0115e.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007799.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007805.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007828.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007833.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007891.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007898.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007910.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007911.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007914.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007927.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007932.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007943.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007947.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007966.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007967.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP169\A0007990.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0008002.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008045.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008049.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008109.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008113.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008234.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008239.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP174\A0008343.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP178\A0008484.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008499.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008532.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008536.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008541.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008548.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008551.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008565.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008569.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008593.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008595.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008600.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008623.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008632.dll
    Infected! C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008633.dll
    Infected! C:\WINDOWS\system32\dnjq0115e.dll
    Infected! C:\WINDOWS\system32\fpls0337e.dll
    Infected! C:\WINDOWS\system32\oae2.dll
    Infected! C:\WINDOWS\system32\uvib.dll
    Infected! C:\WINDOWS\system32\guard.tmp

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\dnjq0115e.dll
    C:\WINDOWS\system32\dnjq0115e.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007799.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007799.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007805.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP163\A0007805.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007828.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007828.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007833.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP165\A0007833.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007891.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007891.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007898.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007898.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007910.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007910.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007911.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007911.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007914.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP166\A0007914.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007927.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007927.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007932.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007932.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007943.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007943.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007947.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007947.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007966.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007966.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007967.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP167\A0007967.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP169\A0007990.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP169\A0007990.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0008002.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0008002.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008045.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008045.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008049.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008049.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008109.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008109.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008113.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP171\A0008113.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008234.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008234.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008239.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP172\A0008239.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP174\A0008343.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP174\A0008343.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP178\A0008484.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP178\A0008484.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008499.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008499.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008532.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008532.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008536.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008536.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008541.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008541.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008548.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008548.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008551.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008551.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008565.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008565.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008569.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP179\A0008569.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008593.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008593.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008595.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008595.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008600.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008600.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008623.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008623.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008632.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008632.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008633.dll
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP181\A0008633.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dnjq0115e.dll
    C:\WINDOWS\system32\dnjq0115e.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\fpls0337e.dll
    C:\WINDOWS\system32\fpls0337e.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\oae2.dll
    C:\WINDOWS\system32\oae2.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\uvib.dll
    C:\WINDOWS\system32\uvib.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\guard.tmp Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DDE25C59-C84E-4CBD-912E-4AF355C89C86}"
    HKCR\Clsid\{DDE25C59-C84E-4CBD-912E-4AF355C89C86}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A03B0CF9-69C7-45A2-B0AF-1922796B8C91}"
    HKCR\Clsid\{A03B0CF9-69C7-45A2-B0AF-1922796B8C91}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{65CF0964-A8C3-4C67-96E3-76A8E63E763C}"
    HKCR\Clsid\{65CF0964-A8C3-4C67-96E3-76A8E63E763C}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    AND THE NEW HIJACK THIS LOG......THANKS AGAIN....THINGS SEEM TO BE GETTING BETTER

    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:54 PM, on 8/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\All Users\Documents\Ares\Ares.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [fnffmxyA] C:\WINDOWS\fnffmxyA.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\All Users\Documents\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ferrylanddowns.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/acgm/acgm.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
     
  6. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Hello lees58...looks better, but still some work to do:

    1. First download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program.
      • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
      • Once the setup is complete you will need to run ewido and update the definition files.
      • On the main screen select the icon "Update" then select the "Update now" link.
        • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
      • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
      • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
      • Under "Reports":
        • Select "Automatically generate report after every scan"
        • Un-select "Only if threats were found"
    Close ewido anti-spyware. Do not run a scan just yet; we will shortly.

    2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [fnffmxyA] C:\WINDOWS\fnffmxyA.exe

    Now close all windows other than HiJackThis, then click Fix Checked.

    3. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    4. Please delete these files using Windows Explorer(if present):
    • Click Start>>All Programs>>Accessories>>Windows Explorer
    • Navigate to the listed files, then right-click to select them and click delete:


    C:\WINDOWS\fnffmxyA.exe
    C:\WINDOWS\svchost.exe <== IMPORTANT! DO NOT delete C:\windows\system32\svchost.exe, which is a legitimate system file. If you have any doubts, right click to highlight the file and select 'Properties'. If it is a Microsoft file, do not delete it!


    5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    • Launch ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • ewido will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close ewido and reboot your system back into Normal Mode.

    6. Post the results of the ewido report scan, a new HJT log and let me know if your computer is having any problems!
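The helper in this thread reads the two HijackThis logs by eye: the O20 "Hints" Winlogon Notify entry is gone after Look2Me-Destroyer ran, and post 6 points out that C:\WINDOWS\svchost.exe is not the legitimate C:\WINDOWS\system32\svchost.exe. As an added example (not code from the thread, from HijackThis or from the tools named here), the Python below does both of those checks mechanically: it parses a HijackThis-style log into its running-process list and its R/F/O scan entries, flags core system binaries that run from a directory other than system32, and diffs the entries of a before and after log. The two sample logs are constructed, abbreviated copies of the logs posted above; the function and constant names and the allow-list of system32 binaries are my own assumptions.

```python
"""HijackThis-log helper: flag core system binaries running from the wrong
directory and diff the scan entries of two logs (before/after a cleanup).
Added example, not code from this thread or from HijackThis itself."""
import ntpath
import re

# Core Windows binaries that on XP live in the system32 directory.
# Assumption: a fixed, deliberately short allow-list of my own.
SYSTEM32_BINARIES = {"smss.exe", "winlogon.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIR = r"c:\windows\system32"

# Constructed sample: the first posted log, trimmed to the lines that matter.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:51:03 PM, on 8/9/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fnffmxyA] C:\WINDOWS\fnffmxyA.exe
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\r08slal71dq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: the second posted log, after Look2Me-Destroyer ran.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:30:54 PM, on 8/9/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fnffmxyA] C:\WINDOWS\fnffmxyA.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A scan entry starts with its section code: R3, F2, O4, O20, ...
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


def parse_log(text):
    """Return (running_processes, scan_entries) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True          # process paths follow this header
        elif ENTRY_RE.match(line):
            in_procs = False         # first scan entry ends the process list
            entries.append(line)
        elif in_procs:
            processes.append(line)
    return processes, entries


def misplaced_system_binaries(processes):
    """Processes whose file name is a core system binary but whose directory
    is not the system32 directory, e.g. C:\\WINDOWS\\svchost.exe."""
    flagged = []
    for path in processes:
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM32_BINARIES and directory.lower() != LEGIT_DIR:
            flagged.append(path)
    return flagged


def entry_diff(before, after):
    """Scan entries that disappeared, and that appeared, between two logs."""
    e_before = set(parse_log(before)[1])
    e_after = set(parse_log(after)[1])
    return sorted(e_before - e_after), sorted(e_after - e_before)


if __name__ == "__main__":
    procs, _ = parse_log(LOG_AFTER)
    for p in misplaced_system_binaries(procs):
        print("system binary running from an unexpected directory:", p)
    gone, new = entry_diff(LOG_BEFORE, LOG_AFTER)
    print("entries removed since the first log:", gone)
    print("entries added since the first log:", new)
```

The path check compares only the directory, so a copy of svchost.exe in C:\WINDOWS is flagged while C:\WINDOWS\System32\svchost.exe (any capitalisation) is not; that is exactly the distinction post 6 asks the reader to make before deleting anything. The diff makes the effect of each cleanup step visible without reading two 40-line logs side by side.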
     
  7. lees58

    lees58 Thread Starter

    Joined:
    Aug 8, 2006
    Messages:
    34
    Here's the results... during the quarantine I was told that there was a file that couldn't be removed, I was then asked if it should be quarantined and I said yes... also mentioned something about the file being embedded?

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:35:35 PM 8/10/2006

    + Scan result:



    C:\WINDOWS\system32\aif644a0.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
    HKU\S-1-5-21-3100389338-3426401208-1273447278-1003\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr7D59 -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\temp.frBF31 -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\49641858-8E44-44C3-915C-09A74C\5AD62B73-F135-4810-B721-426321 -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\49641858-8E44-44C3-915C-09A74C\83E2FD57-C878-42A1-ABC0-F9AA56 -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\80B5CCE7-F082-405D-9EFF-CE8586\E357F7E4-D40D-4F5A-AFDA-3D3321 -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\80B5CCE7-F082-405D-9EFF-CE8586\FEFADC18-06CA-41CF-A512-844223/NHUpdater.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\80B5CCE7-F082-405D-9EFF-CE8586\FEFADC18-06CA-41CF-A512-844223/NHelper.dll -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\80B5CCE7-F082-405D-9EFF-CE8586\FEFADC18-06CA-41CF-A512-844223/navapp.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Starware -> Adware.Starware : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Starware\Manager -> Adware.Starware : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml.backup -> Adware.Starware : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\E7395AD7-07C2-4086-BCD3-B61244\96E26648-5CD9-40E9-9DBB-421408 -> Adware.SurfAccuracy : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\2398D9F2-6FC8-421F-8F64-5FE017\8B7E5155-C7E4-4EE8-8DC6-5E4DCF -> Adware.WinAD : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDSJGZ83\int_ver34[1].CAB/int_ver34.ocx -> Dialer.VB.j : Cleaned with backup (quarantined).
    C:\nwnmff_7.exe -> Downloader.Adload.dj : Cleaned with backup (quarantined).
    C:\kybrdff_7.exe -> Downloader.Adload.dl : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\switch.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w191f7bf.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\ac3_0010.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\drsmartload45a7i.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
    C:\drsmartload46a7i.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
    C:\drsmartload849a7i.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060125-162234-709.dll -> Downloader.Zlob.fi : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060730-231958-983.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060801-232057-299.dll -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\4TEJW9QN\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDSJGZ83\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDSJGZ83\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDSJGZ83\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDSJGZ83\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CZRR6GLT\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CZRR6GLT\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\J6CFR90P\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JF9FNDSW\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\KHOTIFS9\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\NJX7ZL8W\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q18FYT25\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q18FYT25\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UBAJEHAR\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UBAJEHAR\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\V2X4ECYT\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BM8R7TOT\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\STG3GNSB\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Program Files\Outlook Express\howywywev.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\Program Files\Windows NT\kyzezez.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\dfndrff_7.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\J6CFR90P\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
    :mozilla.68:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    :mozilla.69:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
    :mozilla.96:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    :mozilla.97:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    :mozilla.99:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    :mozilla.35:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    :mozilla.95:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
    :mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    :mozilla.57:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    :mozilla.36:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    :mozilla.12:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    :mozilla.91:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    :mozilla.62:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.63:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.64:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.65:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.66:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.90:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
    :mozilla.16:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
    :mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
    :mozilla.77:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.78:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.79:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.80:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Sexlist : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sexlist : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    :mozilla.82:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    :mozilla.38:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    :mozilla.39:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    :mozilla.40:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    :mozilla.93:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    :mozilla.103:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    :mozilla.104:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    :mozilla.105:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    :mozilla.106:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\kse6f5fc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Program Files\Hvdoe\Dwon.exe -> Trojan.Small.cy : Cleaned with backup (quarantined).


    ::Report end

    and the HJT scan:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:44:28 PM, on 8/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Documents and Settings\All Users\Documents\Ares\Ares.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
    C:\WINDOWS\svchost.exe

    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\All Users\Documents\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ferrylanddowns.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/acgm/acgm.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
     
  8. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Hello lees58....

    Were you able to delete this file: C:\WINDOWS\svchost.exe in the last set of instructions? It's still there in the HJT log...

    1. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    2. Credit: swandog46

    1) Please download the Killbox.
    Unzip it to the desktop but do NOT run it yet.

    2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

    3) Once in Safe Mode, please run Killbox.

    4) Select "Delete on Reboot".

    5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\svchost.exe

    6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Let the system reboot.

    3. Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    4. Post the contents of the ActiveScan report, a new HJT log and let me know how your system is running...
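The file cfa-ddg2 is chasing, C:\WINDOWS\svchost.exe, is easy to miss in a HijackThis log because the legitimate svchost.exe sits one directory deeper, in C:\WINDOWS\system32. The script below is an added example (not part of the thread, and not code from HijackThis, ewido or Killbox) that reads the "Running processes" block of an HJT-style log and flags any process whose file name matches a core Windows binary but whose directory is not the expected one. The table of expected directories and the abridged sample log are constructed for the example; the expected-directory mapping is an assumption for Windows XP, not a Microsoft reference list. It also flags O4 Run entries that name a bare executable with no path (like the SoundMan entry in the log above), since those are resolved through the search path rather than a fixed location.

```python
import re

# Assumed canonical directories for core Windows XP binaries (lowercased).
# This mapping is an assumption for the example, not an authoritative list.
CANONICAL_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "wuauclt.exe": {r"c:\windows\system32"},
}

# Constructed sample: an abridged copy of the HJT log posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:44:28 PM, on 8/10/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\svchost.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""


def running_processes(log_text):
    """Return the absolute paths listed under 'Running processes:'.

    The block ends at the first blank line, which is how HJT lays it out.
    """
    paths = []
    in_block = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def split_path(path):
    """Split 'C:\\dir\\name.exe' into (lowercased dir, lowercased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def masquerading(paths):
    """Return paths whose file name is a core system binary but whose
    directory is not one of the canonical locations for that binary."""
    suspicious = []
    for path in paths:
        directory, name = split_path(path)
        expected = CANONICAL_DIRS.get(name)
        if expected is not None and directory not in expected:
            suspicious.append(path)
    return suspicious


def bare_run_entries(log_text):
    """Return (entry name, executable) for O4 Run entries whose command is a
    bare file name with no directory, i.e. resolved via the search path."""
    entries = []
    pattern = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
    for line in log_text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            exe = cmd[1:cmd.find('"', 1)]   # quoted path, keep spaces intact
        else:
            exe = cmd.split(" ")[0]         # first token up to the arguments
        if "\\" not in exe:
            entries.append((m.group("name"), exe))
    return entries


if __name__ == "__main__":
    procs = running_processes(SAMPLE_HJT_LOG)
    for p in masquerading(procs):
        print("suspicious process path:", p)
    for name, exe in bare_run_entries(SAMPLE_HJT_LOG):
        print("bare Run entry:", name, "->", exe)
```

Run against the sample, the only masquerading entry is C:\WINDOWS\svchost.exe; the system32 copy and Explorer.EXE in C:\WINDOWS pass, and SoundMan is the only Run entry without a path. The comparison is done on the directory, not just the file name, because a name match alone would also flag every legitimate svchost.exe instance.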
     
  9. beachem

    beachem

    Joined:
    Aug 11, 2006
    Messages:
    2
  10. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Frank,

    While I appreciate your opinion and input, this site (and most other malware removal sites) asks that non-qualified individuals do not post advice into threads. This is a matter of quality control, and I hope you understand.

    In this case, SpySweeper may indeed be justified and we may use it if needed...but often the advice offered to victims by non-qualified/verified 'experts' can be harmful.

    If you believe you are qualified to post advice to victims regarding malware removal, please apply to do so with the site's admins who will determine your level of expertise before posting.

    If you wish to train in malware removal, there are many excellent training sites...send me a PM and I can give you links.
     
  11. pugmug

    pugmug Banned

    Joined:
    Jun 13, 2005
    Messages:
    2,857
    cfa-ddg2,can you show me where a rule is written in TSG that states what you just posted to Frank?
     
  12. TechGuy

    TechGuy Administrator

    Joined:
    Feb 12, 1999
    Messages:
    14,195
    First Name:
    Mike
    So that advice given to users is consistent and of the highest quality, it is highly recommended that you complete training before helping folks with security (and malware) related issues. It is rare that we need to step in and force people to stop helping, but if their advice is harmful or distracting, we will do so.
     
  13. pugmug

    pugmug Banned

    Joined:
    Jun 13, 2005
    Messages:
    2,857
    So are you stating that Frank's post is not helpful?
     
  14. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    When you check the rules link, the first thing you see is the following text...

    The following rules are guidelines for using the Tech Support Guy Bulletin Board. These rules were designed merely to give users a framework in which to conform their conduct while participating on the Board. The Administration, in its discretion has final say as to the specific action to be taken, if any, for violations of rules. Further, the Administration reserves the right to close or delete any thread or post that it deems unacceptable for any reason, regardless of whether such thread or post violates a specific rule or rules. Keep in mind that our goal is to provide useful technical support in a congenial atmosphere, which is the ultimate guideline we will use when evaluating any post or thread, or the conduct of any member. If you have any questions, email [email protected].
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    You'd "THINK" that with Tech Guy posting in this thread, he'd get the hint. The ice is getting thinner ;)

    My first thought, was, here is a guy, with two posts, and in each, hyping the same software. Sends up a red flag for me in any event :rolleyes: Not to mention, his other post was in a thread already marked solved :rolleyes:

    BTW, I see another thread where Cookiegal referred pugmug to the forum rules as well.
     
Short URL to this thread: https://techguy.org/490647