Solved: Spyware removal


aferroyt

Thread Starter
Joined
Jan 3, 2006
Messages
14
Hello there,

One of my computers seems to be bogged down lately... the fan is constantly on from the moment I boot it up. Using some information from another one of my postings (re: another computer), I've run SpySweeper, done an ActiveScan, and run HijackThis. Attached are my results.

Any suggestions? Is there anything out of the ordinary that might be slowing things down?

Thanks!!

-aferroyt-
 


Joined
Feb 15, 2004
Messages
12,302
posting your logs!


ACTIVESCAN

Incident Status Location

Adware:Adware/RelatedLinks Not disinfected C:\WINDOWS\lbbho.dll
Adware:adware/p2pnetworking Not disinfected C:\Documents and Settings\xxxxx\Local Settings\Temp\p2psetup.exe
Adware:adware/ezula Not disinfected C:\WINDOWS\SYSTEM32\ezStubi.dll
Adware:adware/igetnet Not disinfected C:\WINDOWS\SYSTEM32\NLNP!3.exe
Adware:adware/msview Not disinfected C:\WINDOWS\SYSTEM32\nostalgia.dll
Adware:adware/gator Not disinfected C:\GatorPatch.log
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Spyware:spyware/altnet Not disinfected Windows Registry
Adware:Adware/P2PNetworking Not disinfected C:\Documents and Settings\xxxxx\Desktop\backups\backup-20051010-130857-909.dll
Adware:Adware/P2PNetworking Not disinfected C:\Documents and Settings\xxxxx\Local Settings\Temp\P2P Networkingp2p9.EXE
Adware:Adware/P2PNetworking Not disinfected C:\Documents and Settings\xxxxx\Local Settings\Temp\p2psetup.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\STAR45EF\assassin[1].html
Spyware:Cookie/XXXtoolbar Not disinfected C:\RECYCLER\S-1-5-21-3996124043-3543216420-3386161781-1006\Dc512.txt
Spyware:Cookie/Tickle Not disinfected C:\RECYCLER\S-1-5-21-3996124043-3543216420-3386161781-1006\Dc514.txt
Adware:Adware/RelatedLinks Not disinfected C:\WINDOWS\lbbho.dll
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\cm1.dll
Virus:Trj/Downloader.CHU Disinfected C:\WINDOWS\SYSTEM32\ctbv2.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\ezStubi.dll
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\SYSTEM32\NLNP!3.exe
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\SYSTEM32\NLNP13.dll
Adware:Adware/MSView Not disinfected C:\WINDOWS\SYSTEM32\nostalgia.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\OMsetup.exe
Virus:Trj/Mitglieder.GB Disinfected Local Folders\Deleted Items\Syndony\Jeffrey.zip[1.exe]
Virus:W32/Bagle.GC.worm Disinfected Local Folders\Deleted Items\Nicholas\Margret.zip[1FC02132.exe]
Virus:W32/Bagle.GC.worm Disinfected Local Folders\Deleted Items\Dorothy\Isabell.zip[1FC02132.exe]
Virus:Trj/Mitglieder.FK Disinfected Local Folders\Deleted Items\max.zip[t_535475.exe]
Virus:Trj/Mitglieder.BO Not disinfected Local Folders\Deleted Items\34544.rar[dddd.exe]
-----------------------------------------------------------------


HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 4:49:59 AM, on 10/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office3\Office\OSA.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\xxxxx\Desktop\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {BC8B3620-5107-45C9-8E6A-E3083C959E7D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Check for Free Q-WordSpeak Professional Updates.lnk = C:\Q-WordSpeakPro\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office3\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/CA/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Joined
Feb 15, 2004
Messages
12,302
Hi, welcome to TSG.


Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php





* Download the trial version of Ewido Security Suite here


http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


* Download Cleanup from here:

http://www.stevengould.org/software/cleanup/download.html



* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on the Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET



* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.


O2 - BHO: C:\WINDOWS\lbbho.dll - {BC8B3620-5107-45C9-8E6A-E3083C959E7D} - C:\WINDOWS\lbbho.dll


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.



C:\Documents and Settings\xxxxx\Local Settings\Temp\p2psetup.exe
C:\GatorPatch.log
C:\WINDOWS\smdat32a.sys
C:\Documents and Settings\xxxxx\Desktop\backups\backup-20051010-130857-909.dll
C:\Documents and Settings\xxxxx\Local Settings\Temp\P2P Networkingp2p9.EXE
C:\Documents and Settings\xxxxx\Local Settings\Temp\P2P Networking
C:\Documents and Settings\xxxxx\Local Settings\Temp\p2psetup.exe
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\STAR45EF\assassin[1].html
C:\WINDOWS\lbbho.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\SYSTEM32\cm1.dll
C:\WINDOWS\SYSTEM32\ezStubi.dll
C:\WINDOWS\SYSTEM32\NLNP!3.exe
C:\WINDOWS\SYSTEM32\NLNP13.dll
C:\WINDOWS\SYSTEM32\nostalgia.dll
C:\WINDOWS\SYSTEM32\OMsetup.exe



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.


Reboot to normal mode and run a few online scans!



Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Choose the extended database for the scan!


Post another HijackThis log, and the Ewido and ActiveScan logs.
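The helper's post above works the two logs against each other by hand: every ActiveScan hit that was "Not disinfected" and points at a real file goes on the Killbox list, and the one file that also shows up as a persistence entry in HijackThis (lbbho.dll, the O2 BHO) gets a HijackThis fix as well. Registry-only hits, mail-store items and already-disinfected files need different handling and are left off the list. The script below is an added illustration of that triage, not part of this thread and not a tool the helper used. The sample lines are copied from the logs posted above; the regexes, function names and the "file missing" service check are my own assumptions about the two formats, not anything published by HijackThis or Panda.

```python
import re

# Assumed line shapes, inferred from the logs in this thread (not an official spec).
# ActiveScan: "<Kind>:<Name> <Status> <Location>", Status is "Disinfected" or "Not disinfected".
ACTIVESCAN_RE = re.compile(
    r"^(?P<kind>[^:\s]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)
# HijackThis: "<Section> - <body>", e.g. "O2 - BHO: ..." or "R0 - HKCU\...".
HJT_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")

# Sample input: lines copied from the ActiveScan and HijackThis logs posted in this thread.
ACTIVESCAN_SAMPLE = r"""
Adware:Adware/RelatedLinks Not disinfected C:\WINDOWS\lbbho.dll
Spyware:spyware/altnet Not disinfected Windows Registry
Virus:Trj/Downloader.CHU Disinfected C:\WINDOWS\SYSTEM32\ctbv2.dll
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\SYSTEM32\NLNP!3.exe
Adware:Adware/RelatedLinks Not disinfected C:\WINDOWS\lbbho.dll
Virus:Trj/Mitglieder.BO Not disinfected Local Folders\Deleted Items\34544.rar[dddd.exe]
Adware:adware/p2pnetworking Not disinfected C:\Documents and Settings\xxxxx\Local Settings\Temp\p2psetup.exe
"""

HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: C:\WINDOWS\lbbho.dll - {BC8B3620-5107-45C9-8E6A-E3083C959E7D} - C:\WINDOWS\lbbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def parse_activescan(text):
    """Return one dict (kind, name, status, location) per ActiveScan incident line."""
    return [m.groupdict() for m in (ACTIVESCAN_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_hijackthis(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    return [(m.group("section"), m.group("body"))
            for m in (HJT_RE.match(l.strip()) for l in text.splitlines()) if m]


def is_file_path(location):
    # Only drive-letter paths are deletable files; "Windows Registry" and
    # mail-store items ("Local Folders\...") are not.
    return re.match(r"^[A-Za-z]:\\", location) is not None


def unresolved_files(hits):
    """Deduplicated file paths that ActiveScan reported but could not disinfect."""
    files = []
    for h in hits:
        if h["status"] == "Not disinfected" and is_file_path(h["location"]):
            if h["location"] not in files:
                files.append(h["location"])
    return files


def persistence_for(paths, entries):
    """Map each unresolved file to the HijackThis sections (O2, O4, ...) that load it."""
    refs = {}
    for p in paths:
        sections = [sec for sec, body in entries if p.lower() in body.lower()]
        if sections:
            refs[p] = sections
    return refs


def triage(activescan_text, hjt_text):
    """Correlate both logs into the buckets a helper would act on separately."""
    hits = parse_activescan(activescan_text)
    entries = parse_hijackthis(hjt_text)
    files = unresolved_files(hits)
    unresolved = [h for h in hits if h["status"] == "Not disinfected"]
    return {
        # Files that also have a loader entry: fix in HijackThis *and* delete the file.
        "fix_in_hijackthis": persistence_for(files, entries),
        "delete_files": files,
        "registry_hits": [h["name"] for h in unresolved if h["location"] == "Windows Registry"],
        "mail_store_hits": [h["location"] for h in unresolved
                            if not is_file_path(h["location"]) and h["location"] != "Windows Registry"],
        "already_cleaned": [h["location"] for h in hits if h["status"] == "Disinfected"],
        # Services whose binary is gone are dead autostart entries, worth removing too.
        "stale_services": [body for sec, body in entries
                           if sec == "O23" and body.endswith("(file missing)")],
    }


if __name__ == "__main__":
    for bucket, items in triage(ACTIVESCAN_SAMPLE, HJT_SAMPLE).items():
        print(bucket)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run as-is it prints the same buckets the helper wrote out by hand: lbbho.dll in both the HijackThis fix list (O2) and the file list, NLNP!3.exe and p2psetup.exe as files only, the altnet hit as registry work, the Mitglieder item as a mail-store object, and the ctbv2.dll detection as already handled. The `stale_services` bucket flags the rpcapd service whose binary HijackThis reports as missing.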
 
Joined
Feb 15, 2004
Messages
12,302
Disable spysweeper.

Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

Open Spysweeper and click on Options > Program Options.
Uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Leave it disabled until we are finished here.
 

aferroyt

Thread Starter
Joined
Jan 3, 2006
Messages
14
Hi there,

Ok, I think I ran everything correctly. The only thing I inadvertently missed was your second posting re: disabling SpySweeper. I didn't do this. How will this affect the results?

-aferroyt-

-----------------------

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:45:15 AM, on 11/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office3\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\xxxxx\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Check for Free Q-WordSpeak Professional Updates.lnk = C:\Q-WordSpeakPro\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office3\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/CA/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-----------------------

EWIDO SCAN RESULTS

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:35:52 PM, 10/01/2006
+ Report-Checksum: FFF563AC

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{258A3625-183B-4477-AEE2-EA54DF6D878D} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5} -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9D4548CE-92FD-4C6C-AE7F-3DBE3BC763D8} -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438} -> Spyware.BrilliantDigital : Cleaned with backup
C:\!KillBox\backup-20051010-130857-909.dll -> Downloader.WebP2PInstaller : Cleaned with backup
C:\!KillBox\cm1.dll -> Spyware.ClientMan : Cleaned with backup
C:\!KillBox\ezStubi.dll -> Adware.EZula : Cleaned with backup
C:\!KillBox\lbbho.dll -> Spyware.Neon : Cleaned with backup
C:\!KillBox\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\!KillBox\NLNP!3.exe -> Spyware.IGetNet : Cleaned with backup
C:\!KillBox\NLNP13.dll -> Spyware.IGetNet : Cleaned with backup
C:\!KillBox\nostalgia.dll/MSView.dll -> Trojan.KeyHost.e : Cleaned with backup
C:\!KillBox\nostalgia.dll/MSVprep.exe -> Spyware.BiSpy : Cleaned with backup
C:\!KillBox\nostalgia.dll/MSView.dll -> Trojan.KeyHost.e : Cleaned with backup
C:\!KillBox\nostalgia.dll/MSVprep.exe -> Spyware.BiSpy : Cleaned with backup
C:\!KillBox\p2psetup.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\Documents and Settings\xxxxx\Desktop\backups\backup-20060110-183225-911.dll -> Spyware.Neon : Cleaned with backup
C:\Documents and Settings\xxxxx\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\RECYCLER\S-1-5-21-3996124043-3543216420-3386161781-1006\Dc512.txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP901\A0039202.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP901\A0039203.EXE -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP903\A0039269.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039707.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039708.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039710.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039711.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039712.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039713.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039714.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039715.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039716.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039718.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039719.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039720.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039721.dll -> Downloader.Braidupdate.d : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039722.DLL -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039723.dll -> Downloader.Braidupdate.d : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039739.exe -> Spyware.404Search.h : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP910\A0039743.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039759.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039761.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039835.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039923.dll -> Downloader.WebP2PInstaller : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039924.dll -> Spyware.Neon : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039925.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039926.dll -> Spyware.ClientMan : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039927.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039928.exe -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039929.dll -> Spyware.IGetNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039930.dll/MSView.dll -> Trojan.KeyHost.e : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039930.dll/MSVprep.exe -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039930.dll/MSView.dll -> Trojan.KeyHost.e : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP911\A0039930.dll/MSVprep.exe -> Spyware.BiSpy : Cleaned with backup

-----------------------

ACTIVESCAN RESULTS

Incident Status Location

Adware:adware/gator Not disinfected C:\WINDOWS\GatorUninstaller_cme.log
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Spyware:spyware/altnet Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\!KillBox\assassin[1].html
Adware:Adware/Exact.BargainBuddy Not disinfected C:\!KillBox\OMsetup.exe
Spyware:Cookie/Tickle Not disinfected C:\RECYCLER\S-1-5-21-3996124043-3543216420-3386161781-1006\Dc514.txt
Virus:Trj/Mitglieder.BO Not disinfected Local Folders\Deleted Items\34544.rar[dddd.exe]
-----------------------

KASPERSKY SCAN RESULTS

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 10, 2006 22:17:35
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/01/2006
Kaspersky Anti-Virus database records: 160119
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Email:
C:\

Scan Statistics:
Total number of scanned objects: 118
Number of viruses found: 1
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 190 sec

Infected Object Name - Virus Name
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Thu,06 Feb 2003 19:49:54 PM]/Romeo_Juliet.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Iori Yagami<[email protected]>][Date Sat,08 Feb 2003 00:59:43 PM]/UNNAMED/KOF_The_Game.exe Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Iori Yagami<[email protected]>][Date Sat,08 Feb 2003 00:59:43 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From American Beauty<[email protected]>][Date Sat,08 Feb 2003 14:53:43 PM]/UNNAMED/Beautifull.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From American Beauty<[email protected]>][Date Sat,08 Feb 2003 14:53:43 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Wed,19 Feb 2003 22:40:38 PM]/UNNAMED/Romeo_Juliet.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Wed,19 Feb 2003 22:40:38 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Norton Antivirus<[email protected]>][Date Wed,05 Mar 2003 21:03:18 PM]/UNNAMED/FixKlez.com Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Norton Antivirus<[email protected]>][Date Wed,05 Mar 2003 21:03:18 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Jasmine Stevens<[email protected] >][Date Mon,18 Aug 2003 21:12:37 PM]/UNNAMED/My_Sexy_Pic.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Jasmine Stevens<[email protected] >][Date Mon,18 Aug 2003 21:12:37 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Thu,06 Feb 2003 19:49:54 PM]/UNNAMED/Romeo_Juliet.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Thu,06 Feb 2003 19:49:54 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Iori Yagami<[email protected]>][Date Sat,08 Feb 2003 00:59:43 PM]/UNNAMED/KOF_The_Game.exe Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Iori Yagami<[email protected]>][Date Sat,08 Feb 2003 00:59:43 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From American Beauty<[email protected]>][Date Sat,08 Feb 2003 14:53:43 PM]/UNNAMED/Beautifull.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From American Beauty<[email protected]>][Date Sat,08 Feb 2003 14:53:43 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Wed,19 Feb 2003 22:40:38 PM]/UNNAMED/Romeo_Juliet.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Romeo & Juliet<[email protected]>][Date Wed,19 Feb 2003 22:40:38 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Norton Antivirus<[email protected]>][Date Wed,05 Mar 2003 21:03:18 PM]/UNNAMED/FixKlez.com Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Norton Antivirus<[email protected]>][Date Wed,05 Mar 2003 21:03:18 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Nomadic Screensavers<[email protected]>][Date Wed,03 Sep 2003 19:43:20 PM]/UNNAMED/Screensavers.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Nomadic Screensavers<[email protected]>][Date Wed,03 Sep 2003 19:43:20 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Jasmine Stevens<[email protected] >][Date Mon,18 Aug 2003 21:12:37 PM]/UNNAMED/My_Sexy_Pic.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Jasmine Stevens<[email protected] >][Date Mon,18 Aug 2003 21:12:37 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Nomadic Screensavers<[email protected]>][Date Wed,03 Sep 2003 19:43:20 PM]/UNNAMED/Screensavers.scr Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Nomadic Screensavers<[email protected]>][Date Wed,03 Sep 2003 19:43:20 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Lentin.i

Scan process completed.
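The report above lists 28 infected objects, but almost every path contains a "/" after a .dbx file: Kaspersky uses "/" to descend into an archive or mailbox, so those are messages and attachments inside one Outlook Express folder file, not 28 files on disk. The parser below is an added example (not the poster's log or any Kaspersky tooling) that reads lines in this report format and rolls the detections up to the on-disk container, which is what a reply would have to delete or clean; the sample report is constructed with shortened paths and a placeholder detection name.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kaspersky On-line Scanner report above.
# Paths are shortened and "Example.Test.Placeholder" is a made-up name; it is not
# the poster's real log.
SAMPLE_REPORT = """\
Infected Object Name - Virus Name
C:\\Mail\\Deleted Items.dbx/[From A<sender@example.invalid>][Date Thu,06 Feb 2003 19:49:54 PM]/Romeo_Juliet.scr Infected: Email-Worm.Win32.Lentin.i
C:\\Mail\\Deleted Items.dbx/[From A<sender@example.invalid>][Date Thu,06 Feb 2003 19:49:54 PM]/UNNAMED Infected: Email-Worm.Win32.Lentin.i
C:\\Mail\\Deleted Items.dbx Infected: Email-Worm.Win32.Lentin.i
C:\\Downloads\\setup.exe Infected: Example.Test.Placeholder

Scan process completed.
"""

# One detection line: "<object path> Infected: <detection name>"
DETECTION_RE = re.compile(r"^(?P<object>.+?) Infected: (?P<name>\S+)\s*$")


def parse_report(text):
    """Return (object, container, detection_name) for every 'Infected:' line.

    The container is the object path up to the first '/': Windows paths use
    backslashes, so a forward slash only appears where the scanner stepped
    into an archive, mailbox (.dbx) or e-mail attachment.
    """
    rows = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue  # header, blank and status lines are not detections
        obj = m.group("object")
        container = obj.split("/", 1)[0]
        rows.append((obj, container, m.group("name")))
    return rows


def summarize(text):
    """Count detections per on-disk container file and per detection name."""
    rows = parse_report(text)
    return {
        "objects": len(rows),
        "containers": Counter(container for _, container, _ in rows),
        "names": Counter(name for _, _, name in rows),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['objects']} infected objects in {len(summary['containers'])} files on disk")
    for container, count in summary["containers"].most_common():
        print(f"  {count:3d}  {container}")
    for name, count in summary["names"].most_common():
        print(f"  {count:3d}  {name}")
```

Run against the report above it would show that all 28 objects roll up to the single Hotmail - Deleted Items.dbx file, which is why the next reply has that one file removed rather than 28 separate paths.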
 
Joined
Feb 15, 2004
Messages
12,302
Disable SpySweeper.

Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

Open SpySweeper and click on Options > Program Options.
Uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Leave it disabled until we are finished here.


Turn it back on after running these scans; you should be good to go after this.


How's the computer running now, any better?


* Restart your computer into safe mode now. Perform the following steps in
safe mode:


Have HijackThis fix these entries!


O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx
C:\Documents and Settings\xxxxx\My Documents\Email Backup\Home Email Backup 04-04-05\Hotmail - Deleted Items.dbx/[From Nomadic Screensavers<[email protected]>][Date Wed,03 Sep 2003 19:43:20 PM]/UNNAMED/Screensavers.scr
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\smdat32m.sys


Reboot to normal mode and download and run these tools!



Go to this site and download these tools, and once you have both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

Reboot again.


With CWShredder, close all browsers and programmes and select the FIX button.



Go here and download Microsoft AntiSpyware Beta. First, in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete, just in case;
it is a beta program and there may be false positives).

Restart your computer.


All tools can be downloaded at the link below and found on that page!


. Microsoft® Windows AntiSpyware
. Trend micro CWShredder
. SpyBot search and destroy
. AdAware SE personal


http://www.majorgeeks.com/downloads31.html
 

aferroyt

Thread Starter
Joined
Jan 3, 2006
Messages
14
Hello again,

Yes, my computer is running much better (and quieter)! Thank you ever so much.

I'm still finding the odd thing when I do a scan. See below for example.

What's a realistic expectation for this kind of stuff... complete removal?

-aferroyt-

P.S. I thought I had removed the Kazaa program...

------------------------------
Spyware Scan Details
Start Date: 12/01/2006 2:00:09 AM
End Date: 12/01/2006 2:17:14 AM
Total Time: 17 mins 5 secs

Detected Threats

ClientMan Browser Plug-in more information...
Details: ClientMan may add advertising links to Web pages, display pop-up advertisements, and redirect search engine results, address bar searches and error pages.
Status: Quarantined
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp910\a0039727.exe
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp910\a0039728.exe
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp910\a0039729.exe


Possible Hosts File Hijack Spyware more information...
Details: Possible Hosts File Hijack changes your Windows hosts file.
Status: Quarantined
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\windows\hosts

Infected folders detected
c:\windows\hosts


IPInsight Browser Plug-in more information...
Details: IPInsight is a process or Internet Explorer browser helper object that monitors addresses entered into web forms to compile a database of physical locations of IP addresses.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\windows\sentry.ini

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\ipinsight
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\ipinsight
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\ipinsight Changed 0


BrowserAid Browser Plug-in more information...
Details: BrowserAid is a group of Internet Explorer toolbars that are installed without your consent.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected files detected
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp910\a0039724.dll


Warez P2P Software Bundler more information...
Details: Warez P2P is a file sharing program that installs with adware and spyware including HyperBar, StartNow, and New.Net.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID iMeshClient.DocHostUIHandler
HKEY_CLASSES_ROOT\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF} Implements DocHostUIHandler


Claria.GAIN Adware more information...
Details: Claria.GAIN displays pop-up advertisements based on collected information about you and your Web browsing activities. Claria.GAIN is bundled with advertisement-supported programs from Claria and other companies.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\gatoruninstaller_cme_u.log


iMesh Software Bundler more information...
Details: IMesh is adware based file sharing software that uses peer-to-peer technology. IMesh installs pop-up advertisements and adware such as BonziBuddy, GAIN, and Shopathome.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\recycler\s-1-5-21-3996124043-3543216420-3386161781-1006\dc386.exe
c:\program files\imesh\client\data1024.dbb
c:\program files\imesh\client\data256.dbb
c:\program files\imesh\client\searchmesh.dll
c:\program files\imesh\client\unwise.ini

Infected folders detected
c:\program files\imesh
c:\program files\imesh\client


KaZaA Under Investigation more information...
Details: KaAaA is peer-to-peer file-sharing software that displays advertising and installs third-party adware on your computer.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\program files\kazaa\my shared folder\kmd210_en.exe
c:\program files\kazaa\bgp2p\plugins\bach.xmd
c:\program files\kazaa\data\{b6299c4f-debd-12b0-1d55-e1078fcaf64d}
c:\program files\kazaa\data\{c6fc6490-bcc9-cf2c-0e45-f08e9362aba2}
c:\program files\kazaa\db\ctx4-041111.cab
c:\program files\kazaa\db\ctx4-050823.cab
c:\program files\kazaa\db\data1024.dbb
c:\program files\kazaa\db\data256.dbb
c:\program files\kazaa\db\k7tqkgkk_tssv125.dat
c:\program files\kazaa\db\ova4-050823.cab
c:\program files\kazaa\db\tsi4-041101a.cab
c:\program files\kazaa\db\tsi4-041101b.cab
c:\program files\kazaa\bgp2p\plugins\bzip2.xmd
c:\program files\kazaa\db\tsi4-041116.cab
c:\program files\kazaa\db\tsi4-041125.cab
c:\program files\kazaa\db\tsi4-050801a.cab
c:\program files\kazaa\db\tss4.cab
c:\program files\kazaa\my shared folder\download11288368845703359.dat
c:\program files\kazaa\my shared folder\download11288369305748609.dat
c:\program files\kazaa\my shared folder\download11288382517069812.dat
c:\program files\kazaa\my shared folder\download11288387397558468.dat
c:\program files\kazaa\my shared folder\download11288387627581281.dat
c:\program files\kazaa\my shared folder\download11288387737591812.dat
c:\program files\kazaa\bgp2p\plugins\bzip2.xmd.cab
c:\program files\kazaa\my shared folder\download11288387907609562.dat
c:\program files\kazaa\my shared folder\download11288387957614515.dat
c:\program files\kazaa\my shared folder\hayes-heaven.wma
c:\program files\kazaa\my shared folder\kazaa300_en.exe
c:\program files\kazaa\bgp2p\plugins\cab.xmd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.cvd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.ivd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.rvd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.xmd
c:\program files\kazaa\bgp2p\plugins\ceva_dll.cvd
c:\program files\kazaa\bgp2p\plugins\ceva_dll.cvd.cab
c:\program files\kazaa\tsi2.cab
c:\program files\kazaa\bgp2p\plugins\ceva_emu.cvd.cab
c:\program files\kazaa\bgp2p\plugins\ceva_vfs.cvd
c:\program files\kazaa\bgp2p\plugins\ceva_vfs.cvd.cab
c:\program files\kazaa\bgp2p\plugins\chm.xmd
c:\program files\kazaa\bgp2p\plugins\cpio.xmd
c:\program files\kazaa\bgp2p\plugins\cran.cvd
c:\program files\kazaa\bgp2p\plugins\cran.xmd
c:\program files\kazaa\bgp2p\plugins\dbx.xmd
c:\program files\kazaa\bgp2p\plugins\docfile.xmd
c:\program files\kazaa\bgp2p\plugins\emalware.cvd
c:\program files\kazaa\bgp2p\plugins\ace.xmd
c:\program files\kazaa\bgp2p\plugins\emalware.ivd
c:\program files\kazaa\bgp2p\plugins\emalware.xmd
c:\program files\kazaa\bgp2p\plugins\epoc.xmd
c:\program files\kazaa\bgp2p\plugins\gzip.xmd
c:\program files\kazaa\bgp2p\plugins\ha.xmd
c:\program files\kazaa\bgp2p\plugins\hlp.xmd
c:\program files\kazaa\bgp2p\plugins\hpe.cvd
c:\program files\kazaa\bgp2p\plugins\hpe.xmd
c:\program files\kazaa\bgp2p\plugins\hqx.xmd
c:\program files\kazaa\bgp2p\plugins\html.xmd
c:\program files\kazaa\bgp2p\plugins\adsntfs.xmd.cab
c:\program files\kazaa\bgp2p\plugins\imp.xmd
c:\program files\kazaa\bgp2p\plugins\inno.xmd
c:\program files\kazaa\bgp2p\plugins\instyler.xmd
c:\program files\kazaa\bgp2p\plugins\iso.xmd
c:\program files\kazaa\bgp2p\plugins\java.cvd
c:\program files\kazaa\bgp2p\plugins\java.xmd
c:\program files\kazaa\bgp2p\plugins\jpeg.xmd
c:\program files\kazaa\bgp2p\plugins\lha.xmd
c:\program files\kazaa\bgp2p\plugins\lnk.xmd
c:\program files\kazaa\bgp2p\plugins\mbox.xmd
c:\program files\kazaa\bgp2p\plugins\alz.xmd.cab
c:\program files\kazaa\bgp2p\plugins\mbx.xmd
c:\program files\kazaa\bgp2p\plugins\mdx.xmd
c:\program files\kazaa\bgp2p\plugins\mdx_97.cvd
c:\program files\kazaa\bgp2p\plugins\mdx_97.ivd
c:\program files\kazaa\bgp2p\plugins\mdx_w95.cvd
c:\program files\kazaa\bgp2p\plugins\mdx_x95.cvd
c:\program files\kazaa\bgp2p\plugins\mdx_xf.cvd
c:\program files\kazaa\bgp2p\plugins\mime.xmd
c:\program files\kazaa\bgp2p\plugins\mso.xmd
c:\program files\kazaa\bgp2p\plugins\na.cvd
c:\program files\kazaa\bgp2p\plugins\arc.xmd
c:\program files\kazaa\bgp2p\plugins\na.xmd
c:\program files\kazaa\bgp2p\plugins\nelf.cvd
c:\program files\kazaa\bgp2p\plugins\nelf.xmd
c:\program files\kazaa\bgp2p\plugins\nsis.xmd
c:\program files\kazaa\bgp2p\plugins\objd.xmd
c:\program files\kazaa\bgp2p\plugins\pdf.xmd
c:\program files\kazaa\bgp2p\plugins\pst.xmd
c:\program files\kazaa\bgp2p\plugins\rar.xmd
c:\program files\kazaa\bgp2p\plugins\rpm.xmd
c:\program files\kazaa\bgp2p\plugins\rtf.xmd
c:\program files\kazaa\bgp2p\plugins\arc.xmd.cab
c:\program files\kazaa\bgp2p\plugins\rup.cvd
c:\program files\kazaa\bgp2p\plugins\rup.xmd
c:\program files\kazaa\bgp2p\plugins\sdx.cvd
c:\program files\kazaa\bgp2p\plugins\sdx.ivd
c:\program files\kazaa\bgp2p\plugins\sdx.xmd
c:\program files\kazaa\bgp2p\plugins\sfx.xmd
c:\program files\kazaa\bgp2p\plugins\swf.xmd
c:\program files\kazaa\bgp2p\plugins\tar.xmd
c:\program files\kazaa\bgp2p\plugins\td0.xmd
c:\program files\kazaa\bgp2p\plugins\thebat.xmd
c:\program files\kazaa\bgp2p\plugins\arj.xmd
c:\program files\kazaa\bgp2p\plugins\tnef.xmd
c:\program files\kazaa\bgp2p\plugins\unpack.cvd
c:\program files\kazaa\bgp2p\plugins\unpack.ivd
c:\program files\kazaa\bgp2p\plugins\unpack.xmd
c:\program files\kazaa\bgp2p\plugins\update.txt
c:\program files\kazaa\bgp2p\plugins\uudecode.xmd
c:\program files\kazaa\bgp2p\plugins\ve.cvd
c:\program files\kazaa\bgp2p\plugins\ve.ivd
c:\program files\kazaa\bgp2p\plugins\ve.xmd
c:\program files\kazaa\bgp2p\plugins\vedata.cvd
c:\program files\kazaa\bgp2p\plugins\arj.xmd.cab
c:\program files\kazaa\bgp2p\plugins\viza.xmd
c:\program files\kazaa\bgp2p\plugins\wise.xmd
c:\program files\kazaa\bgp2p\plugins\xishield.xmd
c:\program files\kazaa\bgp2p\plugins\z.xmd
c:\program files\kazaa\bgp2p\plugins\zip.xmd
c:\program files\kazaa\bgp2p\plugins\zoo.xmd
c:\program files\kazaa\bgp2p\plugins.htm
c:\program files\kazaa\bgp2p\versions.dat
c:\program files\kazaa\data\{0b371f71-6845-b1dc-3441-59aa2cd579b3}
c:\program files\kazaa\data\{0f6ee194-64d5-d6d4-9ee2-eb253520449a}

Infected folders detected
c:\program files\kazaa
c:\program files\kazaa\bgp2p
c:\program files\kazaa\data
c:\program files\kazaa\db
c:\program files\kazaa\licenses
c:\program files\kazaa\my shared folder
c:\program files\kazaa\bgp2p\plugins

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Kazaa\Advanced
HKEY_CURRENT_USER\software\kazaa Tmp 0
HKEY_LOCAL_MACHINE\software\kazaa
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\in b0 40460
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\in b1 0
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\in b0seconds 1503
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\LastEstimate b 9323
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\LastEstimate time 1128836524
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\out b0 44
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\out b1 0
HKEY_LOCAL_MACHINE\software\kazaa\Bandwidth\out b0seconds 320
HKEY_CURRENT_USER\Software\Kazaa\Advanced Status Installed
HKEY_LOCAL_MACHINE\software\kazaa\CloudLoad ShareDir
HKEY_LOCAL_MACHINE\software\kazaa\ConnectionInfo +
HKEY_LOCAL_MACHINE\software\kazaa\ConnectionInfo
HKEY_LOCAL_MACHINE\software\kazaa\LocalContent +
HKEY_LOCAL_MACHINE\software\kazaa\LocalContent DownloadDir C:\Program Files\Kazaa\My Shared Folder
HKEY_LOCAL_MACHINE\software\kazaa\LocalContent DatabaseDir C:\Program Files\Kazaa\Db
HKEY_LOCAL_MACHINE\software\kazaa +
HKEY_LOCAL_MACHINE\software\kazaa Tmp 0
HKEY_LOCAL_MACHINE\software\kazaa ListenPort 1687
HKEY_LOCAL_MACHINE\software\kazaa UDP_probe_successes -1431655765
HKEY_CURRENT_USER\software\kazaa
HKEY_LOCAL_MACHINE\software\kazaa
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking Changed 0
HKEY_CURRENT_USER\software\kazaa\Advanced Status Installed
HKEY_CURRENT_USER\software\kazaa\Settings +
HKEY_CURRENT_USER\software\kazaa\Settings Date
HKEY_CURRENT_USER\software\kazaa\Settings UseCount 0
HKEY_CURRENT_USER\software\kazaa\Transfer +
HKEY_CURRENT_USER\software\kazaa\Transfer NoUploadLimitWhenIdle 1


Detected Spyware Cookies
No spyware cookies were found during this scan.
 
Joined
Feb 15, 2004
Messages
12,302
Where did you get this log from, what programme?


Go here and download Kazaa Begone and run it!


http://www.majorgeeks.com/KazaaBegone_d3446.html


Go to Add/Remove and uninstall iMesh, then delete its folder from C:\Program Files.


Look for these folders and, if they are there, delete them!


Because XP will not always show you hidden files and folders by default,
go to Start > Search and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden
files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


Claria.GAIN or just
claria
Gain




Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box. Then click Yes
to reboot after you have entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



c:\windows\sentry.ini
c:\windows\gatoruninstaller_cme_u.log
c:\program files\imesh
c:\windows\hosts
c:\program files\kazaa



Post another log!
 

aferroyt

Thread Starter
Joined
Jan 3, 2006
Messages
14
Hello again,

That was an online scan from BitDefender.

Since I had already removed Kazaa and iMesh previously, I couldn't find any of the folders you suggested, but I did perform all the steps. Below is my HijackThis log.

Still can't believe how quiet my computer is... almost forgot it should be 'seen and not heard'. (smile)

-aferroyt-

------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:56:40 PM, on 16/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Office3\Office\OSA.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\Acrodist.exe
C:\Documents and Settings\xxxxxx\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\schannel.dll
O4 - Startup: Check for Free Q-WordSpeak Professional Updates.lnk = C:\Q-WordSpeakPro\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office3\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/CA/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Joined
Feb 15, 2004
Messages
12,302
clean log!

You should now turn off System Restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.

How to turn off System Restore:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here are some free tools to keep you from getting infected in the future.

To stop reinfection get these two tools, SpywareGuard and SpywareBlaster,
from

http://www.javacoolsoftware.com/downloads.html

Get the hosts file from here:

http://www.mvps.org/winhelp2002/hosts.htm

Put it into:

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD. Puts over 5000 sites in your Restricted Zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

http://www.winpatrol.com/winpatrol.html

Use Spybot's Immunize button and use SpywareBlaster's Enable Protection
once you update it. You can put Spybot's hosts file into
your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has
a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.

http://www.mozilla.org/

Another good and free browser is Opera!

http://www.opera.com/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners:

http://www.firewallguide.com/anti-trojan.htm

You can mark your own thread solved through Thread Tools at the top of
the page.
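The hosts-file step in the reply above (get the list, put it in the per-OS folder, merge it into your own and lock it), as an added example that is not part of the original thread, the MVPS list or any of the tools named: a small Python script that merges a blocklist in hosts-file format into an existing hosts file without duplicating names, resolves the target folder for the Windows family the post lists, and clears the write bit on the result. The sample hosts content, the blocklist and the `.invalid` hostnames are constructed for this example; the folder paths are the ones the reply gives. The script writes to a scratch directory so it never touches a real hosts file.

```python
"""Merge a hosts-format blocklist into a hosts file and lock it (added example)."""
import stat
import tempfile
from pathlib import Path

# Hosts file folders exactly as listed in the reply, keyed by Windows family.
HOSTS_DIRS = {
    "xp": Path(r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC"),
    "2k": Path(r"C:\WINNT\SYSTEM32\DRIVERS\ETC"),
    "9x": Path(r"C:\WINDOWS"),
}

# Constructed sample of an existing hosts file (not a real one).
EXISTING_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

# Constructed sample blocklist in the same layout the MVPS file uses
# (sinkhole address, then hostname); the names are deliberately .invalid.
BLOCKLIST = """# constructed sample, not the real MVPS list
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid
0.0.0.0 ads.example.invalid   # duplicate: must be collapsed
"""

# Addresses that send a hostname nowhere useful.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def hosts_path(family):
    """Full hosts-file path for a Windows family ('xp', '2k' or '9x')."""
    return HOSTS_DIRS[family] / "hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped,
    and a line with several names yields one pair per name."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def merge_hosts(existing_text, blocklist_text):
    """Keep the existing file as-is and append blocklist entries whose
    hostname it does not already contain, each name written once."""
    seen = {name for _, name in parse_hosts(existing_text)}
    additions = []
    for ip, name in parse_hosts(blocklist_text):
        if name not in seen:
            seen.add(name)
            additions.append(f"{ip} {name}")
    merged = existing_text.rstrip("\n") + "\n"
    if additions:
        merged += "\n# --- merged blocklist entries ---\n" + "\n".join(additions) + "\n"
    return merged


def is_blocked(hosts_text, hostname):
    """True if hostname maps to a sinkhole address in hosts_text."""
    hostname = hostname.lower()
    return any(n == hostname and ip in SINKHOLES for ip, n in parse_hosts(hosts_text))


def write_and_lock(path, text):
    """Write the file, then clear the write bits so software cannot silently
    rewrite it (the reply's 'lock it'). Returns True if the file ended up locked."""
    path = Path(path)
    if path.exists():  # a previously locked file must be unlocked before writing
        path.chmod(path.stat().st_mode | stat.S_IWUSR)
    path.write_text(text)
    path.chmod(path.stat().st_mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return not (path.stat().st_mode & stat.S_IWUSR)


def demo(directory=None):
    """Run the merge against the constructed samples in a scratch directory;
    returns the merged text and whether the written copy is locked."""
    directory = directory or tempfile.mkdtemp(prefix="hosts-demo-")
    merged = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    locked = write_and_lock(Path(directory) / "hosts", merged)
    return merged, locked


if __name__ == "__main__":
    merged_text, locked_ok = demo()
    print(merged_text)
    print("locked:", locked_ok, "| XP target:", hosts_path("xp"))
```

Merging rather than overwriting keeps any entries you added yourself, and clearing the write bit is the same read-only attribute the reply means by "lock it"; on a real machine you would pass `hosts_path("xp")` (or the family that matches your system) to `write_and_lock` instead of the scratch path, and you would need to unlock the file again before the next update.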
 