
Solved: [email protected] problems

Discussion in 'Virus & Other Malware Removal' started by Bazookajt, Jan 28, 2006.

  1. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    Okay, Norton Anti-Virus detected and cleaned [email protected] a few days ago. I followed up by going to the Symantec web site and following the instructions, which included deleting the following registry keys:
    Hkey_local_Machine>Software>Microsoft>Windows>Run>inet20002\services.exe
    Hkey_local_Machine>Software>Microsoft>Windows>Explorer>Browser Helper Objects>{5321E378-FFAD-4999-8C62-03CA8155F0B3}

    However, the virus is still respawning on reboot, under C:\Windows\inet20002\services.exe and C:\Windows\inet20002\alg.exe

    I ran a Norton Anti-Virus system scan, CWShredder, and Spybot Search & Destroy. I found some associated files, which were easily cleaned. However, the [email protected] infection still remains, and I am stumped.

    On a side note, a window called "Result:" pops up every few minutes, with a string of True/False indicators, numbers, and a few websites (http://netlook.biz/search.php?qq=travel, for example). It ends with the phrase "Wait for Complete and Feel Forms" (not sure if this information is helpful, but it is probably part of the virus). When these windows are closed, even with the Task Manager, they open an IE page with the specified link.

    Here is the HijackThis! logfile (I think I can see problems, but I don't want to mess up my computer any more):

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:01 AM, on 1/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\inet20002\services.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\TrayComm.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\WINDOWS\System32\jhdiapwt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\dcniaaaa.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\srshost.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Internet Explorer\IExplore.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    F3 - REG:win.ini: run=C:\WINDOWS\inet20002\services.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\getui.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TrayComm] TrayComm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKLM\..\Run: [Microsoft Windows System] jhdiapwt.exe
    O4 - HKLM\..\Run: [dcniaaaa] C:\WINDOWS\System32\dcniaaaa.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] jhdiapwt.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
    O4 - HKCU\..\Run: [dcniaaaa] C:\WINDOWS\System32\dcniaaaa.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {47CEF84E-92D8-4C4A-86D7-CB982889DCC0} (FlashNet Class) - http://mp1.mplay.oberon-media.com/client/flashnet.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq.com/odyssey_web11.cab
    O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://portal.bcs-tx.com/troop285/Portal/resources/msddsc.cab
    O20 - Winlogon Notify: getui - C:\WINDOWS\SYSTEM32\getui.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: IEFilter - {9ADBFFBC-D5A1-4C74-BD2C-7975CE7B7CAA} - C:\WINDOWS\system32\IEFilter.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PSPShuffleIndexer - - c:\program files\psp shuffle\pspshuffleindexer.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Thank you very much for the help
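The HijackThis log above is the kind of thing a responder triages by hand: an `O4` autorun entry that is a bare filename (`jhdiapwt.exe`), a core-Windows binary name living outside System32 (`C:\WINDOWS\inet20002\services.exe`), the same executable re-registered under HKLM, HKCU and `win.ini`, and a BHO CLSID whose DLL is already gone. The following Python script is an added example, not code from the thread or from HijackThis; it parses the `F3`, `O2`/`O3` and `O4` line formats shown in the log and applies those four triage heuristics. The sample lines are copied from the posted log (with the iTunes and Messenger entries kept as benign controls); the regular expressions and the list of "System32-only" binary names are my assumptions about the format, not something the page documents.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis log posted above (entries copied
# from it; the iTunes and Messenger lines are included as benign controls).
SAMPLE = r"""F3 - REG:win.ini: run=C:\WINDOWS\inet20002\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\getui.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Windows System] jhdiapwt.exe
O4 - HKLM\..\Run: [dcniaaaa] C:\WINDOWS\System32\dcniaaaa.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] jhdiapwt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dcniaaaa] C:\WINDOWS\System32\dcniaaaa.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe
"""

# Line shapes as they appear in HijackThis 1.99 output (assumed from the log above).
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F3_RE = re.compile(r'^F3 - REG:win\.ini: run=(?P<cmd>.*)$')
NOFILE_RE = re.compile(r'^O[23] - .*\{(?P<clsid>[0-9A-Fa-f-]+)\}.* - \(no file\)$')
# First token of a command line ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# Core Windows binaries that legitimately live only in System32 (assumed list).
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "alg.exe"}
SYSTEM32 = r"c:\windows\system32"


def parse(text):
    """Return (hive, key, name, exe_path, line) for every O4 / win.ini autorun entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
        else:
            m = F3_RE.match(line)
            if not m:
                continue
            hive, key, name, cmd = "win.ini", "run", "", m.group("cmd")
        exe = EXE_RE.match(cmd)
        entries.append((hive, key, name, exe.group("path") if exe else cmd, line))
    return entries


def triage(text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    entries = parse(text)
    locations = defaultdict(set)  # lower-cased exe path -> (hive, key) pairs it is registered in
    for hive, key, name, path, line in entries:
        folder, base = ntpath.split(path)  # ntpath handles Windows paths on any host
        if not folder:
            findings[line].append("bare filename: resolved through the PATH search order, real location hidden")
        elif base.lower() in SYSTEM_NAMES and folder.lower() != SYSTEM32:
            findings[line].append("system-binary name outside System32: likely masquerading")
        locations[path.lower()].add((hive, key))
    for hive, key, name, path, line in entries:
        n = len(locations[path.lower()])
        if n > 1:
            findings[line].append("same executable registered in %d autorun locations (redundant persistence)" % n)
    for line in text.splitlines():
        m = NOFILE_RE.match(line.strip())
        if m:
            findings[line.strip()].append("CLSID %s registered but its file is missing: orphaned hook" % m.group("clsid"))
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Running it on the sample flags the eight malicious lines and stays silent on the iTunes and Messenger entries; the `getui.dll` BHO is not caught by these heuristics (its file exists and it is registered once), which is exactly why the Spy Sweeper signature hit on it later in the thread still matters.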
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.
    · Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    ==================
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  3. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    Okay, I ran VundoFix, but it did not detect any files. I am running Webroot right now; it has already detected some CWS variants (they must have downloaded themselves again, or got past CWShredder). I will edit the logs in here when the scan is done.

    While I was opening Webroot, it said that Services.exe was attempting to form a BHO, which I blocked. Was that the right thing to do?

    Edit: The Webroot search found tons of things (most were cookies), and the startup viruses haven't shown up this time, nor have the "Result:" windows. Here is the log:

    11:22 AM: | Start of Session, Saturday, January 28, 2006 |
    11:22 AM: Spy Sweeper started
    11:22 AM: Sweep initiated using definitions version 606
    11:22 AM: Found Adware: coolwebsearch (cws)
    11:22 AM: HKLM\software\microsoft\windows\currentversion\run\ || xp_system (ID = 1058916)
    11:22 AM: services.exe (ID = 1058916)
    11:22 AM: Found Adware: virtumonde
    11:22 AM: HKCR\clsid\{f85e86d8-f796-4c97-aaa2-26664a98a42c}\inprocserver32\ (2 subtraces) (ID = 1064461)
    11:22 AM: getui.dll (ID = 1064461)
    11:22 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows\currentversion\run\ || xp_system (ID = 1058917)
    11:22 AM: services.exe (ID = 1058917)
    11:22 AM: Starting Memory Sweep
    11:29 AM: Found Trojan Horse: backdoor mixus
    11:29 AM: Detected running threat: C:\WINDOWS\SYSTEM32\dcniaaaa.exe (ID = 213912)
    11:29 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dcniaaaa (ID = 0)
    11:29 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\Software\Microsoft\Windows\CurrentVersion\Run || dcniaaaa (ID = 0)
    11:34 AM: Memory Sweep Complete, Elapsed Time: 00:11:42
    11:34 AM: Starting Registry Sweep
    11:34 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}\ (1 subtraces) (ID = 111753)
    11:34 AM: HKLM\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112471)
    11:34 AM: Found System Monitor: perfect keylogger
    11:34 AM: HKCR\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136696)
    11:34 AM: HKLM\software\classes\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136703)
    11:34 AM: HKLM\software\classes\typelib\{1e1b286c-88ff-11d3-8d96-d7acac95951a}\ (9 subtraces) (ID = 136706)
    11:34 AM: HKCR\typelib\{1e1b286c-88ff-11d3-8d96-d7acac95951a}\ (9 subtraces) (ID = 136714)
    11:34 AM: Found Trojan Horse: trojan_backdoor_retro64
    11:34 AM: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
    11:34 AM: HKCR\retro64_loader.r64loader.1\ (3 subtraces) (ID = 144996)
    11:34 AM: HKCR\retro64_loader.r64loader\ (5 subtraces) (ID = 144997)
    11:34 AM: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
    11:34 AM: HKLM\software\classes\retro64_loader.r64loader.1\ (3 subtraces) (ID = 145001)
    11:34 AM: HKLM\software\classes\retro64_loader.r64loader\ (5 subtraces) (ID = 145002)
    11:34 AM: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
    11:34 AM: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
    11:34 AM: Found Trojan Horse: komforochka smtp relay
    11:34 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}\ (1 subtraces) (ID = 816109)
    11:34 AM: Found Trojan Horse: spamrelayer_alpiok
    11:34 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || iefilter (ID = 889885)
    11:34 AM: HKCR\iepl.iepl\ (5 subtraces) (ID = 1064370)
    11:34 AM: HKCR\iepl.iepl.1\ (3 subtraces) (ID = 1064376)
    11:34 AM: HKCR\clsid\{f85e86d8-f796-4c97-aaa2-26664a98a42c}\ (12 subtraces) (ID = 1064380)
    11:34 AM: HKLM\software\classes\iepl.iepl\ (5 subtraces) (ID = 1064403)
    11:34 AM: HKLM\software\classes\iepl.iepl.1\ (3 subtraces) (ID = 1064409)
    11:34 AM: HKLM\software\classes\clsid\{f85e86d8-f796-4c97-aaa2-26664a98a42c}\ (12 subtraces) (ID = 1064413)
    11:34 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{f85e86d8-f796-4c97-aaa2-26664a98a42c}\ (ID = 1064431)
    11:34 AM: HKLM\software\microsoft\windows\currentversion\uninstall\sd_is1 optimizer\ (2 subtraces) (ID = 1064432)
    11:34 AM: HKLM\software\microsoft\windows\currentversion\run\ || xp_system (ID = 1109437)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\internet explorer\keywords\ (17 subtraces) (ID = 109820)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\internet explorer\sites\ (20 subtraces) (ID = 109822)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\internet explorer\keywords\ (17 subtraces) (ID = 1035782)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows nt\currentversion\windows\ || run (ID = 1059118)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows nt\currentversion\windows\ || run (ID = 1062376)
    11:34 AM: Found Trojan Horse: trojan-backdoor-babagdaac
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows\currentversion\run\ || srshost.exe (ID = 1067338)
    11:34 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\software\microsoft\windows\currentversion\run\ || xp_system (ID = 1109434)
    11:34 AM: Registry Sweep Complete, Elapsed Time:00:00:39
    11:34 AM: Starting Cookie Sweep
    11:34 AM: Found Spy Cookie: 2o7.net cookie
    11:34 AM: [email protected][2].txt (ID = 1957)
    11:34 AM: Found Spy Cookie: websponsors cookie
    11:34 AM: [email protected][2].txt (ID = 3665)
    11:34 AM: Found Spy Cookie: yieldmanager cookie
    11:34 AM: [email protected][2].txt (ID = 3751)
    11:34 AM: Found Spy Cookie: adecn cookie
    11:34 AM: [email protected][2].txt (ID = 2063)
    11:34 AM: Found Spy Cookie: adknowledge cookie
    11:34 AM: [email protected][2].txt (ID = 2072)
    11:34 AM: Found Spy Cookie: adlegend cookie
    11:34 AM: [email protected][1].txt (ID = 2074)
    11:34 AM: Found Spy Cookie: hbmediapro cookie
    11:34 AM: [email protected][2].txt (ID = 2768)
    11:34 AM: Found Spy Cookie: specificclick.com cookie
    11:34 AM: [email protected][1].txt (ID = 3400)
    11:34 AM: Found Spy Cookie: nextag cookie
    11:34 AM: [email protected][1].txt (ID = 5015)
    11:34 AM: Found Spy Cookie: adrevolver cookie
    11:34 AM: [email protected][1].txt (ID = 2088)
    11:34 AM: [email protected][3].txt (ID = 2088)
    11:34 AM: Found Spy Cookie: addynamix cookie
    11:34 AM: [email protected][1].txt (ID = 2062)
    11:34 AM: Found Spy Cookie: cc214142 cookie
    11:34 AM: [email protected][1].txt (ID = 2367)
    11:34 AM: Found Spy Cookie: pointroll cookie
    11:34 AM: [email protected][2].txt (ID = 3148)
    11:34 AM: Found Spy Cookie: ads.rampidads.com cookie
    11:34 AM: [email protected][2].txt (ID = 2125)
    11:34 AM: Found Spy Cookie: advertising cookie
    11:34 AM: [email protected][1].txt (ID = 2175)
    11:34 AM: Found Spy Cookie: falkag cookie
    11:34 AM: [email protected][1].txt (ID = 2650)
    11:34 AM: Found Spy Cookie: askmen cookie
    11:34 AM: [email protected][2].txt (ID = 2247)
    11:34 AM: Found Spy Cookie: ask cookie
    11:34 AM: [email protected][1].txt (ID = 2245)
    11:34 AM: Found Spy Cookie: atlas dmt cookie
    11:34 AM: [email protected][2].txt (ID = 2253)
    11:34 AM: Found Spy Cookie: belnk cookie
    11:34 AM: [email protected][2].txt (ID = 2293)
    11:34 AM: Found Spy Cookie: atwola cookie
    11:34 AM: [email protected][2].txt (ID = 2255)
    11:34 AM: Found Spy Cookie: azjmp cookie
    11:34 AM: [email protected][1].txt (ID = 2270)
    11:34 AM: Found Spy Cookie: banner cookie
    11:34 AM: [email protected][2].txt (ID = 2276)
    11:34 AM: [email protected][2].txt (ID = 2292)
    11:34 AM: Found Spy Cookie: bluestreak cookie
    11:34 AM: [email protected][1].txt (ID = 2314)
    11:34 AM: Found Spy Cookie: bravenet cookie
    11:34 AM: [email protected][1].txt (ID = 2322)
    11:34 AM: Found Spy Cookie: bs.serving-sys cookie
    11:34 AM: [email protected][2].txt (ID = 2330)
    11:34 AM: Found Spy Cookie: burstnet cookie
    11:34 AM: [email protected][2].txt (ID = 2336)
    11:34 AM: Found Spy Cookie: zedo cookie
    11:34 AM: [email protected][1].txt (ID = 3763)
    11:34 AM: Found Spy Cookie: casalemedia cookie
    11:34 AM: [email protected][2].txt (ID = 2354)
    11:34 AM: [email protected][1].txt (ID = 1958)
    11:34 AM: Found Spy Cookie: centrport net cookie
    11:34 AM: [email protected][2].txt (ID = 2374)
    11:34 AM: Found Spy Cookie: clickbank cookie
    11:34 AM: [email protected][2].txt (ID = 2398)
    11:34 AM: Found Spy Cookie: coolsavings cookie
    11:34 AM: [email protected][1].txt (ID = 2465)
    11:34 AM: Found Spy Cookie: 360i cookie
    11:34 AM: [email protected][1].txt (ID = 1962)
    11:34 AM: Found Spy Cookie: customer cookie
    11:34 AM: [email protected][1].txt (ID = 2481)
    11:34 AM: [email protected][1].txt (ID = 2293)
    11:34 AM: Found Spy Cookie: ru4 cookie
    11:34 AM: [email protected][1].txt (ID = 3269)
    11:34 AM: [email protected][1].txt (ID = 1958)
    11:34 AM: Found Spy Cookie: exitexchange cookie
    11:34 AM: [email protected][1].txt (ID = 2633)
    11:34 AM: Found Spy Cookie: fastclick cookie
    11:34 AM: [email protected][1].txt (ID = 2651)
    11:34 AM: Found Spy Cookie: fe.lea.lycos.com cookie
    11:34 AM: [email protected][1].txt (ID = 2660)
    11:34 AM: Found Spy Cookie: findwhat cookie
    11:34 AM: [email protected][1].txt (ID = 2674)
    11:34 AM: Found Spy Cookie: fortunecity cookie
    11:34 AM: [email protected][1].txt (ID = 2686)
    11:34 AM: Found Spy Cookie: gamespy cookie
    11:34 AM: [email protected][1].txt (ID = 2719)
    11:34 AM: Found Spy Cookie: go.com cookie
    11:34 AM: [email protected][1].txt (ID = 2728)
    11:34 AM: Found Spy Cookie: clickandtrack cookie
    11:34 AM: [email protected][2].txt (ID = 2397)
    11:34 AM: [email protected][1].txt (ID = 2355)
    11:34 AM: [email protected][1].txt (ID = 1958)
    11:34 AM: Found Spy Cookie: domainsponsor cookie
    11:34 AM: [email protected][1].txt (ID = 2535)
    11:34 AM: Found Spy Cookie: linksynergy cookie
    11:34 AM: [email protected][2].txt (ID = 2926)
    11:34 AM: Found Spy Cookie: maxserving cookie
    11:34 AM: [email protected][2].txt (ID = 2966)
    11:34 AM: Found Spy Cookie: mediaplex cookie
    11:34 AM: [email protected][1].txt (ID = 6442)
    11:34 AM: [email protected][1].txt (ID = 1958)
    11:34 AM: [email protected][1].txt (ID = 5014)
    11:34 AM: Found Spy Cookie: okcounter.com cookie
    11:34 AM: [email protected][1].txt (ID = 3093)
    11:34 AM: Found Spy Cookie: overture cookie
    11:34 AM: [email protected][2].txt (ID = 3105)
    11:34 AM: Found Spy Cookie: partypoker cookie
    11:34 AM: [email protected][1].txt (ID = 3111)
    11:34 AM: [email protected][1].txt (ID = 3106)
    11:34 AM: Found Spy Cookie: pub cookie
    11:34 AM: [email protected][1].txt (ID = 3205)
    11:34 AM: Found Spy Cookie: questionmarket cookie
    11:34 AM: [email protected][1].txt (ID = 3217)
    11:34 AM: Found Spy Cookie: realmedia cookie
    11:34 AM: [email protected][2].txt (ID = 3235)
    11:34 AM: Found Spy Cookie: revenue.net cookie
    11:34 AM: [email protected][1].txt (ID = 3257)
    11:34 AM: Found Spy Cookie: adjuggler cookie
    11:34 AM: [email protected][2].txt (ID = 2071)
    11:34 AM: [email protected][1].txt (ID = 2466)
    11:34 AM: Found Spy Cookie: server.iad.liveperson cookie
    11:34 AM: [email protected][1].txt (ID = 3341)
    11:34 AM: Found Spy Cookie: serving-sys cookie
    11:34 AM: [email protected][1].txt (ID = 3343)
    11:34 AM: Found Spy Cookie: servlet cookie
    11:34 AM: [email protected][1].txt (ID = 3345)
    11:34 AM: [email protected][1].txt (ID = 1958)
    11:34 AM: Found Spy Cookie: starware.com cookie
    11:34 AM: [email protected][2].txt (ID = 3441)
    11:34 AM: Found Spy Cookie: statcounter cookie
    11:34 AM: [email protected][2].txt (ID = 3447)
    11:34 AM: Found Spy Cookie: webtrendslive cookie
    11:34 AM: [email protected][1].txt (ID = 3667)
    11:34 AM: Found Spy Cookie: tacoda cookie
    11:34 AM: [email protected][2].txt (ID = 6444)
    11:34 AM: Found Spy Cookie: targetnet cookie
    11:34 AM: [email protected][1].txt (ID = 3489)
    11:34 AM: Found Spy Cookie: tickle cookie
    11:34 AM: [email protected][2].txt (ID = 3529)
    11:34 AM: Found Spy Cookie: tradedoubler cookie
    11:34 AM: [email protected][1].txt (ID = 3575)
    11:34 AM: Found Spy Cookie: trafficmp cookie
    11:34 AM: [email protected][2].txt (ID = 3581)
    11:34 AM: Found Spy Cookie: tribalfusion cookie
    11:34 AM: [email protected][2].txt (ID = 3589)
    11:34 AM: Found Spy Cookie: tripod cookie
    11:34 AM: [email protected][1].txt (ID = 3591)
    11:34 AM: Found Spy Cookie: coremetrics cookie
    11:34 AM: [email protected][1].txt (ID = 2472)
    11:34 AM: Found Spy Cookie: valuead cookie
    11:34 AM: [email protected][1].txt (ID = 3626)
    11:35 AM: Cookie Sweep Complete, Elapsed Time: 00:00:10
    11:35 AM: Starting File Sweep
    11:35 AM: a0168618.dll (ID = 220754)
    11:44 AM: 3.00.13.dll (ID = 220754)
    11:45 AM: dcniaaaa.exe (ID = 213912)
    11:45 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dcniaaaa (ID = 0)
    11:45 AM: HKU\S-1-5-21-1472088925-2815215258-2582357402-1008\Software\Microsoft\Windows\CurrentVersion\Run || dcniaaaa (ID = 0)
    11:45 AM: gjoyuoos.exe (ID = 213877)
    12:35 PM: File Sweep Complete, Elapsed Time: 01:00:09
    12:35 PM: Full Sweep has completed. Elapsed time 01:12:52
    12:35 PM: Traces Found: 446
    1:32 PM: Removal process initiated
    1:32 PM: Quarantining All Traces: komforochka smtp relay
    1:32 PM: Quarantining All Traces: perfect keylogger
    1:32 PM: Quarantining All Traces: spamrelayer_alpiok
    1:32 PM: Quarantining All Traces: virtumonde
    1:32 PM: virtumonde is in use. It will be removed on reboot.
    1:32 PM: getui.dll is in use. It will be removed on reboot.
    1:32 PM: Quarantining All Traces: backdoor mixus
    1:32 PM: backdoor mixus is in use. It will be removed on reboot.
    1:32 PM: C:\WINDOWS\SYSTEM32\dcniaaaa.exe is in use. It will be removed on reboot.
    1:32 PM: Quarantining All Traces: coolwebsearch (cws)
    1:32 PM: coolwebsearch (cws) is in use. It will be removed on reboot.
    1:32 PM: services.exe is in use. It will be removed on reboot.
    1:32 PM: services.exe is in use. It will be removed on reboot.
    1:32 PM: Quarantining All Traces: trojan_backdoor_retro64
    1:32 PM: Quarantining All Traces: trojan-backdoor-babagdaac
    1:32 PM: Quarantining All Traces: 247realmedia cookie
    1:32 PM: Quarantining All Traces: 2o7.net cookie
    1:32 PM: Quarantining All Traces: 360i cookie
    1:32 PM: Quarantining All Traces: abcsearch cookie
    1:32 PM: Quarantining All Traces: about cookie
    1:32 PM: Quarantining All Traces: addynamix cookie
    1:32 PM: Quarantining All Traces: adecn cookie
    1:32 PM: Quarantining All Traces: adjuggler cookie
    1:32 PM: Quarantining All Traces: adknowledge cookie
    1:32 PM: Quarantining All Traces: adlegend cookie
    1:32 PM: Quarantining All Traces: adminder cookie
    1:32 PM: Quarantining All Traces: adrevolver cookie
    1:32 PM: Quarantining All Traces: ads.rampidads.com cookie
    1:32 PM: Quarantining All Traces: adserver cookie
    1:32 PM: Quarantining All Traces: adtech cookie
    1:32 PM: Quarantining All Traces: advertising cookie
    1:32 PM: Quarantining All Traces: affiliatefuel.com cookie
    1:32 PM: Quarantining All Traces: alt cookie
    1:32 PM: Quarantining All Traces: apmebf cookie
    1:32 PM: Quarantining All Traces: ask cookie
    1:32 PM: Quarantining All Traces: askmen cookie
    1:32 PM: Quarantining All Traces: atlas dmt cookie
    1:32 PM: Quarantining All Traces: atwola cookie
    1:32 PM: Quarantining All Traces: azjmp cookie
    1:32 PM: Quarantining All Traces: banner cookie
    1:32 PM: Quarantining All Traces: belnk cookie
    1:32 PM: Quarantining All Traces: belointeractive cookie
    1:32 PM: Quarantining All Traces: bluestreak cookie
    1:32 PM: Quarantining All Traces: bravenet cookie
    1:32 PM: Quarantining All Traces: bs.serving-sys cookie
    1:33 PM: Quarantining All Traces: burstbeacon cookie
    1:33 PM: Quarantining All Traces: burstnet cookie
    1:33 PM: Quarantining All Traces: casalemedia cookie
    1:33 PM: Quarantining All Traces: cc214142 cookie
    1:33 PM: Quarantining All Traces: centrport net cookie
    1:33 PM: Quarantining All Traces: clickandtrack cookie
    1:33 PM: Quarantining All Traces: clickbank cookie
    1:33 PM: Quarantining All Traces: coolsavings cookie
    1:33 PM: Quarantining All Traces: coremetrics cookie
    1:33 PM: Quarantining All Traces: customer cookie
    1:33 PM: Quarantining All Traces: dealtime cookie
    1:33 PM: Quarantining All Traces: domainsponsor cookie
    1:33 PM: Quarantining All Traces: enhance cookie
    1:33 PM: Quarantining All Traces: exitexchange cookie
    1:33 PM: Quarantining All Traces: falkag cookie
    1:33 PM: Quarantining All Traces: fastclick cookie
    1:33 PM: Quarantining All Traces: fe.lea.lycos.com cookie
    1:33 PM: Quarantining All Traces: findwhat cookie
    1:33 PM: Quarantining All Traces: fortunecity cookie
    1:33 PM: Quarantining All Traces: gamespy cookie
    1:33 PM: Quarantining All Traces: go.com cookie
    1:33 PM: Quarantining All Traces: hbmediapro cookie
    1:33 PM: Quarantining All Traces: kmpads cookie
    1:33 PM: Quarantining All Traces: linksynergy cookie
    1:33 PM: Quarantining All Traces: maxserving cookie
    1:33 PM: Quarantining All Traces: mediaplex cookie
    1:33 PM: Quarantining All Traces: monstermarketplace cookie
    1:33 PM: Quarantining All Traces: nextag cookie
    1:33 PM: Quarantining All Traces: okcounter.com cookie
    1:33 PM: Quarantining All Traces: overture cookie
    1:33 PM: Quarantining All Traces: partypoker cookie
    1:33 PM: Quarantining All Traces: pointroll cookie
    1:33 PM: Quarantining All Traces: pub cookie
    1:33 PM: Quarantining All Traces: qksrv cookie
    1:33 PM: Quarantining All Traces: qsrch cookie
    1:33 PM: Quarantining All Traces: questionmarket cookie
    1:33 PM: Quarantining All Traces: realmedia cookie
    1:33 PM: Quarantining All Traces: realtracker cookie
    1:33 PM: Quarantining All Traces: revenue.net cookie
    1:33 PM: Quarantining All Traces: rightmedia cookie
    1:33 PM: Quarantining All Traces: ru4 cookie
    1:33 PM: Quarantining All Traces: screensavers.com cookie
    1:33 PM: Quarantining All Traces: seeq cookie
    1:33 PM: Quarantining All Traces: servedby advertising cookie
    1:33 PM: Quarantining All Traces: server.iad.liveperson cookie
    1:33 PM: Quarantining All Traces: serving-sys cookie
    1:33 PM: Quarantining All Traces: servlet cookie
    1:33 PM: Quarantining All Traces: specificclick.com cookie
    1:33 PM: Quarantining All Traces: starware.com cookie
    1:33 PM: Quarantining All Traces: statcounter cookie
    1:33 PM: Quarantining All Traces: stlyrics cookie
    1:33 PM: Quarantining All Traces: tacoda cookie
    1:33 PM: Quarantining All Traces: targetnet cookie
    1:33 PM: Quarantining All Traces: tickle cookie
    1:33 PM: Quarantining All Traces: tradedoubler cookie
    1:33 PM: Quarantining All Traces: trafficmp cookie
    1:33 PM: Quarantining All Traces: trb.com cookie
    1:33 PM: Quarantining All Traces: tribalfusion cookie
    1:33 PM: Quarantining All Traces: tripod cookie
    1:33 PM: Quarantining All Traces: valuead cookie
    1:33 PM: Quarantining All Traces: websponsors cookie
    1:33 PM: Quarantining All Traces: web-stat cookie
    1:33 PM: Quarantining All Traces: webtrendslive cookie
    1:33 PM: Quarantining All Traces: xiti cookie
    1:33 PM: Quarantining All Traces: yadro cookie
    1:33 PM: Quarantining All Traces: yieldmanager cookie
    1:33 PM: Quarantining All Traces: zedo cookie
    1:33 PM: Warning: Timed out waiting for explorer.exe
    1:33 PM: Warning: Timed out waiting for explorer.exe
    1:33 PM: Warning: Timed out waiting for explorer.exe
    1:33 PM: Warning: Quarantine process could not restart Explorer.
    1:34 PM: Removal process completed. Elapsed time 00:02:02

    As you can see, I had some IE problems near the end.
     
  4. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    The HijackThis log was too long to fit in that post, so here it is:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:52:06 PM, on 1/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\TrayComm.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\Service.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\jhdiapwt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\srshost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\cidaemon.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TrayComm] TrayComm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKLM\..\Run: [Microsoft Windows System] jhdiapwt.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] jhdiapwt.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {47CEF84E-92D8-4C4A-86D7-CB982889DCC0} (FlashNet Class) - http://mp1.mplay.oberon-media.com/client/flashnet.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq.com/odyssey_web11.cab
    O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://portal.bcs-tx.com/troop285/Portal/resources/msddsc.cab
    O20 - Winlogon Notify: getui - getui.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PSPShuffleIndexer - - c:\program files\psp shuffle\pspshuffleindexer.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    All of the side effects seem to be gone, so I think it is solved (I'll let someone tell me that after they see the HJT log; I can't know for sure).
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Add/Remove Programs – remove Viewpoint

    Fix these with HJT – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [TrayComm] TrayComm.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [Microsoft Windows System] jhdiapwt.exe

    O4 - HKLM\..\RunServices: [Microsoft Windows System] jhdiapwt.exe

    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe


    O20 - Winlogon Notify: getui - getui.dll (file missing)

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\system32\srshost.exe
    C:\Program Files\Viewpoint
    C:\WINDOWS\System32\jhdiapwt.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
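    A triage helper for the kind of HijackThis log posted above, written as an added example for this thread (it is not HijackThis code and not MFDnNC's tooling): it parses O2/O3/O4/O20 lines and flags the three patterns behind the fix list, namely registrations whose file is gone, autostarts that name a bare file with no directory, and use of the RunServices key. The sample lines are constructed from the logs posted in this thread, with known-good entries mixed in.

```python
import re
from typing import NamedTuple

# Constructed sample input: HijackThis v1.99.1 lines from the logs posted in
# this thread, plus known-good entries so the filter has something to pass.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TrayComm] TrayComm.exe
O4 - HKLM\..\Run: [Microsoft Windows System] jhdiapwt.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] jhdiapwt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: getui - getui.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Every HJT entry starts with a section code such as O2, O4, O20.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body layout: HKLM\..\Run: [label] command
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Sections the helper cleared when the registered file no longer exists.
# O9 is left out on purpose: the helper left the O9 "(file missing)" buttons alone.
ORPHAN_SECTIONS = {"O2", "O3", "O20"}


class Finding(NamedTuple):
    line: str
    reasons: tuple


def image_path(command: str) -> str:
    """Return the executable portion of an O4 command, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_bare_name(path: str) -> bool:
    """True when the autostart names only a file, not where it lives (TrayComm.exe)."""
    return "\\" not in path and ":" not in path


def triage(log_text: str) -> list:
    """Return the entries a reviewer should look at first, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section in ORPHAN_SECTIONS and body.endswith(("(no file)", "(file missing)")):
            reasons.append("registration points at a file that no longer exists")
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                _hive, subkey, _label, command = o4.groups()
                if subkey == "RunServices":
                    # Windows 9x-era autostart key; both such lines were in the fix list.
                    reasons.append("uses the RunServices key")
                if is_bare_name(image_path(command)):
                    reasons.append("autostart gives a bare file name with no directory")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

    The srshost.exe and Viewpoint entries in the fix list were called out from the helper's experience rather than a structural pattern, so this script does not catch them; it narrows the log, it does not replace a reviewer.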
     
  6. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    I followed the instructions, and they went off without a hitch. However, one of the files in the Temp folder, ~DFCC07.tmp, could not be deleted because it was in use. Is there any problem with that? I don't even know what it is used for, but it was created today at 2:20 (CMT), long after the infection. Is it still a security threat?

    Otherwise, my computer is running pristinely, with no more pop-ups, odd CPU usage, or crashes. Thank you very much for the help!
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    That is normal - post a new log to make sure all is gone
     
  8. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    Logfile of HijackThis v1.99.1
    Scan saved at 4:18:56 PM, on 1/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\program files\psp shuffle\pspshuffleindexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\Service.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\DllHost.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {47CEF84E-92D8-4C4A-86D7-CB982889DCC0} (FlashNet Class) - http://mp1.mplay.oberon-media.com/client/flashnet.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq.com/odyssey_web11.cab
    O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://portal.bcs-tx.com/troop285/Portal/resources/msddsc.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PSPShuffleIndexer - - c:\program files\psp shuffle\pspshuffleindexer.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
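    As an added illustration (not from this thread and not HijackThis's own code), here is a small Python triage helper for log lines in the format shown above. It parses the `<section> - <description>` shape of each line, pulls out the file path, and attaches review hints: a registration whose file is missing, an unnamed BHO, a service with no vendor listed, and an auto-start item in a directory other than the usual system or Program Files locations. The sample lines are copied from the log above, except the `updsvc.exe` Run entry, which is a constructed example of a start-up item in a non-standard folder. The hints are only a reading order, not verdicts: SDHelper.dll and wanmpsvc.exe both get a hint even though the log attributes them to known vendors (Spybot, AOL).

```python
"""Triage hints for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Generic line shape: "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# First Windows path in the body, ending in an extension HijackThis reports.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|htm|lnk))', re.IGNORECASE)
# O23 body: "Service: <display name> - <vendor> - <path>"; the vendor may be empty.
SERVICE_RE = re.compile(r"^Service:\s+(?P<name>.*?)\s+-\s+(?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.*)$")

# Folders where auto-start binaries are expected on an XP-era machine (assumption for the heuristic).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header/process-list lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    entry = Entry(section, body, pm.group("path") if pm else None)
    if "(file missing)" in body:
        entry.flags.append("file-missing")  # registration points at nothing: stale or already cleaned
    if section == "O2" and body.startswith("BHO: (no name)"):
        entry.flags.append("unnamed-bho")  # legitimate ones exist (SDHelper.dll), so verify the path
    if section == "O23":
        sm = SERVICE_RE.match(body)
        if sm and sm.group("vendor").strip().lower() in ("", "unknown owner"):
            entry.flags.append("no-vendor")
    if section in ("O4", "O20", "O23") and entry.path:
        if not entry.path.lower().startswith(EXPECTED_DIRS):
            entry.flags.append("unusual-location")  # e.g. a loose folder directly under C:\WINDOWS
    return entry


def triage(log_text: str) -> List[Entry]:
    """All parsable entries, in log order."""
    return [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one review hint."""
    return [e for e in triage(log_text) if e.flags]


# Sample input: lines copied from the log above, plus one constructed O4 entry (updsvc.exe).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [updsvc] C:\WINDOWS\tmp123\updsvc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: PSPShuffleIndexer - - c:\program files\psp shuffle\pspshuffleindexer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags):18} {e.body}")
```

    Run it on a full log by reading the file into `triage()`; the flagged list is where to start checking paths against the vendor's site or a file-hash lookup before deciding anything.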
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Clean - If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?

    Restore points
    Turn off restore points, boot, turn them back on – here’s how

    XP
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
    ==================
    Get all of these and/or verify you have the current versions

    SpywareBlaster 3.5.1 http://majorgeeks.com/download2859.html
    SpyBot V1.4 http://www.majorgeeks.com/download2471.html
    AdAware SE 1.06 http://www.majorgeeks.com/download506.html
    MS AntiSpy - http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en (XP and W2K only)

    DownLoad them (they are free), install them, check each for their definition updates and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

    In SpywareBlaster - Always enable all protection after updates
    In SpyBot - After an update run immunize
     
  10. Bazookajt

    Bazookajt Thread Starter

    Joined:
    Jan 28, 2006
    Messages:
    17
    I downloaded spyware blaster, everything else I already had. Thanks a lot for your help, problem solved!
     
Short URL to this thread: https://techguy.org/437930