
spyware

Discussion in 'All Other Software' started by tainle, Jul 24, 2006.

  1. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    I have a serious spyware problem. Last time I went to this site I got SurfSideKick3 aka ssk.exe and I tried to remove it via Add/Remove Programs in Control Panel. It's not there anymore.

    When I got SSK onto my PC, I also got other viruses and trojans as well. Currently I am trying to delete some files in the system32 folder but they seem to come back. I also noticed a new application running in Task Manager, file name mmcwk.exe, and there are 3 of them running in Task Manager. I try to delete them but they keep coming back. There is also a new application running called command.exe. It was never there and I am not allowed to delete it. There are also these applications running called wdlskt.exe and xijavyk.exe. All the applications I mentioned were never running before I got the virus and trojan. I hear some pop-up noise while on the desktop, and I also get pop-ups randomly when browsing the net.
    --------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 2:19:57 AM, on 7/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS1\System32\smss.exe
    C:\WINDOWS1\system32\csrss.exe
    C:\WINDOWS1\system32\winlogon.exe
    C:\WINDOWS1\system32\services.exe
    C:\WINDOWS1\system32\lsass.exe
    C:\WINDOWS1\system32\svchost.exe
    C:\WINDOWS1\system32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS1\VGltIExl\command.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS1\system32\nvsvc32.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS1\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS1\Explorer.EXE
    C:\WINDOWS1\system32\wscntfy.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS1\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup\palstart.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
    R3 - URLSearchHook: (no name) - <default> - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS1\system32\mmcwk.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS1\system32\userinit.exe,xijavyk.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: palstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121124000279
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127605449843
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS1\System32\NavLogon.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS1\system32\mtrd2x40.dll (file missing)
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS1\VGltIExl\command.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Hi and welcome to TSG,

    Please download Qoofix by Rubber Ducky to your desktop.
    • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
    • Close all windows and programs, including internet windows.
    • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
    • Click Begin Removal and wait for the scan to finish
    • If Qoofix finds an infection, select yes to restart your computer
    • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.
     
  3. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    Hi, I did as you said. Here is the log file. Thanks for the help, but the processes that were there are terminated. Is there still any risk that someone can have access to my PC?


    Qoofix v1.02 by http://www.malwarebytes.org
    Scan started on [7/24/2006] at [1:15:50 PM]
    -------------------------------------------------------------
    Terminated module: ckksccu.dll found in Qoofix.exe (1612)
    Terminated module: ckksccu.dll found in SDMCP.exe (1668)
    Terminated module: ckksccu.dll found in wbload.exe (1720)
    Terminated module: ckksccu.dll found in wscntfy.exe (608)
    Terminated module: ckksccu.dll found in mmcwk.exe (1312)
    Terminated module: ckksccu.dll found in mmcwk.exe (1424)
    Terminated module: ckksccu.dll found in wdlskt.exe (2052)
    Terminated module: ckksccu.dll found in sunThreatEngine.exe (2148)
    Terminated module: ckksccu.dll found in SunProtectionServer.exe (2564)
    Terminated module: ckksccu.dll found in ccApp.exe (2592)
    Terminated module: ckksccu.dll found in realsched.exe (2600)
    Terminated module: ckksccu.dll found in VPTray.exe (2628)
    Terminated module: ckksccu.dll found in SunServer.exe (2660)
    Terminated module: ckksccu.dll found in iTunesHelper.exe (2688)
    Terminated module: ckksccu.dll found in CTHELPER.EXE (2756)
    Terminated module: ckksccu.dll found in DrgToDsc.exe (2892)
    Terminated module: ckksccu.dll found in RxMon.exe (2908)
    Terminated module: ckksccu.dll found in aim.exe (2968)
    Terminated module: ckksccu.dll found in CursorXP.exe (2976)
    Terminated module: ckksccu.dll found in Playlist.exe (3076)
    Terminated module: ckksccu.dll found in palstart.exe (3100)
    Terminated module: ckksccu.dll found in SpybotSD.exe (1572)
    Terminated module: ckksccu.dll found in iexplore.exe (2560)
    Terminated module: ckksccu.dll found in wmplayer.exe (3764)
    -------------------------------------------------------------
    C:\WINDOWS1\system32\cbavw.dat will be deleted on reboot!
    C:\WINDOWS1\system32\ckksccu.dll will be deleted on reboot!
    C:\WINDOWS1\system32\mmcwk.exe will be deleted on reboot!
    C:\WINDOWS1\system32\wdlskt.exe will be deleted on reboot!
    C:\WINDOWS1\system32\xijavyk.exe will be deleted on reboot!
    C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup\okwtr.exe will be deleted on reboot!

    User prompted YES to reboot, system now rebooting...
    -------------------------------------------------------------
    Scan COMPLETED SUCCESSFULLY on [7/24/2006] at [1:19:01 PM]

    Note: Some registry keys may have been removed.
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Here's a summary of what Qoologic can do, depending on the variant:

    Clear all pop-ups
    Set foreground window
    Remove programs/windows from the taskbar
    Create full-screen pop-ups
    Generate an exception (i.e. - crash a program)
    Monitor its own hooks
    Execute tasks from a remote server
    Create pop-ups
    Dump debug data to a remote server
    Display a fake uninstalled message dialog
    Update itself
    Show a pop-up message
    Monitor mouse clicks and keystrokes
    Modify the user's registry
    Browser hijack (redirects)


    Please post a new HijackThis log.
     
  5. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    Here is the HijackThis log after using the Qoologic


    Logfile of HijackThis v1.99.1
    Scan saved at 9:05:03 PM, on 7/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS1\System32\smss.exe
    C:\WINDOWS1\system32\winlogon.exe
    C:\WINDOWS1\system32\services.exe
    C:\WINDOWS1\system32\lsass.exe
    C:\WINDOWS1\system32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\system32\spoolsv.exe
    C:\WINDOWS1\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS1\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS1\system32\nvsvc32.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup\palstart.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS1\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
    R3 - URLSearchHook: (no name) - <default> - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: palstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121124000279
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127605449843
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS1\System32\NavLogon.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS1\system32\mtrd2x40.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
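As an added example (not part of this thread or of HijackThis itself), a small Python triage script over constructed excerpts of the two logs posted so far: it flags the system.ini Shell= and UserInit= additions, the service with no publisher, the ProxyOverride bypass list and the orphaned "(file missing)" entries, then diffs the before and after logs to show what Qoofix's reboot cleanup actually removed. The heuristics and the excerpts are the example's own assumptions.

```python
"""Triage HijackThis logs: flag suspicious entries and diff a before/after pair."""
import re

# Constructed excerpt of the first log in the thread (before Qoofix was run).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS1\system32\mmcwk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS1\system32\userinit.exe,xijavyk.exe
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: palstart.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS1\system32\mtrd2x40.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS1\VGltIExl\command.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed excerpt of the second log (after Qoofix and the reboot).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: palstart.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS1\system32\mtrd2x40.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# A HijackThis entry line: section code (R1, F2, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^\s*([RFO]\d+)\s+-\s+(.*\S)\s*$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag(section, body):
    """Return a reason string if the entry deserves a human look, else None.

    These are triage heuristics (assumed for this example), not a verdict.
    """
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        # Shell= should be exactly Explorer.exe; anything appended loads with the desktop.
        progs = [p.strip() for p in body.split("Shell=", 1)[1].split(",")]
        if progs != ["Explorer.exe"]:
            return "extra shell program: " + ", ".join(progs[1:])
    if section == "F2" and body.startswith("REG:system.ini: UserInit="):
        # UserInit= runs at logon; a second program after userinit.exe is a persistence hook.
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        if len(progs) > 1:
            return "extra userinit program: " + ", ".join(progs[1:])
    if section == "O23" and "- Unknown owner -" in body:
        return "service with no publisher"
    if section == "R1" and "ProxyOverride" in body:
        return "proxy bypass list set"
    if body.endswith("(file missing)"):
        return "orphaned entry (file missing)"
    if section == "O4" and body.startswith("Global Startup:") and "\\" not in body:
        return "startup item with no path"
    return None


def triage(text):
    """List (section, body, reason) for every flagged entry in a log."""
    out = []
    for section, body in parse_hjt(text):
        reason = flag(section, body)
        if reason:
            out.append((section, body, reason))
    return out


def diff_logs(before, after):
    """Return (removed, added): entries present only before, and only after."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, body, why in triage(LOG_BEFORE):
        print(f"[{sec}] {why}: {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone after cleanup:")
    for sec, body in removed:
        print(f"  - {sec} {body}")
    print("Still present and flagged:")
    for sec, body, why in triage(LOG_AFTER):
        print(f"  ! {sec} {why}")
```

The diff shows the Shell=/UserInit= hooks, the missing Accoona BHO and the cmdService service gone, while the ProxyOverride list and the orphaned Telephony notify entry survive the reboot and still need manual attention.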
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: or whatever your primary drive is)"
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with this yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  7. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    Here are the HijackThis log, the ActiveScan log and the Ewido log.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:12 PM, on 7/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS1\System32\smss.exe
    C:\WINDOWS1\system32\winlogon.exe
    C:\WINDOWS1\system32\services.exe
    C:\WINDOWS1\system32\lsass.exe
    C:\WINDOWS1\system32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS1\Explorer.EXE
    C:\WINDOWS1\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS1\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup\palstart.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS1\system32\nvsvc32.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS1\system32\wscntfy.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
    R3 - URLSearchHook: (no name) - <default> - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: palstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121124000279
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127605449843
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS1\System32\NavLogon.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS1\system32\mtrd2x40.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS1\system32\ZoneLabs\vsmon.exe
    ---------------------------------------------------------------------

    active scan section


    Incident Status Location

    Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Temporary Internet Files\Ssk.log
    Spyware:spyware/media-motor Not disinfected Windows Registry
    Adware:adware/popupsearches Not disinfected Windows Registry
    Adware:adware/mirar Not disinfected Windows Registry
    Adware:adware/sidesearch Not disinfected Windows Registry
    Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Application Data\PC Tools\Spyware Doctor\quarantine\Temp\00000003.000[MSOData]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt
    Spyware:Cookie/bravenetA Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][4].txt
    Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt
    Adware:Adware/CommAd Not disinfected C:\WINDOWS1\VGltIExl\p35QKHU5.vbs
    -----------------------------------------------------------
     
  8. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    This is the Ewido report


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:20:38 PM 7/24/2006

    + Scan result:



    HKLM\SOFTWARE\Classes\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    HKU\S-1-5-21-436374069-963894560-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    HKU\S-1-5-21-436374069-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314863.exe -> Adware.BookedSpace : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP410\A0315164.dll -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS1\cfg32.exe -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS1\cfg32a.exe -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS1\cfg32o.dll -> Adware.BookedSpace : Cleaned.
    C:\WINDOWS1\cfg32r.dll -> Adware.BookedSpace : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP411\A0315229.exe -> Adware.CommAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP411\A0315230.dll -> Adware.CommAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315271.exe -> Adware.CommAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315272.dll -> Adware.CommAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317684.exe -> Adware.CommAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317685.dll -> Adware.CommAd : Cleaned.
    C:\WINDOWS1\VGltIExl\asappsrv.dll -> Adware.CommAd : Cleaned.
    C:\WINDOWS1\VGltIExl\command.exe -> Adware.CommAd : Cleaned.
    C:\WINDOWS1\system32\nsa30.dll -> Adware.Ezula : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314869.exe -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316426.dll -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316442.exe -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316445.exe -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316455.dll -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317596.dll -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317637.exe -> Adware.Look2Me : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317638.exe -> Adware.Look2Me : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315315.exe -> Adware.MediaMotor : Cleaned.
    C:\WINDOWS1\unstall.exe -> Adware.MediaMotor : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314979.exe -> Adware.MediaTicket : Cleaned.
    C:\WINDOWS1\mirar.exe -> Adware.NetNucleus : Cleaned.
    C:\Program Files\Common Files\Аdobe\sсanregw.exe -> Adware.PurityScan : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316497.dll -> Adware.PurityScan : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0315058.dll -> Adware.Softomate : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Temp\i40.tmp -> Adware.SurfSide : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0315131.exe -> Adware.SurfSide : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0315133.dll -> Adware.SurfSide : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315313.dll -> Adware.TargetServer : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\18F395DF-C79D-45A0-B46E-B04593\3CB262E5-6259-41D6-AB22-582853 -> Adware.WebHancer : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\18F395DF-C79D-45A0-B46E-B04593\50F236A7-C8ED-4D1F-B577-1BC836 -> Adware.WebHancer : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314874.exe -> Downloader.Adload.cu : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316441.exe -> Downloader.Adload.cu : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317639.exe -> Downloader.Adload.cu : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316444.exe -> Downloader.Adload.cy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317641.exe -> Downloader.Adload.cy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314872.exe -> Downloader.Adload.de : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316435.exe -> Downloader.Adload.de : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314871.exe -> Downloader.Agent.aaf : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314981.exe -> Downloader.Agent.aaf : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316438.dll -> Downloader.Agent.agw : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314985.exe -> Downloader.Dyfuca.ey : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315314.exe -> Downloader.Dyfuca.ey : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314873.exe -> Downloader.Qoologic.at : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0315028.exe -> Downloader.Qoologic.at : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316495.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316496.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316498.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317576.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317577.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317578.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317895.dll -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317896.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317897.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317898.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317899.exe -> Downloader.Qoologic.bj : Cleaned.
    C:\WINDOWS1\pss\okwtr.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Desktop\DC++ Downloaded\wintaskspro.exe/wintasks.exe -> Downloader.Small : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317545.exe -> Downloader.Small : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317550.exe/wintasks.exe -> Downloader.Small : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP415\A0317811.rbf -> Downloader.Small : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314830.exe -> Downloader.Small.ajc : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314875.exe -> Downloader.Small.buy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316430.exe -> Downloader.Small.buy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316431.exe -> Downloader.Small.buy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315342.exe -> Downloader.Small.bwy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316362.exe -> Downloader.Small.bwy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317644.exe -> Downloader.Small.bwy : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317663.exe -> Downloader.Small.bwy : Cleaned.
    C:\Program Files\Common Files\mevopug.dll -> Downloader.Small.ctp : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315312.exe -> Downloader.TSUpdate.f : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315306.exe -> Downloader.TSUpdate.l : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315310.exe -> Downloader.TSUpdate.n : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314866.exe -> Downloader.TSUpdate.o : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315308.exe -> Downloader.TSUpdate.p : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316427.ocx -> Downloader.VB.bo : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314867.exe -> Dropper.Agent.mu : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314865.exe -> Dropper.Small.qn : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317799.exe -> Hijacker.Small : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315318.exe -> Hijacker.Small.jf : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Temp\drsmartload180a.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315341.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316361.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316432.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316433.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316434.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317642.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317662.exe -> Hijacker.VB.fg : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP409\A0314870.exe -> Hijacker.VB.nh : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316440.exe -> Hijacker.VB.nh : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP414\A0317640.exe -> Hijacker.VB.nh : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Local Settings\Temp\WinAntiVirusPro2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0315269.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316429.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Adserver : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Adtrak : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected]vedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Adviva : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Centrport : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Clickbank : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Clickhype : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Com : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Com : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Counted : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hitslink : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Hotlog : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Hotlog : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Onestat : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Pro-market : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Qksrv : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Realcastmedia : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected]ue[1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Searchingbooth : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Spylog : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Targetnet : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Valuead : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][1].txt -> TrackingCookie.Valuead : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Valueclick : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Wegcash : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Yadro : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Cookies\tim [email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\RECYCLER\S-1-5-21-436374069-963894560-839522115-500\Dc9\tim [email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\WINDOWS1\system32\Mіcrosoft.NET\rundll.exe -> Trojan.PurityAd : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP412\A0316437.exe -> Trojan.Qoologic : Cleaned.
    C:\System Volume Information\_restore{F977E763-54CC-43D7-AF1A-0BBDB13DB1EC}\RP416\A0318272.exe -> Trojan.Starter.65 : Cleaned.


    ::Report end
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Click here to download Look2Me-Destroyer.exe and save it to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message; click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
    • Your computer will then shut down.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
     
  10. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    Hi, here are the Hijack and Look2Me logs.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:36:25 PM, on 7/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS1\System32\smss.exe
    C:\WINDOWS1\system32\winlogon.exe
    C:\WINDOWS1\system32\services.exe
    C:\WINDOWS1\system32\lsass.exe
    C:\WINDOWS1\system32\svchost.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\WINDOWS1\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS1\Explorer.EXE
    C:\WINDOWS1\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS1\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup\palstart.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS1\system32\nvsvc32.exe
    C:\WINDOWS1\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS1\system32\wscntfy.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS1\system32\wuauclt.exe
    C:\Documents and Settings\Tim Le.GEFORCEZ-NP6A0T\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
    R3 - URLSearchHook: (no name) - <default> - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: palstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121124000279
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127605449843
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS1\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS1\system32\ZoneLabs\vsmon.exe

    ------------------------------------------------------------------------


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 7/25/2006 1:10:05 PM

    Infected! C:\WINDOWS1\system32\mtrd2x40.dll

    Attempting to delete infected files...

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2F352415-0867-4F7B-BE77-351C36B68A74}"
    HKCR\Clsid\{2F352415-0867-4F7B-BE77-351C36B68A74}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF4C980E-3E3F-4DF5-81A5-6050A544E197}"
    HKCR\Clsid\{BF4C980E-3E3F-4DF5-81A5-6050A544E197}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
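The log above is triaged by eye in this thread. As an added example (my own code, not a tool from the thread or from the HijackThis or Look2Me-Destroyer authors), the following Python script parses HijackThis-style entries and flags the kinds of lines the helper acted on here: the R3 URLSearchHook with "(no file)", the R1 ProxyOverride, any O20 Winlogon Notify handler (the Look2Me cleanup removed a Notify\Telephony key), and any path containing non-ASCII characters, such as the Cyrillic "і" in the "Mіcrosoft.NET" directory from the earlier ewido report. The sample log is constructed: it copies a few lines from the posted log and adds one hypothetical O4 entry carrying that homoglyph path so the check has something to find.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
import unicodedata

# Constructed sample: lines copied from the posted log, plus one hypothetical
# O4 entry that carries the homoglyph path reported by ewido ("M\u0456crosoft.NET").
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [hypothetical] C:\\WINDOWS1\\system32\\M\u0456crosoft.NET\\rundll.exe
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS1\\System32\\NavLogon.dll
"""

# HijackThis entries look like "<section tag> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entry(line):
    """Split one log line into its section tag (R1, O4, ...) and body; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def non_ascii_chars(text):
    """Return [(char, unicode name)] for every non-ASCII character in text."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in text if ord(c) > 127]


def triage(log_text):
    """Return [(section, reason)] for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue  # headers such as "Running processes:" are skipped
        sec, body = entry["section"], entry["body"]
        reasons = []
        if sec == "R1" and "ProxyOverride" in body:
            reasons.append("proxy override set; confirm the listed hosts are expected")
        if sec == "R3" and "(no file)" in body:
            reasons.append("URLSearchHook points at a missing file (orphaned hook)")
        if sec == "O20":
            reasons.append("Winlogon Notify DLL loads at logon; verify path and publisher")
        odd = non_ascii_chars(body)
        if odd:
            names = ", ".join(f"U+{ord(c):04X} {n}" for c, n in odd)
            reasons.append(f"non-ASCII character in path (possible homoglyph): {names}")
        for reason in reasons:
            findings.append((sec, reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```

Legitimate software also registers Winlogon Notify handlers (the NavLogon entry here belongs to Symantec), so an O20 hit means "verify", not "remove"; the homoglyph check is the strongest signal in this set, because a genuine Microsoft.NET directory is spelled entirely in ASCII.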
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    R3 - URLSearchHook: (no name) - <default> - (no file)



    How are things running now?
     
  12. tainle

    tainle Thread Starter

    Joined:
    Jul 24, 2006
    Messages:
    23
    It's working fine now, thanks for your help.
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    That's great!

    Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

    To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

    In the System Restore wizard, select Create a restore point and click the Next button.

    Type a name for your new restore point then click on Create.


    I also recommend downloading SPYWAREBLASTER for added protection.

    Read here for info on how to tighten your security.



    Delete your temporary files:

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

    Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then hit Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.
     
Short URL to this thread: https://techguy.org/485839