Full Version: help identifying malware..?
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
Kaoscontrol
Well, I'm having some trouble identifying a malware.
My main anti-virus, Panda, can't detect it.
Lavasoft doesn't detect it.
Spybot Search and Destroy doesn't detect it.
Yet Spyware Doctor detects a lot more than the others... but I can't tell if these are correct as I don't have a license for it as of yet. Spyware Doctor does detect a C2.lop spyware... but Spybot doesn't... and it actually searches for it :S

Well, anyway, these are the symptoms I have discovered SO FAR:

1) A new icon appears on my desktop for cellphone ringtones every now and then *don't know if this is related*

2) I am having a hell of a lot more pop-ups than normal, advertising eBay, casinos, 888.com, cell phones etc.

3) I found a new folder in my Application Data folder named "wait roam bore", which was actually detected by Spyware Doctor as a C2.lop folder. Inside I found 6 files, one named FLAGKNOB.exe and some with random letters. Originally I couldn't delete these, but after a system restore all were deleted except the folder itself, which is being used elsewhere apparently.

4) In Task Manager 2 iexplore.exe processes are open with no internet even connected, at a CPU of 80-93; when closed they just regenerate themselves.

5) New favorites have been added to my favorite websites, containing 6 folders for gifts, online gaming, cool stuff etc... all with BUY THIS, BUY THAT etc.

6) The 404 "page cannot be displayed" page has been changed to a "page cannot be displayed" page with a search bar and hundreds of links... and the original 404 page is discarded at the bottom. For an image go to this site: http://img137.imageshack.us/img137/7177/virus1sj.jpg, and if you zoom into the address bar at the bottom, it has been changed to res://C:\WINDOWS\SYSTEM32\shdoclc.dll\refresh.gif,
clearly not the right page.

If anyone has ANY symptoms they would like me to check, to see if it's something that you have an idea of, OR has the actual name based on what I've said... please let me know. Help me smite this bugger.

Thanks a lot,
James
LS CalamityJane
From your description that definitely sounds like the LOP parasite. Could you please post your Ad-Aware scan log and then a HijackThis log for review. Instructions for both follow:

Please make sure that you are using Ad-aware SE Build 106r1.
Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.
[If not, uninstall your old Ad-aware first, then install SE.]

Then use the WebUpDate to get the latest definition file, SE1R112 15.06.2006. To do this, open Ad-aware and click the WebUpDate button at the top right-hand side of the Ad-aware screen (the world globe). Click "Connect"; Ad-aware will then download the latest definition file for you. To make sure it is updated, look at the main Ad-aware screen under "Initialization Status": it should show the latest definition file.

Then scan, doing a "Full Scan", and post your logfile here using the Add Reply feature.

Logs are stored in:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\
An easy way to get there is to click Start, click Run, type in %appdata% and press ENTER, then click Lavasoft, then Ad-Aware, and then Logs. Scroll down to find the latest one that you have (by date & time), open it, right-click, Select All, copy, and then paste the contents of it here.
(Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all.)
I recommend that you use the WebUpDate just before you scan; that way you will always be up to date.

(Note: the Application Data folder is a hidden folder, so you will need to show hidden files and folders.)
..............................................................
Instructions on creating a HijackThis Log
http://www.lavasoftsupport.com/index.php?showtopic=216
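As an added example (not part of CalamityJane's post and not a Lavasoft tool): a small Python parser for the Ad-Aware SE log layout posted in this thread. It pulls out each "... Object Recognized!" block, the "#:N [image]" process entries, the "found in memory" warnings and the "Process terminated successfully" lines, then groups detections by family with their highest TAC rating and counts how often the same image had to be terminated during one scan. An image terminated twice in a single scan was relaunched while the scan ran, which matches the "they just regenerate themselves" symptom above and means something else is restarting it. The embedded SAMPLE_LOG is a trimmed excerpt constructed in that layout using paths from the thread's log; the user-profile path check is a heuristic of this example, not an Ad-Aware feature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed excerpt in the Ad-Aware SE log layout posted in
# this thread (same block shapes and field names, paths taken from that log).
SAMPLE_LOG = r"""Ad-Aware SE Build 1.06r1
Using definitions file:SE1R112 15.06.2006

MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\internet explorer\typedurls

#:11 [explorer.exe]
FilePath : C:\WINDOWS\

Lop Object Recognized!
Type : Process
Data : CoalWma.exe
TAC Rating : 7
Object : C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\

Warning! Lop Object found in memory(C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe)
"C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe"Process terminated successfully

#:41 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\

Lop Object Recognized!
Type : Process
Data : CoalWma.exe
TAC Rating : 7
Object : C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\

"C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe"Process terminated successfully

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\whenusavemsg
"""

DETECTION_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
PROCESS_RE = re.compile(r"^#:(?P<n>\d+) \[(?P<image>[^\]]+)\]$")
MEMORY_RE = re.compile(r"^Warning! (?P<family>.+?) Object found in memory\((?P<path>.+)\)$")
TERMINATED_RE = re.compile(r'^"(?P<path>[^"]+)"Process terminated successfully$')
# Heuristic of this example: profile directories in the 8.3 short or long form seen in the log.
USER_PROFILE_MARKERS = ("docume~1", "documents and settings", "applic~1", "application data")


def parse_kv(line):
    """Split an Ad-Aware 'Key : Value' line; MRU blocks use the odd 'Location: : value' form."""
    if line.endswith(" :"):                       # empty value, e.g. 'Data :'
        return line[:-2].rstrip(":").strip(), ""
    key, sep, value = line.partition(" : ")
    return (key.rstrip(":").strip(), value.strip()) if sep else None


def parse_log(text):
    """Return detections, process entries, memory hits and per-image termination counts."""
    out = {"detections": [], "processes": [], "memory_hits": [], "terminated": Counter()}
    current = None                                # block currently receiving key/value lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                              # a blank line closes the current block
            current = None
        elif m := DETECTION_RE.match(line):
            current = {"family": m.group("family")}
            out["detections"].append(current)
        elif m := PROCESS_RE.match(line):
            current = {"index": int(m.group("n")), "image": m.group("image")}
            out["processes"].append(current)
        elif m := MEMORY_RE.match(line):
            out["memory_hits"].append((m.group("family"), m.group("path")))
        elif m := TERMINATED_RE.match(line):
            out["terminated"][m.group("path")] += 1
        elif current is not None and (kv := parse_kv(line)):
            current[kv[0]] = kv[1]
    return out


def in_user_profile(path):
    return any(marker in path.lower() for marker in USER_PROFILE_MARKERS)


def summarize(parsed):
    """Group detections by family with their highest TAC rating; flag relaunched images."""
    families = defaultdict(lambda: {"count": 0, "max_tac": 0, "objects": []})
    for d in parsed["detections"]:
        fam = families[d["family"]]
        fam["count"] += 1
        fam["max_tac"] = max(fam["max_tac"], int(d.get("TAC Rating", "0") or 0))
        if d.get("Type") == "Process":            # directory in Object, image name in Data
            obj = d.get("Object", "") + d.get("Data", "")
        else:
            obj = d.get("Object") or d.get("Location") or d.get("Data", "")
        if obj not in fam["objects"]:
            fam["objects"].append(obj)
    # An image terminated more than once in one scan was relaunched while the scan
    # ran: something restarts it, so deleting the file alone will not hold.
    respawned = {p: n for p, n in parsed["terminated"].items() if n > 1}
    profile_resident = sorted({p for _, p in parsed["memory_hits"] if in_user_profile(p)})
    return {"families": dict(families), "respawned": respawned,
            "profile_resident": profile_resident}
```

To triage a saved log, call summarize(parse_log(open(path, encoding="latin-1").read())) and read the families in descending max_tac order; MRU List entries sit at TAC 0 and are privacy noise, while anything in "respawned" or "profile_resident" is where the persistence mechanism should be looked for.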
Kaoscontrol
Thanks a lot for the reply, CJ.

Well, I've done as you said and it seemed to detect LOP straight away this time, but it didn't last time, which is... confusing... but apparently removed it... but that doesn't seem to be the case, as all the same effects are still in place. So if you want to check out my Ad-Aware report, here's the log; I'll post HijackThis next post.


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, June 18, 2006 2:21:24 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R112 15.06.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 Possible New Malware 0(TAC index:3):1 total references
Lop(TAC index:7):7 total references
MRU List(TAC index:0):36 total references
Tracking Cookie(TAC index:3):19 total references
WhenU(TAC index:3):7 total references
WhenU.WeatherCast(TAC index:2):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-18-2006 2:21:24 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Heather Forrest\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Heather Forrest\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\common\open find\microsoft office powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\office\11.0\publisher\recent file list
Description : list of recent files used by microsoft publisher


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-3369191974-488174188-68285903-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 428
ThreadCreationTime : 6-18-2006 1:14:17 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 532
ThreadCreationTime : 6-18-2006 1:14:20 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\SYSTEM32\
ProcessID : 560
ThreadCreationTime : 6-18-2006 1:14:21 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 6-18-2006 1:14:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 732
ThreadCreationTime : 6-18-2006 1:14:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 876
ThreadCreationTime : 6-18-2006 1:14:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 940
ThreadCreationTime : 6-18-2006 1:14:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 976
ThreadCreationTime : 6-18-2006 1:14:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1032
ThreadCreationTime : 6-18-2006 1:14:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1160
ThreadCreationTime : 6-18-2006 1:14:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1388
ThreadCreationTime : 6-18-2006 1:14:27 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

Lop Object Recognized!
Type : Process
Data : CoalWma.exe
TAC Rating : 7
Category : Malware
Comment : 4531951840.dll
Object : C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\


Warning! Lop Object found in memory(C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe)

"C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe"Process terminated successfully

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1480
ThreadCreationTime : 6-18-2006 1:14:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1692
ThreadCreationTime : 6-18-2006 1:14:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1760
ThreadCreationTime : 6-18-2006 1:14:29 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:15 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 1872
ThreadCreationTime : 6-18-2006 1:14:29 PM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:16 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1896
ThreadCreationTime : 6-18-2006 1:14:29 PM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1920
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:18 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1960
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 2.1.20 2.1.20 10/18/2002 10:07:17
ProductVersion : 2.1.20 2.1.20 10/18/2002 10:07:17
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:19 [ltmoh.exe]
FilePath : C:\Program Files\ltmoh\
ProcessID : 1988
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 1.63
ProductVersion : 1.63
ProductName : LtMoh Application
CompanyName : Agere Systems
FileDescription : LtMoh MFC Application
InternalName : LtMoh
LegalCopyright : Agere Copyright © 2001
LegalTrademarks : LT
OriginalFilename : LtMoh.EXE

#:20 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 2020
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 7.2.0 15Nov02
ProductVersion : 7.2.0 15Nov02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe

#:21 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 2036
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 7.2.0 15Nov02
ProductVersion : 7.2.0 15Nov02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe

#:22 [gsicon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 136
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 3.1.1
ProductVersion : 3.1.1
ProductName : BT Voyager ADSL Modem
CompanyName : BT, Inc.
FileDescription : DSL Modem Monitor
InternalName : GSICON.EXE
LegalCopyright : Copyright © 2001 GlobespanVirata, Inc.
OriginalFilename : GSICON.EXE

#:23 [dslagent.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 148
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal


#:24 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 176
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 7.0.2
ProductVersion : QuickTime 7.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2005
OriginalFilename : QTTask.exe

#:25 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 192
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:26 [vsnpmi03.exe]
FilePath : C:\WINDOWS\
ProcessID : 172
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 0, 9, 1, 5
ProductVersion : 0, 9, 1, 5
FileDescription : Snapshot Viewer
InternalName : Snapshot_UI
LegalCopyright : Copyright © 2002

#:27 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 200
ThreadCreationTime : 6-18-2006 1:14:30 PM
BasePriority : Normal
FileVersion : 0.1.0.3510
ProductVersion : 0.1.0.3510
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:28 [msgplus.exe]
FilePath : C:\Program Files\MessengerPlus! 3\
ProcessID : 232
ThreadCreationTime : 6-18-2006 1:14:31 PM
BasePriority : Normal


#:29 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 404
ThreadCreationTime : 6-18-2006 1:14:31 PM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:30 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 456
ThreadCreationTime : 6-18-2006 1:14:31 PM
BasePriority : Normal
FileVersion : 7.5.0324
ProductVersion : 7.5.0324
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:31 [wg111cfg.exe]
FilePath : C:\Program Files\NETGEAR\WG111 Configuration Utility\
ProcessID : 468
ThreadCreationTime : 6-18-2006 1:14:31 PM
BasePriority : Normal
FileVersion : 2, 0, 2, 7
ProductVersion : 2, 0, 2, 7
ProductName : NETGEAR WG111 Smart Wizard-Wireless Assistance
FileDescription : NETGEAR WG111 Smart Wizard-Wireless Assistance
InternalName : Wg111.exe
LegalCopyright : 2004, Netgear, Inc. All Rights Reserved
OriginalFilename : Wg111.exe

#:32 [aoltray.exe]
FilePath : C:\Program Files\AOL 8.0\
ProcessID : 492
ThreadCreationTime : 6-18-2006 1:14:31 PM
BasePriority : Normal


#:33 [iexplore.exe]
FilePath : c:\progra~1\intern~1\
ProcessID : 612
ThreadCreationTime : 6-18-2006 1:14:32 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:34 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 736
ThreadCreationTime : 6-18-2006 1:14:32 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:35 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 1652
ThreadCreationTime : 6-18-2006 1:14:37 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:36 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2096
ThreadCreationTime : 6-18-2006 1:14:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:37 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2440
ThreadCreationTime : 6-18-2006 1:14:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:38 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3512
ThreadCreationTime : 6-18-2006 1:15:17 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:39 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 3476
ThreadCreationTime : 6-18-2006 1:15:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:40 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
ProcessID : 3440
ThreadCreationTime : 6-18-2006 1:16:16 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:41 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2400
ThreadCreationTime : 6-18-2006 1:19:43 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

Lop Object Recognized!
Type : Process
Data : CoalWma.exe
TAC Rating : 7
Category : Malware
Comment : 4531951840.dll
Object : C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\


Warning! Lop Object found in memory(C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe)

"C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe"Process terminated successfully

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 38


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wuse.1

WhenU.WeatherCast Object Recognized!
Type : Regkey
Data :
TAC Rating : 2
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wusn.1

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\whenusavemsg

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 41


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 41


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@ads.pointroll[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:heather forrest@ads.pointroll.com/
Expires : 1-1-2010 1:00:00 AM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:heather forrest@doubleclick.net/
Expires : 6-17-2009 12:53:12 AM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:heather forrest@adrevolver.com/
Expires : 6-17-2007 7:24:52 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@valueclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:heather forrest@valueclick.com/
Expires : 6-12-2031 2:28:36 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:heather forrest@atdmt.com/
Expires : 6-16-2011 1:00:00 AM
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@adrevolver[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:heather forrest@media.adrevolver.com/adrevolver/
Expires : 3-12-2009 7:04:36 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:heather forrest@casalemedia.com/
Expires : 6-8-2007 10:20:00 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:17
Value : Cookie:heather forrest@questionmarket.com/
Expires : 8-9-2007 6:19:58 AM
LastSync : Hits:17
UseCount : 0
Hits : 17

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:heather forrest@revenue.net/
Expires : 6-10-2022 6:05:42 AM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@as-eu.falkag[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:heather forrest@as-eu.falkag.net/
Expires : 6-18-2007 1:58:50 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@partners.webmasterplan[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:heather forrest@partners.webmasterplan.com/
Expires : 6-16-2016 11:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:heather forrest@tribalfusion.com/
Expires : 1-1-2038 1:00:00 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:17
Value : Cookie:heather forrest@fastclick.net/
Expires : 6-17-2008 2:20:24 AM
LastSync : Hits:17
UseCount : 0
Hits : 17

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:heather forrest@adtech.de/
Expires : 6-14-2016 8:53:18 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:31
Value : Cookie:heather forrest@advertising.com/
Expires : 6-17-2011 2:32:26 AM
LastSync : Hits:31
UseCount : 0
Hits : 31

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:heather forrest@zedo.com/
Expires : 7-17-2006 7:44:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:heather forrest@bluestreak.com/
Expires : 6-14-2016 10:22:02 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@mediaplex[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:heather forrest@mediaplex.com/
Expires : 6-22-2009 1:00:00 AM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : heather forrest@perf.overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:heather forrest@perf.overture.com/
Expires : 6-17-2010 12:34:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 19
Objects found so far: 60



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0 Object Recognized!
Type : File
Data : CoalWma.exe
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Heather Forrest\Application Data\MixBookDale\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Lop Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\shellbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : AutoSearch

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

WhenU Object Recognized!
Type : Folder
TAC Rating : 3
Category : Misc
Comment : WhenU
Object : C:\Program Files\Save

WhenU Object Recognized!
Type : File
Data : SaveUninst.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\save\
FileVersion : 4, 0, 0, 8
ProductVersion : 4, 0, 0, 8
ProductName : WhenU Save
CompanyName : WhenU.com, Inc.
FileDescription : WhenU Save Uninstall
InternalName : SaveUninst
LegalCopyright : Copyright 2001-2006
OriginalFilename : SaveUninst.exe


WhenU Object Recognized!
Type : File
Data : extra.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\save\
FileVersion : 1, 0, 1, 3
ProductVersion : 1, 0, 1, 3
ProductName : Universal Installer
CompanyName : WhenU.com, Inc
FileDescription : UInstall Application
InternalName : UInstall
LegalCopyright : Copyright © 2006
OriginalFilename : UInstall.exe


WhenU Object Recognized!
Type : File
Data : ACM.dll
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\save\
FileVersion : 1.0.2.9
ProductVersion : 1, 0, 2, 9
CompanyName : WhenU, Inc.
FileDescription : WhenU
InternalName : ACM.dll
LegalCopyright : Copyright 2005
OriginalFilename : ACM.dll


WhenU Object Recognized!
Type : File
Data : Save.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\save\
FileVersion : 3, 8, 0, 6
ProductVersion : 3, 8, 0, 6
ProductName : WhenU Save
CompanyName : WhenU.com, Inc.
FileDescription : WhenU Save
LegalCopyright : Copyright 2001-2006
OriginalFilename : Save.exe


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 71

2:28:58 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:33.16
Objects scanned:125811
Objects identified:35
Objects ignored:0
New critical objects:35
Kaoscontrol
And the HijackThis report is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:49:47 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpmi03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\AOL 8.0\aoltray.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Heather Forrest\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3BBD0214-0C5B-B5B3-284D-259D7CF770A5} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\errormapi.exe (file missing)
O2 - BHO: (no name) - {607EF7B2-9185-B1EB-7E74-3E7BB822E869} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Ping skip vga bike] C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip\Data Jump.exe
O4 - HKLM\..\Run: [Defaultdashfastplay] C:\Documents and Settings\All Users\Application Data\bat free default dash\Enc Clock.exe
O4 - HKCU\..\Run: [thunk store] C:\DOCUME~1\HEATHE~1\APPLIC~1\WAITRO~1\FlagKnob.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036f5753947cbd...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150135091450
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150135072184
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Kaoscontrol
Also, I would like to ask what your expertise in anti-virus/malware experience would suggest for future downloads for checking malware, and the best recommended anti-virus?

I ask this mainly because my Panda Anti-Virus 2005 is having rather large issues with my wireless Netgear connection... for some reason it doesn't like my wireless, lol, and insists on not letting it have a connection.

And I also ask whether Spyware Doctor is actually a recommended program? Seeing as I've had discussions with IT admins where I work, and they agree that most free downloaded malware/anti-virus removers and detectors are normally from companies that actually produce this malware and these viruses, and add more when you download.

So if you could just give me your best opinion on each, and the best recommended for download and purchase to stop little menaces like this one entering again.
LS CalamityJane
This is a very difficult pest to remove! (I hate this pest!!) You got this LOP infection from installing MessengerPlus and choosing the "sponsor". That "sponsor" is the LOP parasite. If I were you I would stay away from MessengerPlus to avoid future infections. It's not worth the headaches.

I see the offending files that are "watching" the others to reinstall. I need for you to get me copies so I can submit them to the AntiMalware companies like Ad-Aware and others for detection to protect everyone from this pest.

1. Right-click on this folder:
C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip

2. Point to Send To

3. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed (Frag Test Ping Skip.zip)

Do the same for these other three folders:

C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\MIXBOO (Folder name is longer and may contain spaces, for example: Mix Boo .....)

C:\Documents and Settings\All Users\Application Data\bat free default dash

C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\WAITRO... (Folder name is longer and may contain spaces, for example: Wait Ro...)

Go here to upload the zip files created as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from Kaoscontrol at LS ),
fill in a short message and then press the Browse button, then navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it. When all the files are listed in the window, press the *Post* button to upload the files.
I can collect them from there.

Files to upload:

C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\MIXBOO....zip
C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip.zip
C:\Documents and Settings\All Users\Application Data\bat free default dash.zip
C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\WAITRO...zip

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them
............................................
Once you have uploaded the files, come back here and I will post a reply with the next steps to take for removal.
LS CalamityJane
After uploading the files I need, please follow these steps to remove the LOP infection.

1. Make a copy of these instructions to have handy, as these steps will need to be done in SAFE MODE with all browsers closed (so you won't be able to see this board online).

2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Open HijackThis and do a *scan only*. Checkmark these entries in the list (if found) and then press the *fix checked* button

O2 - BHO: (no name) - {3BBD0214-0C5B-B5B3-284D-259D7CF770A5} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\errormapi.exe (file missing)

O2 - BHO: (no name) - {607EF7B2-9185-B1EB-7E74-3E7BB822E869} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe (file missing)

O4 - HKLM\..\Run: [Ping skip vga bike] C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip\Data Jump.exe

O4 - HKLM\..\Run: [Defaultdashfastplay] C:\Documents and Settings\All Users\Application Data\bat free default dash\Enc Clock.exe

O4 - HKCU\..\Run: [thunk store] C:\DOCUME~1\HEATHE~1\APPLIC~1\WAITRO~1\FlagKnob.exe

Stay in safe mode and delete these files and/or folders:

C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\MIXBOO (folder name is longer than this and may contain spaces, for example: Mix Boo ......

C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip\Data Jump.exe

C:\Documents and Settings\All Users\Application Data\bat free default dash

C:\DOCUMENTS AND SETTINGS\HEATHE~1\APPLICATION DATA\WAITRO (Folder name is longer and may contain spaces, for example: Wait Ro...)

Plus delete the zip files you created to upload to me.

Close HijackThis, stay in safe mode. Start Adaware and do a full system scan while in safe mode and when finished, let it remove any critical objects found.

Reboot back into normal mode.

Please scan once more with HijackThis and post a fresh log please.
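The entries CalamityJane asks to have fixed share two traits that can be checked mechanically: the O2 BHOs are registered with no name and point at a file that is already missing, and the O4 Run entries launch from an Application Data folder instead of Program Files or Windows. The block below is an added example, not code from this thread, from HijackThis or from Lavasoft; it parses O2 and O4 lines from a HijackThis log and applies exactly those two heuristics. The sample log is constructed from lines copied out of the posted log plus a few benign entries for contrast, and the regular expressions and helper names are my own.

```python
import re

# Constructed sample: O2/O4 lines copied from the HijackThis log posted in the
# thread, with benign entries mixed in so the filter has something to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3BBD0214-0C5B-B5B3-284D-259D7CF770A5} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\errormapi.exe (file missing)
O2 - BHO: (no name) - {607EF7B2-9185-B1EB-7E74-3E7BB822E869} - C:\DOCUME~1\HEATHE~1\APPLIC~1\MIXBOO~1\CoalWma.exe (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ping skip vga bike] C:\Documents and Settings\All Users\Application Data\Frag Test Ping Skip\Data Jump.exe
O4 - HKLM\..\Run: [Defaultdashfastplay] C:\Documents and Settings\All Users\Application Data\bat free default dash\Enc Clock.exe
O4 - HKCU\..\Run: [thunk store] C:\DOCUME~1\HEATHE~1\APPLIC~1\WAITRO~1\FlagKnob.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <target>"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$')
# O4 Run lines: "O4 - HKLM\..\Run: [<value name>] <command>" (Global Startup lines are skipped)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$')
# Long form and 8.3 short form of a per-user or All Users Application Data folder.
APPDATA_RE = re.compile(r'\\(Application Data|APPLIC~1)\\', re.IGNORECASE)


def parse_hjt(log_text):
    """Return one dict per O2 BHO and O4 Run entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"],
                            "target": m["target"], "raw": line})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "name": m["name"],
                            "target": m["target"], "raw": line})
    return entries


def review_reasons(entry):
    """List the reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if entry["kind"] == "O2":
        if entry["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if entry["target"].endswith("(file missing)"):
            reasons.append("BHO points at a file that no longer exists (orphaned registration)")
    if APPDATA_RE.search(entry["target"]):
        reasons.append("launches from an Application Data folder rather than Program Files or Windows")
    return reasons


def flag_entries(log_text):
    """Parse the log and return only the entries that have at least one reason."""
    flagged = []
    for entry in parse_hjt(log_text):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append({"name": entry["name"], "raw": entry["raw"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in flag_entries(SAMPLE_HJT_LOG):
        print(item["raw"])
        for reason in item["reasons"]:
            print("    -", reason)
```

Run against the sample it prints the two nameless BHOs and the three Application Data autoruns, which are the five entries the post above tells the user to checkmark; the IgfxTray, QuickTime, MSMSGS and Yahoo entries pass through unflagged. The heuristics are a first-pass triage only: a legitimate program can run from Application Data, and a hijacker can sit in Program Files, so every flagged line still needs a human decision, as in this thread.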
Kaoscontrol
The Mixedboo1 there was no point in sending, as it had absolutely NOTHING... I think this is due to Ad-Aware zapping it. It does say in the logs it was removed. And also the 'Wait Roam Bore' file would normally have more things in it... but once again Ad-Aware got to these. Other than that, those files have been submitted. Just about to do the safe mode jobby and I'll get a HijackThis report up and let you know of the results.
Kaoscontrol
Logfile of HijackThis v1.99.1
Scan saved at 7:05:10 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpmi03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Heather Forrest\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036f5753947cbd...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150135091450
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150135072184
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


That's my latest result.
Kaoscontrol
Well, only 3 of the programs you said appeared in HJT, but the ones that did were removed and everything SEEMS to be back to normal... I'm yet to see the 404 page, seeing as all my links work fine... no more extra iexplorers have appeared in Task Manager, making the CPU low. The favorites have gone and all the folders have vanished.

And with the files I sent, I hope it helps the cause against these morons who think it's really big to fill people's computers with crap.

Thanks a lot CJ, you've helped a lot. Computing defender god that walks among mere mortals.

If I've got any more problems in the future I'll give you the first look.
Kaoscontrol
Oh, and please can you answer my question on which programs are best to be downloaded now in case of future use, and also which is the best antivirus you would recommend?

These questions are all due to the fact I don't want this to happen again. My Panda anti-virus is having conflict problems with my wireless connection, and also there is much speculation towards these 'free' anti-viruses and programs that offer all this elimination technology, when the company is probably one of those actually creating the viruses and malware.

Just a simple list of the best anti-viruses and anti-malware products for me to buy/download to keep this here laptop safe.

Thanks once more CJ.
LS CalamityJane
Hooray! I think you got them!

You should only have one of the following types of products running realtime. Anything else should be turned off and used as a backup scanner only. Otherwise you'll have slowdowns and conflicts.
Firewall
Antivirus
AntiSpyware
AntiTrojan
(optional)

The best antivirus if you are going to buy is Kaspersky Antivirus 6.0.
http://www.kaspersky.com/
I don't recommend their suite as the firewall that comes with it tends to cause some problems and slowdowns for some folks. If you want a good free software firewall that's easy to understand, get Zone Labs ZoneAlarm free personal edition or use the Windows firewall that comes with XP
Download link: http://www.zonelabs.com/store/content/comp...eeDownload2.jsp

There are even some very good free antivirus programs (free for personal use)
Recommended Free Antivirus Programs:

AVG by Grisoft:
http://free.grisoft.com/freeweb.php/doc/2/

Avast 4 Home Edition
http://www.avast.com/eng/avast_4_home.html

AntiVir PersonalEdition Classic
http://www.free-av.com/

Ewido is a very good Anti-Trojan program. You can get the free 14 day trial here:
http://www.ewido.net/en/download/
Ewido is a free trial Anti-Trojan product for 14 days. After that you can purchase it for full features OR you can also keep the free version after the trial is over to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button.

My recommendation for Antispyware is, of course, Adaware SE. They offer a Plus Version that offers realtime protection that I do think is very good to have for prevention of spyware/adware infections:
http://www.lavasoft.de/purchase/home/

And for two very good free Antispyware programs you can have as backup would be
Spybot Search and Destroy:
http://www.safer-networking.org/

and Microsoft's Windows Defender (Beta2)
http://www.microsoft.com/athome/security/s...re/default.mspx

Anything more than that is overkill.

I'll give you some more prevention ideas in a link to my prevention recommendations page
Next, some final cleanup and then on to prevention tips.

Some final cleanup and prevention recommendations follow.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files.
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
Invision Power Board © 2001-2009 Invision Power Services, Inc.