Full Version: Infected...topsecurity.net...HELP!
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
majerdavis
I've been hit! Please help me get rid of this stupid thing! Below is my log file from SmitFraudFix:

SmitFraudFix v2.61

Scan done at 23:20:07.92, Sat 06/17/2006
Run from C:\Documents and Settings\Marissa\My Documents\downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


Then I ran HijackThis and got this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:06 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\quickenw\QAGENT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\PROGRA~1\YMANTE~1\nslookup.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {0407E660-52FB-E54C-3C68-5ABC0C1994F8} - C:\WINDOWS\javakn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B61C519-7F0E-4A3A-9820-B5A26163B2B8} - C:\WINDOWS\system32\byxxw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe
O4 - HKLM\..\Run: [ltygbrkz] C:\WINDOWS\aoakmhjk.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [aebzej] C:\WINDOWS\System32\yhkkqzx.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [imdisk] C:\WINDOWS\system\imdisk.exe
O4 - HKLM\..\Run: [*imdisk] C:\WINDOWS\system\imdisk.exe
O4 - HKLM\..\Run: [*dbcom] C:\WINDOWS\system\dbcom.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\ServicePackFiles\baswin.exe
O4 - HKLM\..\Run: [*docwave] C:\WINDOWS\security\logs\docwave.exe
O4 - HKLM\..\Run: [*svrun] C:\WINDOWS\Config\svrun.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [*nutpc] C:\WINDOWS\ServicePackFiles\nutpc.exe
O4 - HKLM\..\Run: [*svrplay] C:\WINDOWS\java\Packages\svrplay.exe
O4 - HKLM\..\Run: [*dllweb] C:\WINDOWS\Registration\dllweb.exe
O4 - HKLM\..\Run: [*mfcodbc] C:\WINDOWS\msagent\chars\mfcodbc.exe
O4 - HKLM\..\Run: [*javamp3] C:\WINDOWS\Config\javamp3.exe
O4 - HKLM\..\Run: [*kbhard] C:\WINDOWS\system\kbhard.exe
O4 - HKLM\..\Run: [*tcpftp] C:\WINDOWS\msagent\tcpftp.exe
O4 - HKLM\..\Run: [*asdb] C:\WINDOWS\Fonts\asdb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [QAGENT] C:\quickenw\QAGENT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series on YOUR-YB35TU7LQR] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P54 "Auto EPSON Stylus Photo R220 Series on YOUR-YB35TU7LQR" /O26 "\\YOUR-YB35TU7LQR\Printer3" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Zho] C:\PROGRA~1\YMANTE~1\nslookup.exe
O4 - HKCU\..\Run: [Uuse] "C:\PROGRA~1\COMMON~1\SSTEM~1\userinit.exe" -vt ndrv
O4 - Startup: 360Share Pro On Startup.lnk = C:\Program Files\360Share Pro\Gui\360Share Pro.exe
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/2d97248b2b...4124900f_35.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {9EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/upgrade/qshupgrd.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D05F33E0-3F75-11D3-A176-006008944486} (Audible Words Codec) - http://download.audible.com/AM36/awrdscdc.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: byxxw - C:\WINDOWS\system32\byxxw.dll (file missing)
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)


I don't know if any of the above makes sense, since it says no files were infected, but I'm still getting the pop-ups and the redirected pages. Also, my McAfee keeps saying I have trojans that can't be removed or deleted. Please help!
LS CalamityJane
Get the Vx2cleaner v.2.0 plugin for Adaware here:
http://www.lavasoft.de/software/addons/vx2cleaner.shtml

Follow the directions on that page for cleaning with the plug in. This may take several runs to clean it.

I would also suggest running an Ad-aware full system scan in SAFE MODE if you haven't already done so, and post your Ad-aware scan log PLUS a fresh HijackThis log in your next reply.

Please make sure that you are using Ad-aware SE Build 106r1.
Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

[If not, uninstall your old Ad-aware first, then install SE.]
Then use the WebUpDate to get the latest definition file: SE1R112 15.06.2006.
To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe).
Click "Connect"; Ad-aware will then download the latest definition file for you.
To make sure it is updated, look at the main Ad-aware screen under "Initialization Status". It should say the latest definition file.
Then scan, doing a "Full Scan", and then post your logfile here by using the Add-Reply feature.
Logs are stored in:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\
An easy way to get there is to click Start, click Run, type in %appdata% and press ENTER, then click Lavasoft, then Ad-Aware, and then Logs.
Scroll down to find the latest one that you have (by date & time), open it, right-click, Select All, copy, and then paste the contents of it here.
(Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all.)
I recommend that you use the WebUpDate just before you scan; that way you will always be up to date.

(Note: the Application Data folder is hidden, so you will need to show hidden files and folders.)

Be sure that you reboot your computer between cleanings. Then after the last reboot post your Adaware and fresh HijackThis logs for review.
miekiemoes
Hello,

You didn't perform the instructions right for SmitfraudFix, because you didn't run it in Safe Mode.
There's also a lot of other malware present; that's why it is important you follow all my steps in the right order.

You are also dealing with an old Vundo variant and some other old pieces of malware, but I guess those are only leftovers in the registry.

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin in it.


Reboot afterwards!!!

If not listed, download and run this uninstaller:

Reboot when done! Really important!

* Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

C:\WINDOWS\SYSTEM32\winysd32.dll

Click Open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

After reboot,

Please download
Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates: http://download.ewido.net/ewido-signatures-current.exe
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0407E660-52FB-E54C-3C68-5ABC0C1994F8} - C:\WINDOWS\javakn.dll (file missing)
O2 - BHO: (no name) - {9B61C519-7F0E-4A3A-9820-B5A26163B2B8} - C:\WINDOWS\system32\byxxw.dll (file missing)
O4 - HKLM\..\Run: [ltygbrkz] C:\WINDOWS\aoakmhjk.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [aebzej] C:\WINDOWS\System32\yhkkqzx.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [imdisk] C:\WINDOWS\system\imdisk.exe
O4 - HKLM\..\Run: [*imdisk] C:\WINDOWS\system\imdisk.exe
O4 - HKLM\..\Run: [*dbcom] C:\WINDOWS\system\dbcom.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\ServicePackFiles\baswin.exe
O4 - HKLM\..\Run: [*docwave] C:\WINDOWS\security\logs\docwave.exe
O4 - HKLM\..\Run: [*svrun] C:\WINDOWS\Config\svrun.exe
O4 - HKLM\..\Run: [*nutpc] C:\WINDOWS\ServicePackFiles\nutpc.exe
O4 - HKLM\..\Run: [*svrplay] C:\WINDOWS\java\Packages\svrplay.exe
O4 - HKLM\..\Run: [*dllweb] C:\WINDOWS\Registration\dllweb.exe
O4 - HKLM\..\Run: [*mfcodbc] C:\WINDOWS\msagent\chars\mfcodbc.exe
O4 - HKLM\..\Run: [*javamp3] C:\WINDOWS\Config\javamp3.exe
O4 - HKLM\..\Run: [*kbhard] C:\WINDOWS\system\kbhard.exe
O4 - HKLM\..\Run: [*tcpftp] C:\WINDOWS\msagent\tcpftp.exe
O4 - HKLM\..\Run: [*asdb] C:\WINDOWS\Fonts\asdb.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Zho] C:\PROGRA~1\YMANTE~1\nslookup.exe
O4 - HKCU\..\Run: [Uuse] "C:\PROGRA~1\COMMON~1\SSTEM~1\userinit.exe" -vt ndrv
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/2d97248b2b...4124900f_35.exe
O16 - DPF: {9EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/upgrade/qshupgrd.exe
O16 - DPF: {D05F33E0-3F75-11D3-A176-006008944486} (Audible Words Codec) - http://download.audible.com/AM36/awrdscdc.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: byxxw - C:\WINDOWS\system32\byxxw.dll (file missing)
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
° To get into Safe Mode, press and hold your "F8 Key" as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\DeskAd Service <== folder
C:\WINDOWS\system32\arpa.dll

* Still in safe mode... * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

(Warning : running option #2 on a non infected computer will remove your Desktop background.)

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear on screen with results from the cleaning process; post that log in your next reply together with a new HijackThis log and the log from Ewido.
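An added example, not part of this thread and not a HijackThis feature: a small Python script that applies, mechanically, the same kinds of checks the helper applied by eye when picking lines out of the log above (orphaned "file missing" entries, random-looking Run names, autostarts from folders that never hold executables, system binary names outside System32, Trusted Zone additions, ActiveX entries pointing at bare .exe files, AppInit_DLLs and Winlogon Notify hooks). The directory list, the vowel heuristic and the system-binary list are assumptions of this example; each hit is a reason to look closer, not a verdict.

```python
"""Heuristic triage of HijackThis log lines (added example, not a HijackThis feature)."""
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread,
# mixed with a few entries from the same log that belong to legitimate software.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0407E660-52FB-E54C-3C68-5ABC0C1994F8} - C:\WINDOWS\javakn.dll (file missing)
O4 - HKLM\..\Run: [ltygbrkz] C:\WINDOWS\aoakmhjk.exe
O4 - HKLM\..\Run: [aebzej] C:\WINDOWS\System32\yhkkqzx.exe
O4 - HKLM\..\Run: [*asdb] C:\WINDOWS\Fonts\asdb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uuse] "C:\PROGRA~1\COMMON~1\SSTEM~1\userinit.exe" -vt ndrv
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {9EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/upgrade/qshupgrd.exe
O16 - DPF: {D05F33E0-3F75-11D3-A176-006008944486} (Audible Words Codec) - http://download.audible.com/AM36/awrdscdc.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: byxxw - C:\WINDOWS\system32\byxxw.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sect>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption of this example: %SystemRoot% subfolders that never hold legitimate
# autostart executables (lower-case, with surrounding backslashes).
ODD_DIRS = ("\\windows\\fonts\\", "\\windows\\config\\", "\\windows\\security\\logs\\",
            "\\windows\\msagent\\", "\\windows\\registration\\", "\\windows\\java\\",
            "\\windows\\servicepackfiles\\", "\\windows\\system\\")

# Core Windows binaries that only belong in System32; the same file name elsewhere
# is a classic masquerade (the thread's SSTEM~1\userinit.exe is one).
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "services.exe", "nslookup.exe"}


def exe_path(cmd):
    """Extract the executable from a Run command line (quoted path or first .exe token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(\S+?\.exe)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def looks_random(name):
    """Six or more letters with no vowel at all, e.g. 'ltygbrkz' or 'yhkkqzx'.
    Vowel-less vendor abbreviations trip this too; it is a review hint, not a verdict."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 6 and not any(c in "aeiou" for c in letters)


def triage_line(line):
    """Return the reasons a HijackThis line deserves a closer look (empty = nothing noted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sect, body = m.group("sect"), m.group("body")
    reasons = []
    if sect in ("O2", "O20") and "(file missing)" in body:
        reasons.append("registered module no longer on disk (orphaned entry)")
    if sect == "O4":
        run = RUN_RE.match(body)
        if run:
            name, path = run.group("name"), exe_path(run.group("cmd")).lower()
            base = path.rsplit("\\", 1)[-1]
            if name.startswith("*"):
                reasons.append("Run value name prefixed with '*'")
            if looks_random(name.lstrip("*")) or looks_random(base.rsplit(".", 1)[0]):
                reasons.append("random-looking value or file name")
            if any(d in path for d in ODD_DIRS):
                reasons.append("autostart from a directory that normally holds no executables")
            if base in SYSTEM_BINARIES and "\\system32\\" not in path:
                reasons.append("system binary name %s outside System32" % base)
    elif sect == "O15":
        reasons.append("site added to the IE Trusted Zone (relaxed security settings)")
    elif sect == "O16" and body.lower().endswith(".exe"):
        reasons.append("ActiveX download entry points at a bare .exe")
    elif sect == "O20":
        if body.startswith("AppInit_DLLs:") and body.partition(":")[2].strip():
            reasons.append("AppInit_DLLs loads this DLL into every user32 process")
        elif body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify package runs at logon")
    return reasons


def triage(log):
    """Map each line that raised at least one reason to its reasons, in log order."""
    report = {}
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            report[line] = reasons
    return report


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Run against the sample, nine of the thirteen lines are queued for review while the Acrobat, QuickTime, Audible and R3 lines pass; the output is a starting point for the kind of manual verdict the helper gives, not a replacement for it.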
majerdavis
AD-AWARE LOG (in response to CalamityJane's instructions):


Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 19, 2006 6:45:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R112 15.06.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):18 total references
Tracking Cookie(TAC index:3):24 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-19-2006 6:45:44 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Marissa\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Marissa\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\powerpoint\recent templates
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-4025279379-3924064129-568730901-1006\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 156
ThreadCreationTime : 6-19-2006 10:43:00 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 204
ThreadCreationTime : 6-19-2006 10:43:15 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 228
ThreadCreationTime : 6-19-2006 10:43:18 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 6-19-2006 10:43:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 288
ThreadCreationTime : 6-19-2006 10:43:26 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 448
ThreadCreationTime : 6-19-2006 10:43:30 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 516
ThreadCreationTime : 6-19-2006 10:43:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 6-19-2006 10:43:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 808
ThreadCreationTime : 6-19-2006 10:43:59 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 948
ThreadCreationTime : 6-19-2006 10:44:51 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@clickbank[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:marissa@clickbank.net/
Expires : 12-15-2006 12:33:36 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@ads.addynamix[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:marissa@ads.addynamix.com/
Expires : 6-20-2006 12:59:34 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:139
Value : Cookie:marissa@trafficmp.com/
Expires : 6-16-2007 11:08:38 PM
LastSync : Hits:139
UseCount : 0
Hits : 139

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@revenue[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:marissa@revenue.net/
Expires : 6-10-2022 1:05:42 AM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@~~local~~[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:243
Value : Cookie:marissa@~~local~~/
Expires : 6-30-2006 8:30:44 PM
LastSync : Hits:243
UseCount : 0
Hits : 243

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@as-us.falkag[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:98
Value : Cookie:marissa@as-us.falkag.net/
Expires : 6-19-2007 5:42:26 PM
LastSync : Hits:98
UseCount : 0
Hits : 98

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@as-eu.falkag[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:marissa@as-eu.falkag.net/
Expires : 6-19-2007 4:21:24 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:marissa@tribalfusion.com/
Expires : 12-31-2037 8:00:00 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@perf.overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:marissa@perf.overture.com/
Expires : 6-18-2010 5:42:30 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@server.iad.liveperson[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:marissa@server.iad.liveperson.net/
Expires : 6-18-2007 9:58:50 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@qksrv[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:marissa@qksrv.net/
Expires : 6-17-2011 12:09:10 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:41
Value : Cookie:marissa@realmedia.com/
Expires : 12-31-2020 8:00:00 PM
LastSync : Hits:41
UseCount : 0
Hits : 41

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:marissa@apmebf.com/
Expires : 6-17-2011 12:09:08 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:marissa@tradedoubler.com/
Expires : 6-13-2026 6:30:04 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@statcounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:marissa@statcounter.com/
Expires : 6-18-2011 1:51:12 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@ads.pointroll[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:marissa@ads.pointroll.com/
Expires : 12-31-2009 8:00:00 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:marissa@2o7.net/
Expires : 6-17-2011 6:32:30 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:marissa@adtech.de/
Expires : 6-13-2016 8:32:30 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@bluestreak[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:marissa@bluestreak.com/
Expires : 6-16-2016 10:32:10 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:21
Value : Cookie:marissa@questionmarket.com/
Expires : 8-10-2007 9:52:38 AM
LastSync : Hits:21
UseCount : 0
Hits : 21

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:9
Value : Cookie:marissa@serving-sys.com/
Expires : 12-31-2037 6:00:00 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:43
Value : Cookie:marissa@zedo.com/
Expires : 6-13-2016 8:49:58 PM
LastSync : Hits:43
UseCount : 0
Hits : 43

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:marissa@imrworldwide.com/cgi-bin
Expires : 6-16-2016 12:59:40 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marissa@edge.ru4[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:marissa@edge.ru4.com/
Expires : 6-10-2036 12:46:14 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 24
Objects found so far: 42



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 42


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 42


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 42

7:17:21 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:31:36.296
Objects scanned:251345
Objects identified:24
Objects ignored:0
New critical objects:24
LS CalamityJane
Thanks, majerdavis!

Please proceed to miekiemoes' instructions next.
majerdavis
Edited to add the SmitFraudFix log:

SmitFraudFix v2.61

Scan done at 23:31:56.91, Mon 06/19/2006
Run from C:\Documents and Settings\Marissa\My Documents\downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\yvvdj.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End



After running Ad-Aware, I followed miekiemoes' instructions... but now I can't find the logs for HijackThis or SmitFraudFix... I'm still looking for them. I don't know if this one will be helpful without the others (I'll post the others when I find them), but below is the ewido log:



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:29:33 PM 6/19/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{CE425367-668C-A46D-6F50-DC8B2B4033BA} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-4025279379-3924064129-568730901-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0407E660-52FB-E54C-3C68-5ABC0C1994F8} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\WINDOWS\bar.exe -> Adware.IeSearchBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\arpa.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Documents and Settings\Marissa\Local Settings\Temp\!update.exe -> Downloader.PurityScan.cs : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Ignored.
C:\WINDOWS\Downloaded Program Files\imloader.exe -> Not-A-Virus.Downloader.Win32.ImLoader.b : Ignored.
C:\Program Files\Hijackthis\backups\backup-20060619-211114-826.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@coxhsi.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@ostg.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@e-2dj6wgmycnajefq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@e-2dj6wgmycndjakq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@e-2dj6wjnycidpabp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@www.res99[1].txt -> TrackingCookie.Res99 : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\jeron davis\Cookies\jeron davis@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\winysd32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
[228] C:\WINDOWS\system32\winysd32.dll -> Trojan.Agent.qt : Error during cleaning.
C:\WINDOWS\Temp\win3C.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win3F.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win40.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win59.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win5A.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup (quarantined).


::Report end
miekiemoes
Hi majerdavis,

It looks like you missed some of my steps, because the Ewido log lists files I asked you to remove previously.

I also see that you didn't perform this step that I asked you to do:

QUOTE
* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winysd32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system should reboot now.


Can you also post a new hijackthislog please?