Help - Search - Members - Calendar
Full Version: bravesentry malware (smitfraud hijacker variant)
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
King_Jenga
Jun 26 2006, 01:23 AM
Here is the HijackThis log for the Bravesentry malware that I got stuck with. Thanks in advance for all your help.
Peter Eberle


Logfile of HijackThis v1.99.1
Scan saved at 5:16:23 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Program Files\Messenger\msmsgs.exe
G:\RoboForm\RoboTaskBarIcon.exe
G:\Program Files\Traynote\traynote.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\taskdir.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\HPGS2WNF.EXE
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bmredir....ie&bm=yh_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....1_ie&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ent>
O1 - Hosts: Feb. 26 - 9:41 pm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [DirectX] ddhelp32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [ÿ_zskdenikqfryog`vgpv50inkrwksz_] c:\windows\system32\_zskwrkni05vpgv`goyrfqkined.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\RunServices: [ÿ_zskdenikqfryog`vgpv50inkrwksz_] c:\windows\system32\_zskwrkni05vpgv`goyrfqkined.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RoboForm] "G:\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DirectX] ddhelp32.exe
O4 - HKCU\..\Run: [traynote] G:\Program Files\Traynote\traynote.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [ÿ_zskdenikqfryog`vgpv50inkrwksz_] c:\windows\system32\_zskwrkni05vpgv`goyrfqkined.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Help and Support.lnk = C:\Program Files\Verizon Online\Help Support\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu &4 - file://G:\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://G:\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://G:\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O13 - WWW. Prefix: http://
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
LS CalamityJane
Jun 26 2006, 02:40 AM
This is really a mess sad.gif Your computer is loaded with trojans and malware of all kinds! ohmy.gif The following steps may not clean all of it, but should be a good start.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



3 Download, install, and update Ewido AntiSpyware(get the free trial version)
http://www.ewido.net/en/download/

a. Install Ewido AntiSpyware

b. Launch Ewido, there should be a Orange Ewido icon on your desktop, double-click it.

c. The program will prompt you to update click the OK button

d. The program will now go to the main screen

e. At the top of the main screen click on *Update*

f. Click on Start. The update will start and a progress bar will show the updates being installed.

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button smile.gif

4. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


5. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

6. Next, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. When the scan is done you will see a list of infected objects (if any found) At the bottom of the list, Please click on "recommended action"/and choose to Set all Elements to quarantine and check the box "Perform action with all infections".
If you get a warning about a file being in an archive, please choose *yes* to quarantine the entire archive


When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

........................

8. Get a free online AV scan at eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system. SAVE the report at the end to copy back here please.

(This scan to make sure your Wininet.dll is fixed if infected)

(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

9. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Ewido Scan report

eTrust online AV report

Fresh HijackThis log
King_Jenga
Jun 27 2006, 08:31 AM
I've taken all of the steps you told me to and below are the logs you requested:

First the rapport.txt

SmitFraudFix v2.65

Scan done at 21:18:16.74, Mon 06/26/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\desktop.html Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\kernels8.exe Deleted
C:\WINDOWS\system32\migicons.exe Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Owner\Application Data\Install.dat Deleted
C:\Program Files\BraveSentry\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Then Ewido scan report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:09:34 PM 6/26/2006

+ Scan result:



C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\System32\testtestt.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\WINDOWS\System32\spoolsvv.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9D20CAB3-4A6F-4DD9-A386-D4C7AC523CD4}\RP717\A0293380.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\WINDOWS\System32\_zskwrkni05VPGV`GOYRFQKINED.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\System32\ipod.raw.exe -> Proxy.Lager.az : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@aia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@clubmom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@cratebarrel.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[3].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@reciperewards.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@servedby.advertising[3].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[4].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[6].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@click2net[1].txt -> TrackingCookie.Click2net : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@ads.clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@att.com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[3].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[4].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[5].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@.doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@.doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfk4smajigp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkiapdpwgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkicpdjehp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkiqidpoho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoakc5ahp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoogc5wgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoojdpkcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkosgajeco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkowgajeeq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkyenajiho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkykndzgcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfl4kpd5gbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfl4uhdziko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wflieocpacq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfliskdpkco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wflocgajeko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfloclcjwfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfloklc5akp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wflyalc5wdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wflysgcjslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmiohc5sao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmyend5wgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkicldjchq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkigidzsfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkocod5sdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkowndpslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkyuidzklo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgl4okc5aep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4ciczadp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4ehcpafp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4gmdzceq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4knazekp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4ogc5wcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4ogcpsbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4sicjwlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4sndjsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkooicjgco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkoqgdzsgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkoslc5ccp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkosncjglp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkowkcjako.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycgdzacp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkyemdpelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkygncpofo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkykpajcbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4cjdpmko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4cpd5gbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4epdpiko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4giajahq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4qjczcdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4widpmgp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlicgdpmlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjliklcpwkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlioiajsbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjliojajckq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjliqkdpkdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlisocjibp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjloalczeco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjloegd5ocq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlookdpido.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlowidpmep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlyajdpilp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlyegazwhp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlykiazegq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlykldjoco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlysic5gfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlyuic5ohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmicicpoeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmighdpmbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmisgajmgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmishcjceo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmysmdzkep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjny-1jcpkf.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyahd5mbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyajdzoaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyeoc5oko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyqodzwhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyshdzklp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnysndzwkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyumdzafpwudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@ads.link4ads[3].txt -> TrackingCookie.Link4ads : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@ads.link4ads[4].txt -> TrackingCookie.Link4ads : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@www.popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@www.popuptraffic[3].txt -> TrackingCookie.Popuptraffic : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@.preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@gm.preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@preferences[3].txt -> TrackingCookie.Preferences : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@track-star[1].txt -> TrackingCookie.Track-star : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.trafficvenue[1].txt -> TrackingCookie.Trafficvenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\login\Cookies\login@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end


The eTrust online AV report did not find any infections:

Scan Results: Scan Completed. 154839 files scanned. No viruses found.


Lastly the fresh HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:20:04 AM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Traynote\traynote.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\HPGS2WNF.EXE
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) =

http://www.terafinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =

http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft

Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no

file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ent>
O1 - Hosts: Feb. 26 - 9:41 pm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} -

G:\RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -

G:\RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program

Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe

/IMGSTART
O4 - HKLM\..\Run: [DirectX] ddhelp32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program

Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Motive SmartBridge]

C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic

Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program

Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program

Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware

4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [MOSearch]

C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE"

-quiet
O4 - HKCU\..\Run: [RoboForm] "G:\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DirectX] ddhelp32.exe
O4 - HKCU\..\Run: [traynote] G:\Program Files\Traynote\traynote.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program

Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Help and Support.lnk = C:\Program Files\Verizon

Online\Help Support\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu &4 -

file://G:\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] -

file://G:\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ -

file://G:\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -

file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] -

{320AF880-6646-11D3-ABEE-C5DBF3571F46} -

file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -

file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ -

{320AF880-6646-11D3-ABEE-C5DBF3571F49} -

file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -

file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 -

{724d43aa-0d85-11d4-9908-00400523e39a} -

file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no

file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O13 - WWW. Prefix: http://
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -

http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a224.g.akamai.net/7/224/52/20010620...e.com/qt502/us/

win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} -

http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All

Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil

Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. -

d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation -

C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC

Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega

Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe




Thanks for the help. It has helped alot already. I expec there's more to do so I await instructions. Thanks again.
Peter Eberle
LS CalamityJane
Jun 27 2006, 05:20 PM
Hi Peter,

You did real well! smile.gif

I can't read the HijackThis log as it's all chopped up. To fix this, please open Notepad and at the top choose *Format*. Make sure wordwrap is unchecked. Then scan again with Hijackthis and post a fresh log please smile.gif
King_Jenga
Jun 27 2006, 10:31 PM
I'll do that once I get home. One thing I did notice last night was that now once booted up the mouse icon is always the hourglass (well almost always) and everything is hard to get at or click. Is that something that we will still be fixing or is that related to something else? Thanks.

Peter
LS CalamityJane
Jun 27 2006, 11:41 PM
QUOTE(King_Jenga @ Jun 27 2006, 05:31 PM) *
I'll do that once I get home. One thing I did notice last night was that now once booted up the mouse icon is always the hourglass (well almost always) and everything is hard to get at or click. Is that something that we will still be fixing or is that related to something else? Thanks.

Peter
Hi Peter,

Haven't had a reports of a mouse problem with infections. It's usually just a mouse problem.
King_Jenga
Jun 28 2006, 12:55 AM
I don't think it's a mouse problem actually, haven't had any of those with this mouse before now. It's as if the computer is busy but there's no reason for it to be busy as I don't have the computer doing anything. I let it sit for around 10 minutes last night and it was still behaving that way, showing a 'working' icon for the mouse and not responding well to any clicks, but the hard drive wasn't being hit or anything. I guess I could have used the Task Manager to see if the CPU and/or memory were being used.

Peter
King_Jenga
Jun 28 2006, 04:14 AM
The busy thing isn't happening anymore so...? But here is the un-wordwrapped HijackThis log. Thanks in advance again.

Logfile of HijackThis v1.99.1
Scan saved at 8:10:46 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
G:\RoboForm\RoboTaskBarIcon.exe
G:\Program Files\Traynote\traynote.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\TEMP\art195E.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\HPGS2WNF.EXE
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ent>
O1 - Hosts: Feb. 26 - 9:41 pm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [DirectX] ddhelp32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RoboForm] "G:\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DirectX] ddhelp32.exe
O4 - HKCU\..\Run: [traynote] G:\Program Files\Traynote\traynote.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Help and Support.lnk = C:\Program Files\Verizon Online\Help Support\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu &4 - file://G:\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://G:\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://G:\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O13 - WWW. Prefix: http://
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
LS CalamityJane
Jun 29 2006, 12:48 AM
Go to your Control Panel and look in Add/Remove programs. If the following is listed, click on it to highlight it and press *remove*

RXToolBar
.................
Open HijackThis and do a *scan only*
Checkmark these items in the list and then press the *fix checked* button

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: ent>

O1 - Hosts: Feb. 26 - 9:41 pm

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O4 - HKLM\..\Run: [DirectX] ddhelp32.exe

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKCU\..\Run: [DirectX] ddhelp32.exe

O13 - WWW. Prefix: http://

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll

After pressing the *fix checked* button close HijackThis and delete these files (if found)

ddhelp32.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Program Files\RXToolBar (folder)
C:\WINDOWS\All Users\Documents\Settings\artm_new.dll

Reboot your computer. Scan once more with HijackThis and post a fresh log please smile.gif
King_Jenga
Jun 30 2006, 04:45 AM
Step by step.
1. No RXToolbar in program files.

2. The next two lines weren't fixable instead I got this error (I didn't e-mail them to the address yet).

O1 - Hosts: ent>

O1 - Hosts: Feb. 26 - 9:41 pm

[i]An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: ent>)
Error #75 - Path/File access error

Please email me at , reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan...


An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: Feb. 26 - 9:41 pm)
Error #75 - Path/File access error

Please email me at merijn@spywareinfoforum.info, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.[i/]

3. Deleting files:

Couldn't find these two:

ddhelp32.exe
C:\Program Files\RXToolBar (folder)

And wouldn't let me delete this one as 'a program or file running is using it'
C:\WINDOWS\All Users\Documents\Settings\artm_new.dll

4. Below is my fresh HijackTHis log

Logfile of HijackThis v1.99.1
Scan saved at 8:38:24 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
G:\RoboForm\RoboTaskBarIcon.exe
G:\Program Files\Traynote\traynote.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ent>
O1 - Hosts: Feb. 26 - 9:41 pm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RoboForm] "G:\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [traynote] G:\Program Files\Traynote\traynote.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Help and Support.lnk = C:\Program Files\Verizon Online\Help Support\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu &4 - file://G:\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://G:\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://G:\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



Okay, now what next? Thanks again.
Peter Eberle
LS CalamityJane
Jun 30 2006, 11:31 PM
Please download the Killbox by Option^Explicit.
http://www.downloads.subratam.org/KillBox.zip

Unzip/Extract the contents to your desktop
How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Once in Safe Mode, Open HijackThis and checkmark this item then press the *fix checked* button

O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\All Users\Documents\Settings\artm_new.dll

4. Open Killbox by clicking on Killbox.exe

5. Select *Delete on Reboot* in the first column

6. In the white box that says "Full Path of File delete", copy & paste in the following:

C:\WINDOWS\All Users\Documents\Settings\artm_new.dll

7. Press the red button with the white x in it. And when prompted about rebooting choose *Yes*

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):
C:\!KillBox

8. Reboot back into normal mode.

9. Navigate to the Killbox backup folder:
C:\!KillBox

a. Right–click the file or folder

b. Point to Send To

c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.
C:\!KillBox.zip

10. Go here to upload the file as an attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

Files to upload:

C:\!KillBox.zip

You DO NOT need to be a member to upload, anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I can collect it from there to submit for detection. I will reply to you back here in THIS thread.

11. Scan once more and post a fresh Hijackthis log back into this thread
King_Jenga
Jul 1 2006, 04:00 PM
Followed your instructions and here is the fresh HijackTHis Log. Thanks again. Peter

Logfile of HijackThis v1.99.1
Scan saved at 7:55:30 AM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
G:\RoboForm\RoboTaskBarIcon.exe
G:\Program Files\Traynote\traynote.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ent>
O1 - Hosts: Feb. 26 - 9:41 pm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RoboForm] "G:\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [traynote] G:\Program Files\Traynote\traynote.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Help and Support.lnk = C:\Program Files\Verizon Online\Help Support\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu &4 - file://G:\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://G:\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://G:\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/Tru...erizonYahoo.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
LS CalamityJane
Jul 1 2006, 04:18 PM
That went well, your HijackThis log looks good. I'll have you use another tool to fix your corrupted Hosts file.

However, you could please follow through on uploading the Killbox file so I can submit it for detection?

9. Navigate to the Killbox backup folder:
C:\!KillBox

a. Right–click the file or folder

b. Point to Send To

c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.
C:\!KillBox.zip

10. Go here to upload the file as an attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

Files to upload:

C:\!KillBox.zip

You DO NOT need to be a member to upload, anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I can collect it from there to submit for detection. I will reply to you back here in THIS thread.
..........................................
To fix the Hosts file (setting it back to the default by microsoft)

Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip

Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
(If you don't know what a Hosts file is...you didn't have a custom one smile.gif )
King_Jenga
Jul 2 2006, 11:10 PM
Jane,

Posted the killbox file as requested in the other forum. Downloaded the hoster zip and tried to restore the Host file but I get an error when I do.

'Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts'

and then the program closes.

Do I need to do this in safe mode?

Thanks,

Peter
LS CalamityJane
Jul 2 2006, 11:33 PM
Hmmm, well, it may not be located on your C: drive (you have stuff installed all over the place ohmy.gif )

Do a search on your system for HOSTS - we are looking for the one with NO extension.

You can right click and open it with Notepad. Copy the contents back here please. I just want to check that there is nothing bad in there.
King_Jenga
Jul 7 2006, 05:54 AM
QUOTE(CalamityJane @ Jul 2 2006, 03:33 PM) *
Hmmm, well, it may not be located on your C: drive (you have stuff installed all over the place ohmy.gif )

Do a search on your system for HOSTS - we are looking for the one with NO extension.

You can right click and open it with Notepad. Copy the contents back here please. I just want to check that there is nothing bad in there.


Jane,

I went looking and found the hosts file right where it was supposed be. There are actually two hosts files. One with no extension and one with a .new extension. Below is contents of the extensionless version.



ent>

Feb. 26 - 9:41 pm


127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial.




Now here is the one with the .new extension.



ent>



127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial.



Do I need to do anything with them?

Also, several programs don't seem to work properly anymore. From what I can tell they are all ones that access the internet in one way or another (auto-updaters and online-play). My guess is that the EWIDO spyware quarantined some of the files they need to work properly. I haven't re-opened that to try and fix the problem since I wanted to ask you first. Any suggestions. Thanks,

Peter
LS CalamityJane
Jul 7 2006, 01:24 PM
There are no bad entries in your HOSTS file anyway. Something just mucked up the usual text that appears in there on the default hosts file.

I'm sure it wasn't the files Ewido removed causing problems...these are the only files it removed (besides cookies):

C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\System32\testtestt.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\WINDOWS\System32\spoolsvv.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9D20CAB3-4A6F-4DD9-A386-D4C7AC523CD4}\RP717\A0293380.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\WINDOWS\System32\_zskwrkni05VPGV`GOYRFQKINED.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\System32\ipod.raw.exe -> Proxy.Lager.az : Cleaned with backup (quarantined).

And that is all malware files.

I suspect the amount of malware on your system has done some damage. As I stated early on you had quite a lot of malware and trojans. If any programs aren't working properly I would recommend you uninstall/reinstall those. Is your AVAST AV up to date? It should have caught some of these and prevented some of this.

Have you run Adaware with the latest updates on this PC?

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
King_Jenga
Jul 8 2006, 05:30 AM
Both Avast and Ad-aware are up to date and not showing anything now. I think that my wife installed a game that may have had some of the things in it and somehow that got around Avast. I'll re-install all of the things that aren't working. Thanks for your help.
LS CalamityJane
Jul 8 2006, 05:10 PM
Yes, that would be a good idea to uninstall/reinstall your security programs like your AV

Some final cleanup and prevention recomendations follow.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help smile.gif.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.