popups persist despite all efforts, load.html in temp folder...

SuziQ
#1
Jul 8th, 2005
Please help. Using the info in these forums and my own diligence, I have gone from 2 trojans, various viruses and spyware/malware to only one problem left. I currently have Spybot, Ad-Aware and Spyware Doctor showing up as clean, and yet this small problem persists.

I have run

Spybot
RegSupreme - clean
Ad-Aware - clean
Spyware Doctor - clean
CWShredder - files not found
Killbox (2 times) - all files not found or killed
No Book
plvx2cleaner
SpywareBlaster
Windows XP Prefetch Clean and Control
AVG 6 virus scan
RegSupreme

Also did a full keyword scan of regedit for every keyword that I could find in the tech forums.
Did a full keyword scan of windows explorer for every keyword that I could find as well.

In the temp folder:
8A56EAB7.tmp
DFC5A2B2.tmp
Perflib_Perfdata_760.dat
Perflib_Perfdata_fec.dat

As soon as I open IE, I get load.html and GLB1A2B.exe in the temp folder and the popups start. Usually exitexchange popups, occasionally others.

Cannot delete the Perflib files and they do not show up when I'm safe booted.
Can delete the others and do, but they immediately repopulate as soon as I open IE.

Have Hijack This in a permanent folder.

HJT log (with everything closed):

Logfile of HijackThis v1.99.1
Scan saved at 9:54:59 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rakaam.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\notepad.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

SuziQ
#2
Jul 8th, 2005
Just as an addition to my information above, I had Ceres, A Better Internet and PaciMedia as well as 2 identified viruses:

downloader.small.44.bw
dropper.agent.6.bu
installaps.exe

I include these because I've been told that they can appear to be gone only to reappear a week later.

Thanks in advance for any help.

dlh6213
#3
Jul 8th, 2005
Hi SuziQ, welcome to DaniWeb.

Looks like you've done quite a bit already. Hopefully we can help you get the rest.

Scan with HJT and have it fix the following entry:

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to C:\WINDOWS\system32 and delete lfrt.dll.

Do a search for winadm.exe and delete any instances found.

Go to C:\WINDOWS\system32 and locate rakaam.exe, right-click on the file and then click on Properties; give us whatever info you can on it in your next post (company, version, etc.).

Follow the instructions in this thread (run at least two of the free online scans):
http://www.daniweb.com/techtalkforums/thread27570.html

Links to help you help yourself:

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

SuziQ
#4
Jul 8th, 2005
Thanks for the welcome and your reply. :-)

Also, just to note, I have pared my prefetch down to the boot, regedit and there's a file there called layout.ini.

I am doing the search - didn't find winadm in explorer, but did find it in the registry in the same place I seem to have found a lot of problems...the Search Assistant/ACMru. Today, despite a search I did yesterday, I found not only winadm, but nail and the other two odd named keys associated with nail as well as a neighboring set of keys with the svcproc file. Is something repopulating this search assistant area that we are somehow missing or is this just from the reinfection? The temptation is to just remove the Search Assistant altogether, but I never do that in RegEdit unless I know darn well what it means to do so. For now, I've just deleted the keys.

(Learning user edit: am I correct in realizing that this is just a list of things I've searched for in Windows Explorer? Because I now think that's the case.)

As for rakaam, neither my eyes nor my Explorer search puppy can find it, and I have enabled all the "show hidden files" options that I know about. I had earlier gone into my msconfig and clicked off fnonbkcm and rakaam and nada from the startup list. They are still disabled and fnonbkcm appears non-loaded, but nada & rakaam seem to have loaded anyway, and yet I cannot find rakaam. There is also one other item there, ieeser.exe, that I do not recognize.

I found nada.exeCommon Startup in the C:\Windows\pss location. The properties summary was blank. Also in this folder are boot.ini.backup, system.ini.backup and win.ini.backup. I did not delete it.

I found ieeser.exe in the Windows\System32 folder. The properties summary was blank. I did not delete it.

In doing a reg search, I found no instance of rakaam but I did find fnonbkcm. In the MSConfig file, I found a folder startupreg. In there is a folder for fnonbkcm and in that, it says that there is a command:
c:\windows\system32\fnonbkcm.exe
hkey is HKLM
key is software\microsoft\windows\currentversion\run

ieeser.exe is located in the registry under
hkey users/software/microsoft/windows\currentversion\run
key is YwwRkf5j
value data is ieeser.exe
Again, I can't find it by any method I know of.

Thoughts?

Right, so now onto the online scans whilst you see if any of the above is a good key to what's wrong.

thanks again...

SuziQ
#5
Jul 8th, 2005
Also to note: I did another HijackThis scan before the online scans with everything else closed, and re-deleted the O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll.

When I was done, I reran the scan; it's back again. Here's that log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:32 AM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rakaam.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
D:\Utility\Trillian\trillian.exe
C:\WINDOWS\system32\ieeser.exe
C:\WINDOWS\system32\iescap.exe
C:\Program Files\Aprps\CxtPls.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
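The two logs above are what a helper reads side by side: the O20 entry that came back after the fix, and the two new O4 entries with random-looking names running pathless executables. As an added example (not code from the thread or from HijackThis), the Python below parses HJT entry lines, diffs the two scans, and flags the entry types acted on in this thread; the sample logs are excerpts copied from the posts, and the three heuristics are the editor's own assumptions.

```python
"""HijackThis log triage (added example; not the thread's or HijackThis's own code).

The sample logs are short excerpts copied from the two scans in the thread; the
three heuristics in flag() are the editor's assumptions, not HijackThis features.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Entry lines look like "O4 - HKLM\..\Run: [name] command"; header lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Autostart value names like [p7Fj3qT] or [YwwtRkf5j]: short alphanumerics with digits.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,12}$")


@dataclass(frozen=True)
class Entry:
    code: str    # section code, e.g. "O20"
    detail: str  # rest of the line, exactly as logged


def parse_log(text: str) -> List[Entry]:
    """Return the entry lines of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Split the newer scan into entries that appeared since and entries that persisted."""
    old_set = set(old)
    return [e for e in new if e not in old_set], [e for e in new if e in old_set]


def flag(entry: Entry) -> Optional[str]:
    """Return a reason if the entry matches one of the heuristics, otherwise None."""
    d = entry.detail
    if entry.code == "O20" and d.startswith("Winlogon Notify:"):
        # Loaded by winlogon before the desktop appears; the thread's lfrt.dll sits here.
        return "Winlogon Notify DLL"
    if entry.code == "F2" and "Shell=" in d:
        # Shell=Explorer.exe should stand alone; in the thread Nail.exe was appended.
        if len(d.split("Shell=", 1)[1].split()) > 1:
            return "extra executable appended to Shell="
    if entry.code == "O4":
        m = re.search(r"\[(.+?)\] (.*)$", d)
        if m:
            name, cmd = m.group(1), m.group(2)
            pathless = re.search(r"[\\:]", cmd) is None  # no drive letter or directory
            if pathless and RANDOM_NAME_RE.match(name) and not name.isalpha():
                return "random-looking autostart name running a pathless executable"
    return None


def triage(old_text: str, new_text: str) -> Dict[str, Dict[str, str]]:
    """Compare two scans: which flagged entries are new, and which survived a fix."""
    appeared, persisted = diff_logs(parse_log(old_text), parse_log(new_text))

    def flagged(entries: List[Entry]) -> Dict[str, str]:
        out = {}
        for e in entries:
            reason = flag(e)
            if reason:
                out[e.detail] = reason
        return out

    return {"new_flagged": flagged(appeared), "persisted_flagged": flagged(persisted)}


# Excerpts of the thread's first log (7/7/2005) and the log after the O20 fix (7/8/2005).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:54:59 PM, on 7/7/2005
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:56:32 AM, on 7/8/2005
Running processes:
C:\WINDOWS\system32\ieeser.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
"""

if __name__ == "__main__":
    for section, hits in triage(LOG_BEFORE, LOG_AFTER).items():
        print(section)
        for detail, reason in hits.items():
            print(f"  {detail}\n      -> {reason}")
```

Run against the two excerpts, the report lists the O20 lfrt.dll entry under persisted_flagged (the fix did not stick) and the two random-name O4 entries under new_flagged.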

dlh6213
#6
Jul 8th, 2005
Originally Posted by SuziQ
...I found not only winadm, but nail and the other two odd named keys associated with nail as well as a neighboring set of keys with the svcproc file...
Nail and svcproc indicate you have, or have had, the Aurora infection. The process of ridding your system of that may take care of the other problems as well, so you should start with that.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop, but don't open it yet.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail...e/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.p...50515010747824
Unzip it to your desktop, but do not run it yet.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, scan with hijackthis and have it fix the following entries (if present):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Go to the following locations and delete the highlighted files (if found):

C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\lfrt.dll
C:\windows\SvcProc.exe

If any of the files could be located but not deleted, run the Pocket Killbox, paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying "File will be deleted on next reboot, Process and Reboot now?". Click Yes to reboot (reboot into normal mode). (Note: the 'file path' will be something like C:\WINDOWS\system32\lfrt.dll.)

Allow your system to reboot normally, empty your Recycle Bin, close any open browser windows, scan with HJT, and post a new log along with the Ewido log and the results of any other scans you ran.

SuziQ
#7
Jul 9th, 2005
Hi, I have seldom felt this futile, to be honest. I did the Ewido scan; it took forever but found tons wrong and supposedly fixed them. Did everything step by step as you said, rebooted and ran HijackThis, and everything I had deleted is back.

Had to use Killbox for C:\WINDOWS\system32\lfrt.dll; obviously that failed, as it's back. Incidentally, I ran Ewido on that one file and it did not recognize it as a threat.

One thing I did notice in safe mode: there were indexes in the temp folder I could not delete, and there were these odd files in the temp internet folders inside the temp folders that I couldn't delete. I couldn't copy the names, so I typed one out by hand as an example. No file extension to be seen.

C:\Documents and Settings\SuziQ\Local Settings\Temp\Temporary Internet Files\Content.IE5\01KLM5OP\lor_bg=FFFFFF&color_text=000000&color_link=0000FF&color_url=0080000&color_border=336699&ad_type=text_image&u_h=1024&u_w=1280&u_ah=996&u_aw=1280&u_cd=32&u_tz=-420&u_his=98&u_java=true

Now then, Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:10:07 PM, 7/8/2005
+ Report-Checksum: 4B953B76

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\p0w11WOVcJPU -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\p0wN1WOVcJPU -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nada.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
:mozilla.6:C:\Documents and Settings\SuziQ\Application Data\Mozilla\Profiles\default\5n3cr88q.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\SuziQ\Cookies\suziq@122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\pss\nada.exeCommon Startup -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\cKbinet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\CldLineExt03.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ieeser.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\system32\iescap.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\WINDOWS\system32\ihetcfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LDPCD11N.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LJLMA11N.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhexch35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvmefilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ngevent.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\puquu.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\rakaam.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\rkekkue.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\ukrkk.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\Temp\AutoUpdate0\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IGH3DB3G\AutoUpdaterInstaller[1].exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\WINDOWS\zhwpvels.exe -> Spyware.BookedSpace : Cleaned with backup
D:\C drive backup\Program Files\Messenger Plus! 2\Setup.dat/sponsor.exe -> TrojanDownloader.Swizzor.ag : Cleaned with backup

SuziQ
#8
Jul 9th, 2005
:mozilla.11:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.30:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.31:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.55:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.69:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.78:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.79:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.80:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.97:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.118:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.123:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.124:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.127:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.128:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.141:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.145:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.146:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.147:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.15:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.16:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.17:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.42:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.43:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.44:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.45:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.46:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.47:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.49:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.50:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.51:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.52:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.53:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.162:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.163:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.164:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.328:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.329:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.330:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.331:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.332:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.336:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.337:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.338:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.339:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.340:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.341:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.342:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.343:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.344:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.345:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.346:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.347:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.348:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.349:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.350:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.351:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.366:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.367:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.368:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.369:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.370:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.384:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.385:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.494:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.495:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.564:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.565:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.591:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.629:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.631:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.657:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.658:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.666:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.700:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.760:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.795:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.796:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.813:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.847:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Gator : Cleaned with backup
:mozilla.848:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Gator : Cleaned with backup
D:\C drive backup\Cookies\elves@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\C drive backup\Cookies\elves@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\C drive backup\Cookies\elves@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
D:\C drive backup\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\C drive backup\Cookies\elves@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Utility\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
G:\~to be sorted\My Download Files\download files\Matt's Server\CAKEWALK8.0\deleteme\DXMEDIA.EXE/actmovie.exe -> Worm.Finaldo.a : Cleaned with backup
:mozilla.10:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.29:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.53:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.67:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.76:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.77:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.78:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.95:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.116:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.121:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.122:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.125:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.126:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.139:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.143:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.144:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.145:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.17:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.19:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.21:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.26:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.27:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.29:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.30:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.31:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.34:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.35:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.36:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.37:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.38:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.39:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.40:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.41:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.42:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.43:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.44:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.45:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.46:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.54:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.63:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.83:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.84:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.85:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.119:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.120:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.121:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.128:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.129:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.130:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.131:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.132:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.133:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.137:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.138:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.152:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.158:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.160:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.161:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.277:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.278:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.279:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.422:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.423:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.424:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.425:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.426:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.430:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.431:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.432:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.433:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.434:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.435:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.436:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.437:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.438:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.439:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.440:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.441:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.442:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.443:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.444:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.445:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.471:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.472:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.563:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.564:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.630:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.631:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.656:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.716:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.717:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.725:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.753:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.813:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.844:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.845:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
G:\~to be sorted\My Documents old\Fan Fiction\our stories\bits in progress\figwit_fan.tripod[1].txt -> Trojan.WindowBomb.a : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\A Beginner's Guide to Firefox_files\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup


::Report End
SuziQ
Re: popups persist despite all efforts, load.html in temp folder...
#9
Jul 9th, 2005
after Ewido and before HJT cleans

Logfile of HijackThis v1.99.1
Scan saved at 11:12:13 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


after safe mode cleaning and normal reboot...

Logfile of HijackThis v1.99.1
Scan saved at 12:37:18 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Utility\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
D:\Utility\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



I am at a loss; I sure hope this seems more like progress to you than it does to me.

Am going to start one of the online scans and go to sleep. Thanks for all your efforts.

Suzi
dlh6213, Team Colleague
Re: popups persist despite all efforts, load.html in temp folder...
#10
Jul 9th, 2005
Ewido does take a while to scan (3 hrs on my system; luckily it hasn't found anything on mine yet). It looks like a lot of what it found on your system was infected backups.

That text in your temp folder is some programming language, but since I'm not a programmer, I don't know what it is, why it's in your temp folder, or why you can't delete it. You can try using the Killbox on it. The indexes are okay; they're supposed to be there.

Download, install, update, and run about:Buster -- http://www.majorgeeks.com/download4289.html

Download, install, and update CWShredder 2.15 -- http://www.intermute.com/products/cwshredder.html. Run it, and press Fix (not scan). Close any open windows, other than CWS, before hitting the Fix button.

Then see if C:\WINDOWS\system32\lfrt.dll still exists. If it does, right-click on it, go to Properties, and give us whatever info you can on it. Then have it scanned here:

http://virusscan.jotti.org/

A SilentRunners log may help also --

Download and run Silent Runners.vbs -- http://www.silentrunners.org/.

Post the information from the log it generates in your next reply along with a fresh HJT log and the results of the file scan.
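As an added example (not HijackThis code and not from either poster), the script below parses the two HJT logs posted above, diffs their autostart entries, flags O4 Run values that are bare file names or machine-looking names, and shows that C:\WINDOWS\system32\lfrt.dll stayed registered under a new Winlogon Notify subkey (ThemeManager in the first log, Telephony in the second), which is why dlh6213 asks whether the file still exists. The sample input is excerpted from the two logs; the "random name" heuristic is my own assumption, not an HJT rule.

```python
# Added example for this thread (not HijackThis code, not either poster's): diff two
# HJT logs and flag autostart entries to check. Sample input is excerpted from the
# two logs posted (7/8 and 7/9), with benign lines kept so the diff has noise to ignore.
import re

LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lfrt.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lfrt.dll
"""
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+)$")
# Heuristic (my assumption, not an HJT rule): mixed-case letters plus digits, no separators.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")

def parse_log(text):
    """Return (code, body) for every 'Rn/Fn/On - ...' line of an HJT log."""
    return [(m["code"], m["body"]) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def diff_logs(before, after):
    """Entries the cleanup removed, and entries that appeared afterwards."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)

def flag_run_entries(text):
    """Flag O4 Run values whose command is a bare file name (resolved through PATH,
    so not pinned to one location) or whose value name looks machine-generated."""
    flags = []
    for m in filter(None, (RUN_RE.match(b) for c, b in parse_log(text) if c == "O4")):
        exe = (m["cmd"].split() or [""])[0].strip('"')
        if "\\" not in exe:
            flags.append((m["name"], "bare file name: " + exe))
        if RANDOM_NAME_RE.match(m["name"]):
            flags.append((m["name"], "random-looking value name"))
    return flags

def renamed_notify_dlls(before, after):
    """O20 DLLs present in both logs but under a different Winlogon Notify subkey."""
    def subkeys(text):
        return {m["dll"]: m["subkey"] for c, b in parse_log(text)
                if c == "O20" for m in [NOTIFY_RE.match(b)] if m}
    nb, na = subkeys(before), subkeys(after)
    return [(d, nb[d], na[d]) for d in nb if d in na and nb[d] != na[d]]
```

SOUNDMAN.EXE is flagged too: a bare file name is worth a look even when it turns out to be legitimate, which is the point of the check.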
©2003 - 2009 DaniWeb® LLC