Popup-MediaTicketsInstaller-cash8.exe-HiJackThis Log posted

quezl (Newbie Poster)
#1, Mar 28th, 2006

Getting popup with the url...

http://****you.00freehost.com/index.html

...also noticed in the popup that...

MediaTicketsInstaller

...was being installed.

In past hijackthis logs I've had instances of...

Tric - C:\WINNT\ICROSOFT.NET\nopdb.exe
Startup Entry Nhkchymj

...which I have deleted but just come back.

I also have this file...

cash**.exe (currently cash8.exe, although it has other file names, the cash part is what seems to be consistent)

...on C:\ that keeps returning even though I've booted in safe mode and deleted it.

I had a couple other hijackthis log entries I've deleted that I don't remember, but these are the things that are the most consistent. And since I have deleted all of these, I'm sure something else I DON'T SEE is actually causing all of this.

Here's my current hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:57:51 AM, on 3/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\firefox.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\cash8.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\ICROSO~1.NET\nopdb.exe
C:\Documents and Settings\administrator\My Documents\?dobe\d?dplay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\cash8.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

...in which you can see cash8.exe and some other stuff that I know shouldn't be there running. And if I stay on my pc long enough one or more of the other bad entries will come back, not to mention the popup hasn't gone away.

I'd love for someone to give me a little help with this, as it has gotten really annoying.

Thanks a ton, in advance
D3m3nt3d (Posting Whiz in Training)
#2, Mar 28th, 2006

Download Spysweeper here
http://www.malwareteks.com/dload.php...load&file_id=5
-Update to the latest definitions and run it
-Please attach the log when returning

Download WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-Follow step 9 here on how to properly run it:
http://wiki.castlecops.com/Vundo_Roo...oval_Procedure
-Save the log and attach for me

Also include a new HijackThis log and we'll go from there....

Good Luck
Proud Member of ASAP (Alliance of Security Analysis Professionals)
quezl (Newbie Poster)
#3, Mar 29th, 2006

Ran into a problem...

and I know this really doesn't have anything to do with you, but I followed the instructions and I COULD NOT GET WINPFIND TO RUN!

I ran it 3 times yesterday allowing it at least 3 hours. My hard drive activity would never stop but nothing else would happen either. The last time I just let it run all night while I was asleep and when I woke up still the same. Each time I ended up having to just end task.

But let me say this, shortly after I clicked the "Start Scan" button I got a message about my virtual memory being low, I clicked OK as the message said it would increase the size of the file so I thought all would be fine.

I don't know if this is a common problem or not. What I am going to try is manually increasing the size of my virtual memory and seeing if that will help the problem.

If I'm doing anything wrong, you have any suggestions, or some other program that will do the job maybe let me know.

And yeah I know it's not your job to be product support for WinPFind, I just hope maybe I'm doing something boneheaded or you've seen this before and can point me in the right direction.
D3m3nt3d (Posting Whiz in Training)
#4, Mar 29th, 2006

We'll try WinPFind, or some other scans a little later. Just do the Spysweeper scan and remove what it finds, then let me see it and another HijackThis log.
Proud Member of ASAP (Alliance of Security Analysis Professionals)
quezl (Newbie Poster)
#5, Mar 29th, 2006

Got that...

********
2:01 PM: | Start of Session, Tuesday, March 28, 2006 |
2:01 PM: Spy Sweeper started
2:01 PM: Sweep initiated using definitions version 643
2:01 PM: Starting Memory Sweep
2:10 PM: Found Adware: psguard\winhound fakealert
2:10 PM: Detected running threat: C:\WINNT\system32\oleext.dll (ID = 134)
2:11 PM: Found Trojan Horse: trojan downloader matcash
2:11 PM: Detected running threat: C:\Program Files\Common Files\Windows\services32.exe (ID = 184143)
2:12 PM: Found Adware: purityscan
2:12 PM: Detected running threat: C:\WINNT\?icrosoft.NET\nopdb.exe (ID = 230)
2:14 PM: Memory Sweep Complete, Elapsed Time: 00:13:03
2:14 PM: Starting Registry Sweep
2:15 PM: Found Adware: 180search assistant/zango
2:15 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
2:15 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
2:15 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135599)
2:15 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135601)
2:15 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
2:15 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
2:15 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135624)
2:15 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135625)
2:15 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
2:15 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
2:15 PM: Found Adware: ist powerscan
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\power scan\ (2 subtraces) (ID = 136826)
2:15 PM: HKCR\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137128)
2:15 PM: HKCR\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137170)
2:15 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
2:15 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
2:15 PM: HKCR\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137352)
2:15 PM: HKLM\software\classes\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137470)
2:15 PM: HKLM\software\classes\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137505)
2:15 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
2:15 PM: HKLM\software\classes\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137683)
2:15 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
2:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137987)
2:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\winnt\downloaded program files\mediaticketsinstaller.ocx (ID = 139078)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mediatickets\ (12 subtraces) (ID = 139080)
2:15 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
2:15 PM: Found Adware: ist yoursitebar
2:15 PM: HKLM\software\classes\ysb.ysbobj.1\ (3 subtraces) (ID = 147846)
2:15 PM: HKCR\ysb.ysbobj.1\ (3 subtraces) (ID = 147865)
2:15 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 147926)
2:15 PM: Found Adware: ist surf accuracy
2:15 PM: HKLM\software\sacc\ (4 subtraces) (ID = 203068)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
2:15 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 396447)
2:15 PM: Found Trojan Horse: trojan-backdoor-netpt
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_netpt\ (12 subtraces) (ID = 1125342)
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_perffont\ (8 subtraces) (ID = 1125354)
2:15 PM: HKLM\system\currentcontrolset\services\netpt\ (11 subtraces) (ID = 1125365)
2:15 PM: HKLM\system\currentcontrolset\services\perffont\ (12 subtraces) (ID = 1128287)
2:15 PM: Found Adware: maxifiles
2:15 PM: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
2:15 PM: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
2:15 PM: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
2:15 PM: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
2:15 PM: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
2:15 PM: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
2:15 PM: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
2:15 PM: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
2:15 PM: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
2:15 PM: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
2:15 PM: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
2:15 PM: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
2:16 PM: HKU\S-1-5-21-796845957-152049171-1060284298-500\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\180search assistant\ (1 subtraces) (ID = 972193)
2:16 PM: Registry Sweep Complete, Elapsed Time:00:01:24
2:16 PM: Starting Cookie Sweep
2:16 PM: Found Spy Cookie: 247realmedia cookie
2:16 PM: administrator@247realmedia[1].txt (ID = 1953)
2:16 PM: Found Spy Cookie: 2o7.net cookie
2:16 PM: administrator@2o7[2].txt (ID = 1957)
2:16 PM: Found Spy Cookie: yieldmanager cookie
2:16 PM: administrator@ad.yieldmanager[2].txt (ID = 3751)
2:16 PM: Found Spy Cookie: epilot cookie
2:16 PM: administrator@adcenter.epilot[1].txt (ID = 2622)
2:16 PM: Found Spy Cookie: hbmediapro cookie
2:16 PM: administrator@adopt.hbmediapro[2].txt (ID = 2768)
2:16 PM: Found Spy Cookie: adrevolver cookie
2:16 PM: administrator@adrevolver[1].txt (ID = 2088)
2:16 PM: administrator@adrevolver[3].txt (ID = 2088)
2:16 PM: Found Spy Cookie: pointroll cookie
2:16 PM: administrator@ads.pointroll[1].txt (ID = 3148)
2:16 PM: Found Spy Cookie: apmebf cookie
2:16 PM: administrator@apmebf[1].txt (ID = 2229)
2:16 PM: Found Spy Cookie: ask cookie
2:16 PM: administrator@ask[1].txt (ID = 2245)
2:16 PM: Found Spy Cookie: belnk cookie
2:16 PM: administrator@belnk[1].txt (ID = 2292)
2:16 PM: Found Spy Cookie: overture cookie
2:16 PM: administrator@bidtool.overture[1].txt (ID = 3106)
2:16 PM: Found Spy Cookie: bilbo.counted.com cookie
2:16 PM: administrator@bilbo.counted[2].txt (ID = 2306)
2:16 PM: Found Spy Cookie: goclick cookie
2:16 PM: administrator@c.goclick[2].txt (ID = 2733)
2:16 PM: Found Spy Cookie: casalemedia cookie
2:16 PM: administrator@casalemedia[1].txt (ID = 2354)
2:16 PM: administrator@content.overture[1].txt (ID = 3106)
2:16 PM: administrator@dist.belnk[2].txt (ID = 2293)
2:16 PM: Found Spy Cookie: findwhat cookie
2:16 PM: administrator@findwhat[1].txt (ID = 2674)
2:16 PM: Found Spy Cookie: oinadserve cookie
2:16 PM: administrator@oinadserve[2].txt (ID = 3091)
2:16 PM: administrator@overture[1].txt (ID = 3105)
2:16 PM: administrator@perf.overture[1].txt (ID = 3106)
2:16 PM: Found Spy Cookie: qksrv cookie
2:16 PM: administrator@qksrv[1].txt (ID = 3213)
2:16 PM: Found Spy Cookie: questionmarket cookie
2:16 PM: administrator@questionmarket[1].txt (ID = 3217)
2:16 PM: Found Spy Cookie: server.iad.liveperson cookie
2:16 PM: administrator@server.iad.liveperson[2].txt (ID = 3341)
2:16 PM: Found Spy Cookie: serving-sys cookie
2:16 PM: administrator@serving-sys[2].txt (ID = 3343)
2:16 PM: Found Spy Cookie: servlet cookie
2:16 PM: administrator@servlet[1].txt (ID = 3345)
2:16 PM: Found Spy Cookie: statcounter cookie
2:16 PM: administrator@statcounter[2].txt (ID = 3447)
2:16 PM: Found Spy Cookie: tacoda cookie
2:16 PM: administrator@tacoda[2].txt (ID = 6444)
2:16 PM: Found Spy Cookie: tribalfusion cookie
2:16 PM: administrator@tribalfusion[1].txt (ID = 3589)
2:16 PM: Found Spy Cookie: clickxchange adware cookie
2:16 PM: administrator@www.clickxchange[2].txt (ID = 2409)
2:16 PM: administrator@www.epilot[1].txt (ID = 2622)
2:16 PM: Found Spy Cookie: portland.co cookie
2:16 PM: administrator@www.portland.co[1].txt (ID = 3180)
2:16 PM: Found Spy Cookie: adserver cookie
2:16 PM: administrator@z1.adserver[1].txt (ID = 2142)
2:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:08
2:16 PM: Starting File Sweep
2:16 PM: c:\program files\toolbar888 (9 subtraces) (ID = -2147456311)
2:16 PM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
2:16 PM: Found Adware: winhound
2:16 PM: c:\documents and settings\administrator\application data\winhound.com (11 subtraces) (ID = -2147462035)
2:16 PM: c:\program files\winhound (1 subtraces) (ID = -2147462133)
2:17 PM: mc-110-12-0000344.exe (ID = 246327)
2:18 PM: mc-110-12-0000344.exe (ID = 190798)
2:18 PM: freeprodtb.exe (ID = 244762)
2:18 PM: services32.exe (ID = 184143)
2:25 PM: autoit3.exe (ID = 185254)
2:25 PM: dc12.exe (ID = 258578)
2:25 PM: Found Trojan Horse: sdbot
2:25 PM: rp5[1].exe (ID = 271539)
2:26 PM: mediaticketsinstaller.ocx (ID = 73162)
2:26 PM: basis.xml (ID = 244764)
2:31 PM: backup-20060328-064524-240.inf (ID = 73158)
2:31 PM: launcher[1].exe (ID = 243410)
2:33 PM: netpt.sys (ID = 235796)
2:41 PM: toolbar888.dll (ID = 244763)
2:42 PM: mediaticketsinstaller.inf (ID = 73158)
2:44 PM: win32ssr.exe (ID = 271539)
2:44 PM: tds[2].exe (ID = 258578)
2:50 PM: mediaticketsinstaller.ocx (ID = 73162)
2:50 PM: drdata[1].avi (ID = 190798)
2:53 PM: mc-110-12-0000344.exe (ID = 190798)
2:54 PM: freeprodtb[1].exe (ID = 244762)
2:54 PM: a.exe (ID = 271539)
2:55 PM: tds[1].exe (ID = 258578)
2:56 PM: mediaticketsinstaller.ocx (ID = 73162)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: perfont.exe (ID = 258578)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: mc-110-12-0000344[1].exe (ID = 246327)
2:59 PM: File Sweep Complete, Elapsed Time: 00:42:38
2:59 PM: Full Sweep has completed. Elapsed time 00:57:23
2:59 PM: Traces Found: 528
3:56 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
3:58 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:00 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:02 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:18 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:32 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:33 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:34 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:36 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:37 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:44 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
7:26 PM: Removal process initiated
7:26 PM: Quarantining All Traces: 180search assistant/zango
7:26 PM: Quarantining All Traces: psguard\winhound fakealert
7:27 PM: psguard\winhound fakealert is in use. It will be removed on reboot.
7:27 PM: C:\WINNT\system32\oleext.dll is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: purityscan
7:27 PM: Quarantining All Traces: sdbot
7:27 PM: Quarantining All Traces: trojan downloader matcash
7:27 PM: trojan downloader matcash is in use. It will be removed on reboot.
7:27 PM: services32.exe is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: maxifiles
7:28 PM: maxifiles is in use. It will be removed on reboot.
7:28 PM: mc-110-12-0000344.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: trojan-backdoor-netpt
7:28 PM: Quarantining All Traces: ist powerscan
7:28 PM: Quarantining All Traces: ist surf accuracy
7:28 PM: Quarantining All Traces: ist yoursitebar
7:28 PM: Quarantining All Traces: winhound
7:28 PM: Quarantining All Traces: 247realmedia cookie
7:28 PM: Quarantining All Traces: 2o7.net cookie
7:28 PM: Quarantining All Traces: adrevolver cookie
7:28 PM: Quarantining All Traces: adserver cookie
7:28 PM: Quarantining All Traces: apmebf cookie
7:28 PM: Quarantining All Traces: ask cookie
7:28 PM: Quarantining All Traces: belnk cookie
7:28 PM: Quarantining All Traces: bilbo.counted.com cookie
7:28 PM: Quarantining All Traces: casalemedia cookie
7:28 PM: Quarantining All Traces: clickxchange adware cookie
7:28 PM: Quarantining All Traces: epilot cookie
7:28 PM: Quarantining All Traces: findwhat cookie
7:28 PM: Quarantining All Traces: goclick cookie
7:28 PM: Quarantining All Traces: hbmediapro cookie
7:28 PM: Quarantining All Traces: oinadserve cookie
7:28 PM: Quarantining All Traces: overture cookie
7:28 PM: Quarantining All Traces: pointroll cookie
7:28 PM: Quarantining All Traces: portland.co cookie
7:28 PM: Quarantining All Traces: qksrv cookie
7:28 PM: Quarantining All Traces: questionmarket cookie
7:28 PM: Quarantining All Traces: server.iad.liveperson cookie
7:28 PM: Quarantining All Traces: serving-sys cookie
7:28 PM: Quarantining All Traces: servlet cookie
7:28 PM: Quarantining All Traces: statcounter cookie
7:28 PM: Quarantining All Traces: tacoda cookie
7:28 PM: Quarantining All Traces: tribalfusion cookie
7:28 PM: Quarantining All Traces: yieldmanager cookie
7:29 PM: Removal process completed. Elapsed time 00:02:46
********
1:56 PM: | Start of Session, Tuesday, March 28, 2006 |
1:56 PM: Spy Sweeper started
1:58 PM: Updating spyware definitions
2:01 PM: Your spyware definitions have been updated.
2:01 PM: | End of Session, Tuesday, March 28, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 10:00:53 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\cash17.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\FNTS~1\notepad.exe
C:\Documents and Settings\Default User\Application Data\a?sembly\??chost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTick...cab?refid=5172
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
D3m3nt3d (Posting Whiz in Training)
#6, Mar 29th, 2006

Ok - still a little more to do

Since Spysweeper detected PSGuard, let's make sure we remove it all.

Download smitRem.exe -Save it to your Desktop.
-DoubleClick it to extract the contents to a new smitRem Folder.
-Just leave it for now.

Please Boot to Safe Mode.

Go to Start>Run type Services.msc
-Locate the following two services
firefox auto update
Internet Explorer Web Browser
-Right click and choose Stop if not greyed out
-Choose Properties
-Change Startup Type to disabled

Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and paste the following one at a time and delete them
firefox auto update
Internet Explorer Web Browser
Now scan with HijackThis and check the following if they exist
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTic....cab?refid=5172
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe
Now close ALL Browsers and choose Fix Checked

Continuing in Safe Mode....

-Open the smitRem Folder
-DoubleClick the RunThis.bat file to run the tool.
-Follow the prompts on screen
-Allow the tool to complete its run and finish the Disk Cleanup.
-Reboot to Normal Mode
-There should be a log at C:\smitfiles.txt.
-Please submit that and one more HijackThis log

Let me know if you are still having any problems..
Proud Member of ASAP (Alliance of Security Analysis Professionals)
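A triage pass over the kind of HijackThis log posted in this thread, as an added example that is not part of the thread or of HijackThis itself: it flags the entries the helper singled out (an executable at the drive root, browser binaries living under C:\WINNT, "Unknown owner" services, paths with characters HijackThis printed as "?", and an ActiveX download from a host outside a small allowlist). The sample log, the Windows directory C:\WINNT, and the TRUSTED_DPF_HOSTS allowlist are assumptions built from this thread's logs.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 log format, built from the line
# shapes in this thread's two logs; URLs keep the "..." the forum inserted.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\firefox.exe
C:\\cash17.exe
C:\\Documents and Settings\\administrator\\My Documents\\?dobe\\d?dplay.exe
C:\\WINNT\\system32\\FNTS~1\\notepad.exe
C:\\Documents and Settings\\Default User\\Application Data\\a?sembly\\??chost.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTick...cab?refid=5172
O23 - Service: ewido security suite control - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\\WINNT\\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\\WINNT\\iexplore.exe
"""

WINDIR = r"c:\winnt"                         # Windows 2000 default, as in the thread
SYSTEM_DIRS = {WINDIR, WINDIR + r"\system32"}
BROWSERS = {"firefox.exe", "iexplore.exe"}  # genuine copies live under Program Files
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "notepad.exe", "winlogon.exe"}
# Names the infection in this thread imitated with unprintable characters.
IMITATED_NAMES = {"adobe", "assembly", "svchost.exe", "microsoft.net"}
# Assumption: a site-specific allowlist of ActiveX (O16) download hosts.
TRUSTED_DPF_HOSTS = {"security.symantec.com"}

def _split(path):
    """Lowercased (parent directory, file name) of a Windows path."""
    parts = path.lower().split("\\")
    return "\\".join(parts[:-1]), parts[-1]

def _lookalike(component, known):
    """Same length and at most two differing characters: '?dobe' vs 'adobe'."""
    diffs = sum(a != b for a, b in zip(component, known))
    return len(component) == len(known) and 0 < diffs <= 2

def process_reasons(path):
    """Why a 'Running processes' entry deserves a look (empty list = nothing)."""
    parent, name = _split(path)
    reasons = []
    if re.fullmatch(r"[a-z]:", parent):
        reasons.append("executable launched from the drive root")
    if "?" in path:
        reasons.append("path contains characters HijackThis could not print")
    if name in BROWSERS and not parent.startswith(r"c:\program files"):
        reasons.append(f"{name} running outside Program Files")
    if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name {name} outside the system directories")
    reasons += [f"'{c}' imitates '{k}'" for c in path.lower().split("\\")
                for k in IMITATED_NAMES if _lookalike(c, k)]
    return reasons

def service_reasons(line):
    """O23 lines: 'Unknown owner' services in the Windows dir or named after a browser."""
    try:
        _name, owner, path = line.split(" - ", 1)[-1].rsplit(" - ", 2)
    except ValueError:                        # malformed O23 line, nothing to say
        return []
    parent, exe = _split(path.strip())
    reasons = []
    if owner.strip().lower() == "unknown owner":
        if parent == WINDIR:
            reasons.append("unknown-owner service binary directly in the Windows directory")
        if exe in BROWSERS:
            reasons.append(f"service binary named after browser {exe}")
    return reasons

def dpf_reasons(line):
    """O16 lines: ActiveX download (DPF) from a host outside the allowlist."""
    host = urlparse(line.rsplit(" - ", 1)[-1].strip()).hostname or ""
    return [] if host in TRUSTED_DPF_HOSTS else [f"ActiveX download from untrusted host {host}"]

def triage(log_text):
    """Map each suspicious line of a HijackThis log to its list of reasons."""
    findings, in_processes = {}, False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        in_processes = in_processes and bool(line)   # a blank line ends the list
        if in_processes:
            reasons = process_reasons(line)
        elif line.startswith("O23 - "):
            reasons = service_reasons(line)
        elif line.startswith("O16 - "):
            reasons = dpf_reasons(line)
        else:
            reasons = []
        if reasons:
            findings[line] = reasons
    return findings
```

Running `triage(SAMPLE_LOG)` flags the eight lines a helper would ask about and leaves smss.exe and the Program Files copy of firefox.exe alone.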
quezl (Newbie Poster)
#7, Mar 29th, 2006

Things seem better now...


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 03/29/2006
The current time is: 10:40:21.22

Running from
C:\Documents and Settings\administrator\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 552 'explorer.exe'
Killing PID 552 'explorer.exe'
Error 0x5 : Access is denied.


Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINNT\system32\wininet.dll for infection ~~~~


~~~~ C:\WINNT\system32\wininet.dll Clean! ~~~~
D3m3nt3d
#8 Mar 29th, 2006
Great! Smitrem cleaned your WinHound infection - so good thing we ran it.

How about the new HijackThis log?
quezl
#9 Mar 29th, 2006
Sorry got it right here...

Logfile of HijackThis v1.99.1
Scan saved at 11:00:36 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
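The helper compares this post-cleanup log against the first one, looking for what disappeared (the C:\cash8.exe process, the "Internet Explorer" service pointing at C:\WINNT\iexplore.exe) and for launch paths that do not belong. As an added example, not code from the thread or from HijackThis, here is a Python script that diffs two HJT logs and flags the two path patterns the thread dealt with; the sample logs are constructed in HJT 1.99 format.

```python
import re
# Constructed sample logs in HijackThis 1.99 format, modelled on (not copied from)
# the before/after logs in this thread.
BEFORE = r"""Running processes:
C:\cash8.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""
AFTER = r"""Running processes:
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)  # non-greedy: keeps "Program Files"

def parse_hjt(text):
    """Return the running-process paths and the O-entries of an HJT log, lowercased."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip().lower() for l in text.splitlines()):
        if line.startswith("running processes:"):
            in_procs = True
        elif not line:          # blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.add(line)
        elif re.match(r"o\d+ - ", line):
            entries.add(line)
    return procs, entries

def diff_logs(before, after):
    """What the cleanup removed, and anything new that appeared afterwards."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {"removed": sorted((bp - ap) | (be - ae)), "new": sorted((ap - bp) | (ae - be))}

def suspicious(path):
    """Heuristics from this thread: executable in the drive root, browser-named binary outside Program Files."""
    parent, name = path.lower().rsplit("\\", 1)
    reasons = []
    if re.fullmatch(r"[a-z]:", parent):
        reasons.append("executable in drive root")
    if name in ("iexplore.exe", "firefox.exe") and "program files" not in parent:
        reasons.append("browser-named binary outside Program Files")
    return reasons

def flag_log(text):
    """Map every suspicious launch path found in processes or O-entries to its reasons."""
    procs, entries = parse_hjt(text)
    return {p: suspicious(p) for item in procs | entries for p in PATH_RE.findall(item) if suspicious(p)}
```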
D3m3nt3d
#10 Mar 29th, 2006
Well, your HijackThis log looks fine, other than that I see NO antivirus whatsoever?

You really need to take a look here and install one of these antiviruses & firewalls:
http://www.daniweb.com/techtalkforums/thread27519.html

Also, unless you plan on purchasing Spysweeper, you can uninstall it now.
©2003 - 2009 DaniWeb® LLC