Please help. Using the info in these forums and my own diligence I have gone from 2 trojans, various viruses and spyware/malware to only one problem left. I currently have spybot, adaware and spyware doctor showing up as clean, and yet, this small problem persists.

I have run

Spybot
RegSupreme - clean
Ad Aware - clean
Spyware Doctor - clean
cwshredder - files not found
killbox (2 times) - all files not found or killed
No Book
plvx2cleaner
spyware blaster
windows xp prefetch clean and control
avg 6 virus scan
reg supreme

Also did a full keyword scan of regedit for every keyword that I could find in the tech forums.
Did a full keyword scan of windows explorer for every keyword that I could find as well.

In the temp folder:
8A56EAB7.tmp
DFC5A2B2.tmp
Perflib_Perfdata_760.dat
Perflib_Perfdata_fec.dat

As soon as I open IE, I get load.html and GLB1A2B.exe in the temp folder and the popups start. Usually exitexchange popups, occasionally others.

Cannot delete the Perflib files and they do not show up when I'm safe booted.
Can delete the others and do, but they immediately repopulate as soon as I open IE.

Have Hijack This in a permanent folder.

HJT log (with everything closed)

Logfile of HijackThis v1.99.1
Scan saved at 9:54:59 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rakaam.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\notepad.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Just as an addition to my information above, I had Ceres, A better internet and pacimedia as well as 2 identified viruses

downloader.small.44.bw

dropper.agent.6.bu
installaps.exe.

I include these because I've been told that they can appear to be gone, only to reappear a week later.

Thanks in advance for any help.

Hi SuziQ, welcome to DaniWeb :D

Looks like you've done quite a bit already :) Hopefully we can help you get the rest.

Scan with HJT and have it fix the following entry:

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to C:\WINDOWS\system32 and delete lfrt.dll.

Do a search for winadm.exe and delete any instances found.

Go to C:\WINDOWS\system32 and locate rakaam.exe, right-click on the file and then click on Properties; give us whatever info you can on it in your next post (company, version, etc.)

Follow the instructions in this thread (run at least two of the free online scans):
http://www.daniweb.com/techtalkforums/thread27570.html

Thanks for the welcome and your reply. :-)

Also, just to note, I have pared my prefetch down to the boot, regedit and there's a file there called layout.ini.

I am doing the search - didn't find winadm in explorer, but did find it in the registry in the same place I seem to have found a lot of problems...the Search Assistant/ACMru. Today, despite a search I did yesterday, I found not only winadm, but nail and the other two odd-named keys associated with nail, as well as a neighboring set of keys with the svcproc file. Is something repopulating this search assistant area that we are somehow missing, or is this just from the reinfection? The temptation is to just remove the Search Assistant altogether, but I never do that in RegEdit unless I know darn well what it means to do so. For now, I've just deleted the keys.

(learning user edit...am I correct in realizing that this is just a list of things I've searched for in windows explorer...because I now think that's the case.)

As for Rakaam, neither my eyes nor my explorer search puppy can find it, and I have enabled all "show hidden files" that I know about. I had earlier gone into my msconfig and clicked off fnonbkcm, rakaam and nada from the startup list. They are still disabled and fnonbkcm appears non-loaded, but nada & rakaam seem to have loaded anyway, and yet I cannot find rakaam. There is also one other item there, ieeser.exe, that I do not recognize.

I found nada.exeCommon Startup in the C:/Windows/pss location. The properties summary was blank. Also in this folder is boot.ini.backup, system.ini.backup and win.ini.backup. I did not delete it.

I found ieeser.exe in the Windows/System32 folder
The properties summary was blank. I did not delete it.

In doing a reg search, I found no instance of rakaam but I did find fnonbkcm. In the MSConfig file, I found a folder startupreg. In there is a folder for fnonbkcm and in that, it says that there is a command
c:\windows\system32\fnonbkcm.exe
hkey is HKLM
key is software\microsoft\windows\currentversion\run

ieeser.exe
located in registry under
hkey users/software/microsoft/windows\currentversion\run
key is YwwRkf5j
value data is ieeser.exe
again...can't find it any method I know of.

Thoughts?

Right, so now onto the online scans whilst you see if any of the above is a good key to what's wrong.

thanks again...

Also to note...I did another hijackthis before the online scans with everything else closed...and redeleted the O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll

When I was done, I reran the scan...it's back again. Here's that log...

Logfile of HijackThis v1.99.1
Scan saved at 6:56:32 AM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rakaam.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
D:\Utility\Trillian\trillian.exe
C:\WINDOWS\system32\ieeser.exe
C:\WINDOWS\system32\iescap.exe
C:\Program Files\Aprps\CxtPls.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

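As an added editor's example (not part of the thread, and not HijackThis's own code): a small Python triage helper that parses the O4 and O20 lines from the two logs above and attaches the cues that made entries like `[p7Fj3qT] iescap.exe` and the H323TSP Winlogon Notify DLL stand out, then lists which flagged entries survived from one log to the next. The set of default XP Winlogon Notify packages and the random-name heuristic are assumptions of this example, and the sample lines are copied from the logs posted above.

```python
"""
Triage helper for HijackThis-style log lines.

Added example; it is not code from the thread or from HijackThis. It parses
the O4 (registry Run) and O20 (Winlogon Notify) lines of a saved log and
attaches the triage cues a reviewer applies by eye: a command given as a bare
filename with no directory, a random-looking value name, and a Winlogon
Notify package that is not one of the Windows XP defaults. The cues are hints
for a human reviewer, not verdicts: SOUNDMAN.EXE below is a legitimate
bare-filename entry.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# "O4 - HKLM\..\Run: [Name] command"  (Global Startup lines use another shape and are skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O20 - Winlogon Notify: Name - path"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Winlogon Notify packages shipped with Windows XP. Assumption for this example:
# the list is reconstructed from a default XP install, not taken from the thread.
XP_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}


@dataclass(frozen=True)
class Entry:
    kind: str        # "O4" or "O20"
    location: str    # registry hive/key for O4, "Winlogon\\Notify" for O20
    name: str        # value name (O4) or package name (O20)
    target: str      # executable or DLL as written in the log
    flags: tuple     # triage cues, possibly empty


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _looks_random(name: str) -> bool:
    """Heuristic: short alnum name mixing cases and digits with no vowels (p7Fj3qT, YwwtRkf5j)."""
    return (name.isalnum() and 5 <= len(name) <= 12
            and any(c.islower() for c in name) and any(c.isupper() for c in name)
            and any(c.isdigit() for c in name)
            and not any(c in "aeiouAEIOU" for c in name))


def parse_entry(line: str):
    """Parse one O4 or O20 line into an Entry with triage flags; return None for other lines."""
    m = O4_RE.match(line.strip())
    if m:
        exe = _first_token(m["cmd"])
        flags = []
        if "\\" not in exe:
            flags.append("bare-filename")      # resolved via PATH/system dirs; real location unknown
        if _looks_random(m["name"]):
            flags.append("random-name")
        return Entry("O4", f"{m['hive']}\\..\\{m['key']}", m["name"], exe, tuple(flags))
    m = O20_RE.match(line.strip())
    if m:
        flags = []
        if m["name"] not in XP_NOTIFY_DEFAULTS:
            flags.append("non-default-notify")  # a DLL loaded into winlogon.exe at logon
        return Entry("O20", "Winlogon\\Notify", m["name"], m["path"].strip(), tuple(flags))
    return None


def flagged_entries(lines: Iterable[str]) -> list:
    """All parsed entries from a log that carry at least one triage flag, in log order."""
    entries = (parse_entry(l) for l in lines)
    return [e for e in entries if e is not None and e.flags]


def persisted(before: Iterable[str], after: Iterable[str]) -> list:
    """Flagged entries present in both logs, i.e. ones that survived (or returned after) a fix."""
    after_keys = {(e.kind, e.name, e.target) for e in flagged_entries(after)}
    return [e for e in flagged_entries(before) if (e.kind, e.name, e.target) in after_keys]


# Constructed sample: lines copied from the two logs posted in this thread.
LOG_1 = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run",
    r'O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q',
    r"O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll",
]
LOG_2 = LOG_1 + [
    r"O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe",
    r"O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe",
]

if __name__ == "__main__":
    for e in flagged_entries(LOG_2):
        print(f"{e.kind:4} {e.location:14} [{e.name}] {e.target}  <- {', '.join(e.flags)}")
    print("survived the fix:", [e.name for e in persisted(LOG_1, LOG_2)])
```

rakaam.exe, which the Ewido scan later in the thread identifies as a downloader, passes all three cues, so this output is a reading aid for a log, not a substitute for a scan.
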
...I found not only winadm, but nail and the other two odd named keys associated with nail as well as a neighboring set of keys with the svcproc file...

Nail and svcproc indicate you have, or have had, the Aurora infection. The process of ridding your system of that may take care of the other problems as well so you should start with that.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop, but don't open it yet.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, scan with hijackthis and have it fix the following entries (if present):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lfrt.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Go to the following locations and delete the highlighted files (if found):

C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\lfrt.dll
C:\windows\SvcProc.exe

If any of the files could be located but not deleted, run the Pocket Killbox, paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying "File will be deleted on next reboot, Process and Reboot now?". Click Yes to reboot (reboot into normal mode). (Note: the 'file path' will be something like C:\WINDOWS\system32\lfrt.dll.)

Allow your system to reboot normally, empty your Recycle Bin, close any open browser windows, scan with HJT, and post a new log along with the Ewido log and the results of any other scans you ran.

Hi, I have seldom felt this futile, to be honest. I did the Ewido scan...took forever but found tons wrong and supposedly fixed them. Did everything step by step as you said, rebooted and ran HijackThis, and everything I had deleted is back.

Had to use killbox for C:\WINDOWS\system32\lfrt.dll - obviously that failed as it's back. Incidentally, ran Ewido on that one file...it did not recognize it as a threat.

One thing I did notice in safe mode...there were indexes in the temp folder I could not delete and there were these odd files in the temp internet folders inside the temp folders that I couldn't delete. I couldn't copy the names, so I typed one out by hand as an example. No file extension to be seen.

C:\Documents and Settings\SuziQ\Local Settings\Temp\Temporary Internet Files\Content.IE5\01KLM5OP\lor_bg=FFFFFF&color_text=000000&color_link=0000FF&color_url=0080000&color_border=336699&ad_type=text_image&u_h=1024&u_w=1280&u_ah=996&u_aw=1280&u_cd=32&u_tz=-420&u_his=98&u_java=true

Now then, Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           11:10:07 PM, 7/8/2005
+ Report-Checksum:      4B953B76


+ Scan result:


HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\p0w11WOVcJPU -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\p0wN1WOVcJPU -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1177238915-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nada.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
:mozilla.6:C:\Documents and Settings\SuziQ\Application Data\Mozilla\Profiles\default\5n3cr88q.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\SuziQ\Cookies\suziq@122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\pss\nada.exeCommon Startup -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\cKbinet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\CldLineExt03.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ieeser.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\system32\iescap.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\WINDOWS\system32\ihetcfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LDPCD11N.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LJLMA11N.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhexch35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvmefilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ngevent.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\puquu.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\rakaam.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\rkekkue.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\ukrkk.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\Temp\AutoUpdate0\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IGH3DB3G\AutoUpdaterInstaller[1].exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\WINDOWS\zhwpvels.exe -> Spyware.BookedSpace : Cleaned with backup
D:\C drive backup\Program Files\Messenger Plus! 2\Setup.dat/sponsor.exe -> TrojanDownloader.Swizzor.ag : Cleaned with backup

Edited by pritaeas: Fixed formatting

:mozilla.11:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.30:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.31:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.55:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.69:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.78:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.79:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.80:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.97:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.118:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.123:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.124:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.127:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.128:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.141:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.145:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.146:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.147:D:\C drive backup\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.15:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.16:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.17:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.42:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.43:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.44:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.45:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.46:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.47:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.49:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.50:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.51:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.52:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.53:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.162:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.163:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.164:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.328:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.329:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.330:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.331:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.332:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.336:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.337:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.338:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.339:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.340:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.341:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.342:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.343:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.344:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.345:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.346:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.347:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.348:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.349:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.350:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.351:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.366:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.367:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.368:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.369:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.370:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.384:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.385:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.494:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.495:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.564:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.565:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.591:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.629:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.631:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.657:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.658:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.666:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.700:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.760:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.795:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.796:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.813:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.847:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Gator : Cleaned with backup
:mozilla.848:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Gator : Cleaned with backup
D:\C drive backup\Cookies\elves@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\C drive backup\Cookies\elves@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\C drive backup\Cookies\elves@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
D:\C drive backup\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\C drive backup\Cookies\elves@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Utility\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
G:\~to be sorted\My Download Files\download files\Matt's Server\CAKEWALK8.0\deleteme\DXMEDIA.EXE/actmovie.exe -> Worm.Finaldo.a : Cleaned with backup
:mozilla.10:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.29:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.53:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.67:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.76:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.77:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.78:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.95:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.116:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.121:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.122:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.125:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.126:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.139:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.143:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.144:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.145:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.17:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.19:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.21:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.26:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.27:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.29:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.30:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.31:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.34:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.35:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.36:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.37:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.38:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.39:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.40:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.41:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.42:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.43:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.44:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.45:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.46:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.54:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.63:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.83:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.84:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.85:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.119:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.120:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.121:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.128:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.129:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.130:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.131:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.132:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.133:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.137:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.138:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.152:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.158:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.160:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.161:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.277:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.278:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.279:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.422:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.423:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.424:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.425:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.426:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.430:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.431:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.432:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.433:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.434:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.435:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.436:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.437:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.438:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.439:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.440:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.441:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.442:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.443:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.444:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.445:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.471:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.472:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.563:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.564:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.630:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.631:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.656:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.716:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.717:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.725:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.753:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.813:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.844:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.845:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
G:\~to be sorted\My Documents old\Fan Fiction\our stories\bits in progress\figwit_fan.tripod[1].txt -> Trojan.WindowBomb.a : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\A Beginner's Guide to Firefox_files\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
G:\~to be sorted\My Documents old\my c drive backup\Cookies\elves@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup


::Report End
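A triage pass over the Ewido report above, added here as an illustration and not part of the original post or of Ewido itself. Almost every line in the report is a tracking cookie inside an old Firefox or IE profile copied to the D: and G: backup drives; the only non-cookie hits are a WildTangent plugin, a worm inside an archived installer, and a WindowBomb trojan in a saved HTML file, and none of them sit on the live system drive. The script below parses the report's `location -> family : action` line format (including the `:mozilla.<n>:` cookie-record prefix and the `archive/member` nesting), and separates cookie noise from real malware and backup-drive hits from system-drive hits. The sample lines are copied from the report above; treating C: as the live Windows drive is an assumption taken from the HijackThis paths.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Report line: "<location> -> <family> : <action>". Cookie hits carry a
# ":mozilla.<n>:" prefix giving the record index inside a cookies.txt file.
LINE_RE = re.compile(r"^(?::mozilla\.(\d+):)?(?P<loc>.+?) -> (?P<family>\S+) : (?P<action>.+)$")

SYSTEM_DRIVE = "C:"  # assumption: the live Windows install is on C:, as the HJT paths suggest

# Constructed sample: six lines copied from the report above plus its footer.
SAMPLE_REPORT = r"""
:mozilla.41:D:\C drive backup\Application Data\Mozilla\Firefox\Profiles\ym952cmz.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\C drive backup\Cookies\elves@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Utility\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
G:\~to be sorted\My Download Files\download files\Matt's Server\CAKEWALK8.0\deleteme\DXMEDIA.EXE/actmovie.exe -> Worm.Finaldo.a : Cleaned with backup
:mozilla.10:G:\~to be sorted\desktop backup 4_21_05\Application Data\Mozilla\Profiles\Melodia\uv1gzdnh.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
G:\~to be sorted\My Documents old\Fan Fiction\our stories\bits in progress\figwit_fan.tripod[1].txt -> Trojan.WindowBomb.a : Cleaned with backup
::Report End
"""


@dataclass(frozen=True)
class Detection:
    location: str                # file as reported (the container when the hit is inside an archive)
    member: Optional[str]        # archive member, e.g. "actmovie.exe" inside DXMEDIA.EXE
    cookie_index: Optional[int]  # record number inside a Mozilla cookies.txt, if any
    family: str                  # scanner classification, e.g. "Spyware.Cookie.Adserver"
    action: str                  # what the scanner did with the hit

    @property
    def drive(self) -> str:
        m = re.match(r"^[A-Za-z]:", self.location)
        return m.group(0).upper() if m else "?"

    @property
    def is_cookie(self) -> bool:
        return self.cookie_index is not None or self.family.startswith("Spyware.Cookie.")


def parse_report(text: str) -> list:
    """Parse Ewido report lines into Detection records, skipping headers and stray text."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):  # blank, "::Report End" and similar
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate forum text mixed into the paste instead of aborting
        loc = m.group("loc")
        member = None
        # Windows paths use backslashes, so a forward slash marks archive/member nesting.
        if "/" in loc:
            loc, member = loc.rsplit("/", 1)
        idx = m.group(1)
        hits.append(Detection(loc, member, int(idx) if idx else None,
                              m.group("family"), m.group("action")))
    return hits


def triage(hits) -> dict:
    """Separate cookie noise from real malware and locate hits on the live system drive."""
    non_cookie = [h for h in hits if not h.is_cookie]
    return {
        "total": len(hits),
        "cookies": sum(h.is_cookie for h in hits),
        "by_drive": dict(Counter(h.drive for h in hits)),
        "real_malware": sorted({h.family for h in non_cookie}),
        "system_drive_hits": [h for h in hits if h.drive == SYSTEM_DRIVE],
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the full report, the same logic shows what matters for the thread: the cookie deletions are housekeeping on stale backups, and an empty `system_drive_hits` list means the scanner found nothing on C:, so the process that keeps recreating `load.html` and `GLB1A2B.exe` when IE opens still has to be found through the HijackThis entries rather than through this report.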


After Ewido and before HJT cleans:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:13 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


after safe mode cleaning and normal reboot...

Logfile of HijackThis v1.99.1
Scan saved at 12:37:18 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Utility\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
D:\Utility\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I am at a loss; I sure hope this seems more like progress to you than it does to me.

Am going to start one of the online scans and go to sleep. Thanks for all your efforts.

Suzi

0

Ewido does take a while to scan (3 hrs on my system; luckily it hasn't found anything on mine yet). It looks like a lot of what it found on your system was infected backups.

That text in your temp folder is some programming language, but since I'm not a programmer, I don't know what it is, why it's in your temp folder, or why you can't delete it, but you can try using the Killbox on it. The indexes are okay, they're supposed to be there.

Download, install, update, and run about:Buster -- http://www.majorgeeks.com/download4289.html

Download, install, and update CWShredder 2.15 -- http://www.intermute.com/products/cwshredder.html. Run it, and press Fix (not scan). Close any open windows, other than CWS, before hitting the Fix button.

Then see if C:\WINDOWS\system32\lfrt.dll still exists. If it does, right-click on it, go to Properties, and give us whatever info you can on it. Then have it scanned here:

http://virusscan.jotti.org/

A SilentRunners log may help also --

Download and run Silent Runners.vbs -- http://www.silentrunners.org/.

Post the information from the log it generates in your next reply along with a fresh HJT log and the results of the file scan.
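Since the reply asks for a fresh HJT log to compare against the earlier ones, here is a small helper script, added here as an illustration and not part of the thread, of HijackThis or of Silent Runners. It parses the O4 (Run keys) and O20 (Winlogon Notify) lines of two HijackThis logs and keys each entry on the file it launches rather than on its value name, so an entry that was merely renamed between scans but still points at the same DLL is reported as "renamed" instead of vanishing from the diff. It also lists O4 entries whose target is a bare file name with no path. The sample log excerpts are constructed for the example from the entry format used in HijackThis v1.99 logs; the function names are my own.

```python
"""Compare two HijackThis logs and show what persists across a cleaning pass."""
import re
from dataclasses import dataclass

# Constructed sample excerpts in HijackThis v1.99 format (not full logs).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rakaam.exe reg_run
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [YwwtRkf5j] ieeser.exe
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lfrt.dll
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lfrt.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str   # "O4" or "O20"
    hive: str      # "HKLM" / "HKCU" for O4, "" for O20
    name: str      # the [bracketed] Run value name or the Winlogon Notify key
    target: str    # executable or DLL the entry loads


O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')


def executable_of(command: str) -> str:
    """Return the program part of a Run command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]


def parse_hjt(text: str) -> list:
    """Extract O4 and O20 entries; other HJT sections are ignored here."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(1), m.group(2), executable_of(m.group(3))))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", "", m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before: str, after: str) -> dict:
    """Key entries on (section, hive, target) rather than on the value name,
    so a renamed entry that still loads the same file shows up as 'renamed'."""
    b = {(e.section, e.hive, e.target.lower()): e for e in parse_hjt(before)}
    a = {(e.section, e.hive, e.target.lower()): e for e in parse_hjt(after)}
    result = {"removed": [], "added": [], "persisted": [], "renamed": []}
    for key, e in b.items():
        if key not in a:
            result["removed"].append(e)
        elif a[key].name == e.name:
            result["persisted"].append(e)
        else:
            result["renamed"].append((e, a[key]))
    for key, e in a.items():
        if key not in b:
            result["added"].append(e)
    return result


def pathless_run_entries(text: str) -> list:
    """O4 entries whose target is a bare file name: Windows has to search for
    the file, so the log alone does not tell you what actually runs. This is a
    'look closer' flag, not a verdict (SOUNDMAN.EXE is a legitimate example)."""
    return [e for e in parse_hjt(text)
            if e.section == "O4" and "\\" not in e.target and "/" not in e.target]


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added", "persisted"):
        for e in d[label]:
            print(f"{label:9} {e.section} {e.hive:4} [{e.name}] {e.target}")
    for old, new in d["renamed"]:
        print(f"renamed   {old.section} [{old.name}] -> [{new.name}] {old.target}")
    for e in pathless_run_entries(LOG_AFTER):
        print(f"no path   {e.section} {e.hive:4} [{e.name}] {e.target}")
```

Run against the sample excerpts it reports the two removed Run entries, the four that persisted, the Winlogon Notify entry renamed from ThemeManager to Telephony while still loading lfrt.dll, and the two path-less Run targets left in the "after" log. Feed it the real before/after logs from a thread and you get the same view in seconds instead of eyeballing 60 lines twice.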

0

Hi....ok here's where we are now. I appreciate all your time. The reason the files were backed up like they were is that this is a new hard drive...am beginning to wonder if I should have just reformatted instead of spending a solid week on this clean. Dunno how you folks do this day after day, it's so frustrating.

Results - Trend Micro Scan:

We have detected 0 infected file(s) with 0 virus(es) on your computer:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:

We have detected 0 Trojan horse program(s) and worm(s) on your computer:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:

We have detected 0 spyware(s) on your computer:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:

We have detected 0 vulnerability/vulnerabilities on your computer.

I ran ravantivirus scan after this one, but spyware doctor decided the report was malicious and I lost it. Should I turn spyware doctor off and try again?

Ran about:Buster according to instructions. It found some things...I rebooted and reran and it was clean.

Ran CWShredder - said my system was completely clean

Results of the jotti scan on the lfrt.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = ""C:\Program Files\ATI Multimedia\main\launchpd.exe"" ["ATI Technologies Inc."]
"ATI Remote Control" = "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" ["ATI Technologies Inc."]
"PopUpStopperFreeEdition" = ""D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"" ["Panicware, Inc."]
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"Rtda" = "C:\Program Files\ruoc\eooh.exe" [null data]
"Hfdcv" = (value not set)


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ATI DeviceDetect" = "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" ["ATI Technologies Inc."]
"\\NEVERLAND\EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
"IPInSightMonitor 01" = ""C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"" ["Visual Networks"]
"2wSysTray" = "C:\Program Files\2Wire\2PortalMon.exe" ["2Wire, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TotalRecorderScheduler" = ""D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"" ["High Criteria inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"\NEVERLAND\EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
"p7Fj3qT" = "iescap.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5127C3C2-0E7E-64B4-0FBE-7932D71DB198}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\xaikvofc.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\SPYBOT~3\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\msaccrt\Access 97\soa800.dll" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Office\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{79B50402-4A4F-417D-9ED3-6153BA101BA9}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\CldLineExt03.dll" [file not found]
"{59F1C900-A729-420C-9BE2-770E814864F3}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cKbinet.dll" [file not found]
"{C51CA3D3-EDF2-4AC3-8DE6-EB0566ADCF9A}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\kvrberos.dll" [null data]
"{623CCCEE-297B-4AC0-962C-CECDDF9C205B}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ngevent.dll" [file not found]
"{5C4A2AA9-2FEB-4CC7-A5F6-06AF15B12D55}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mhexch35.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Office\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."]
INFECTION WARNING! "{93994DE8-8239-4655-B1D1-5F4E91300429}" = "DVDIdleShell Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Multimedia\DVD Region Free\DVD Region-Free\DVDShell.dll" ["Fengtao Software"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WindowsUpdate\DLLName = "C:\WINDOWS\system32\lfrt.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\ewido\security suite\context.dll" ["ewido networks"]
fygyyqgk\(Default) = "{9f3316bc-1521-4d5c-9876-3f0a341910da}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ukrkk.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\Utility\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]



Active Desktop and Wallpaper:
-----------------------------


Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\SuziQ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"



Startup items in "SuziQ" & "All Users" startup folders:
-------------------------------------------------------


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Enabled Scheduled Tasks:
------------------------


"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:
------------------------------------


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]


{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]


{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]


{F4FBA929-A891-492C-A0F6-5C79CC4F1742}\
"ButtonText" = "HiDownload"
"Exec" = "D:\UTILITY\HIDOWN~2\hidownload.exe" ["HiDownload Software"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "D:\Utility\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Utility\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 149 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 196 seconds)



The piece I bolded up there hangs up every time I try and reboot and has to be turned off by hand. The error reads
TRd ww:C:\Program Files\ruoc\eooh.exe has an error.


then there are end program now buttons and cancel buttons.


Logfile of HijackThis v1.99.1 (after running silent runners)
Scan saved at 10:19:37 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Utility\ewido\security suite\ewidoctrl.exe
D:\Utility\ewido\security suite\ewidoguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ruoc\eooh.exe
C:\WINDOWS\system32\l?ass.exe
D:\Utility\hijackthis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5127C3C2-0E7E-64B4-0FBE-7932D71DB198} - C:\WINDOWS\system32\xaikvofc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Rtda] C:\Program Files\ruoc\eooh.exe
O4 - HKCU\..\Run: [Hfdcv] C:\WINDOWS\system32\l?ass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\UTILITY\HIDOWN~2\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\UTILITY\HIDOWN~2\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\UTILITY\HIDOWN~2\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Edited by Nick Evan: Fixed formatting

0

The reason the files were backed up like they were is that this is a new hard drive...am beginning to wonder if I should have just reformatted instead of spending a solid week on this clean. Dunno how you folks do this day after day, it's so frustrating.

Formatting definitely would have been a reasonable option in this situation ;) I dunno how (or why) we do it either -- it does get quite frustrating at times.

Open NotePad (or WordPad), copy the contents of the "Code" below and paste it into NotePad:

rem Change to the System32 folder no matter where Remove.bat is run from
cd /d %SystemRoot%\System32
rem Clear the system, read-only and hidden attributes so the file can be deleted
attrib -s -r -h lfrt.dll
del lfrt.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad.

Go to Add/Remove Programs in your Control Panel and remove ruoc, if present.

Download and run the PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Reboot into Safe Mode.

Scan with Hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [Rtda] C:\Program Files\ruoc\eooh.exe
O4 - HKCU\..\Run: [Hfdcv] C:\WINDOWS\system32\l?ass.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\lfrt.dll

Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly; this is normal. (If the window does not close by itself, you can close it after a few seconds.)

Go to the following locations and delete the highlighted files and folder (if present):

C:\WINDOWS\system32\l?ass.exe
C:\WINDOWS\system32\lfrt.dll

C:\Program Files\ruoc\eooh.exe

Do a search for iescap.exe and delete any instances found.

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT, and post a new log please.

0

just in case you are still round whilst I do the other instructions...

In add/remove programs, did not find that one, but did find one I don't know.

OIN - clicked on info and it tried to take me to a webpage for Outer Info Network. Spyware Doctor blocked and warned and I clicked no. Tried to use the remove button, took me back to that website to a questionnaire page, which SWD also blocked. Cannot remove that way without dealing with the question page. Thoughts?

0

The PurityScan uninstaller should clean that up.

And I made a (minor) error in my last post, remove this folder, not just the file (if it's still there after the PurityScan) -- C:\Program Files\ruoc\eooh.exe

0

It didn't...I had to hunt down the registry folder and delete it for it to go away.

I saw the ruoc folder and deleted the whole thing.

I ran every scan I have in safe mode. I scanned explorer and registry for every keyword that we've mentioned.

I did killbox on the dll file that refuses to die. It's still there.

I found the C:\WINDOWS\system32\l?ass.exe file...task manager said it's a critical process and refused to shut it down.

Here are my logs...but honestly I think I'm done, unless you have some insight that we've not tried yet....I've spent 8 days on this and even with your thorough and expert help, I've been unable to deal with this effectively. Sometimes you just need to know when to quit, I think.

I did all this in safe mode...all scans came up clean, then I logged in regular and the first thing I got was Ewido telling me it found a file of Look2Me or something like that. This adware/spyware/malware crap ought to be illegal.

new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:13:01 AM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Utility\ewido\security suite\ewidoctrl.exe
D:\Utility\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\rundll32.exe
D:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moomessageboard.infopop.cc/eve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utility\Adobe\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [\\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Multimedia\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\NEVERLAND\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P42 "\\NEVERLAND\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\Utility\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Files by HiDownload - D:\Utility\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\Utility\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\Utility\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\lfrt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Utility\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Utility\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

0

an update. I've been online for about 3 hours now with no popups. I'm still holding my breath, but we'll see.

0

You should have a look at this thread to make sure your system is adequately protected, you seem to keep getting new nasties:
http://www.daniweb.com/techtalkforums/thread27519.html

After that, run Ewido again, it should clean up Look2Me.

Did you try the Remove.bat I posted before to get rid of that lfrt.dll file (post #12)?

Lsass.exe is a critical file, l?ass.exe is adware from PurityScan, the uninstaller should have cleaned that one up too.
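As an added example (not code from this thread, from HijackThis or from any of the tools named here), a small Python triage script that applies two checks the replies above make by hand: it diffs an earlier HijackThis log against a later one to show which entries were cleaned and which only re-registered under a new name (lfrt.dll moved from the WindowsUpdate to the RunOnce Winlogon Notify key between the two logs), and it flags filenames that differ from a core Windows binary by a single character, as l?ass.exe does from lsass.exe. The BEFORE and AFTER samples are a constructed subset of the two logs posted in this thread.

```python
import re

# Constructed sample: a subset of the 7/7 (infected) and 7/10 (after cleanup)
# HijackThis entries quoted in this thread, copied as they appear in the logs.
BEFORE = r"""
O2 - BHO: (no name) - {5127C3C2-0E7E-64B4-0FBE-7932D71DB198} - C:\WINDOWS\system32\xaikvofc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [p7Fj3qT] iescap.exe
O4 - HKCU\..\Run: [Rtda] C:\Program Files\ruoc\eooh.exe
O4 - HKCU\..\Run: [Hfdcv] C:\WINDOWS\system32\l?ass.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\lfrt.dll
"""
AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Utility\SPYBOT~3\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\lfrt.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - <body>"
FILE_RE = re.compile(r"([^\\\s\[\]]+\.(?:exe|dll))\b", re.I)  # last path component
# Core Windows binaries that adware imitates with a one-character change.
CRITICAL = ("lsass.exe", "svchost.exe", "winlogon.exe", "services.exe",
            "csrss.exe", "smss.exe", "explorer.exe", "rundll32.exe")

def parse_hjt(text):
    """Return {section: set(entry body)}; whitespace and case are normalized."""
    sections = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = " ".join(m.group(2).split()).lower()
            sections.setdefault(m.group(1), set()).add(body)
    return sections

def diff_logs(before, after):
    """Entries that vanished (cleaned) and entries that appeared (new or re-registered)."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed = {s: sorted(b[s] - a.get(s, set())) for s in b}
    added = {s: sorted(a[s] - b.get(s, set())) for s in a}
    return ({s: v for s, v in removed.items() if v}, {s: v for s, v in added.items() if v})

def lookalike_of(filename):
    """Core binary this filename imitates (same length, exactly one char differs), else None.
    HijackThis prints unprintable characters as '?', so l?ass.exe is one char from lsass.exe."""
    name = filename.lower()
    for real in CRITICAL:
        if len(name) == len(real) and sum(x != y for x, y in zip(name, real)) == 1:
            return real
    return None

def lookalike_names(text):
    """All (filename, imitated binary) pairs found in a log."""
    hits = [(n, lookalike_of(n)) for n in FILE_RE.findall(text)]
    return [(n, r) for n, r in hits if r]

if __name__ == "__main__":
    cleaned, appeared = diff_logs(BEFORE, AFTER)
    print("cleaned:", cleaned)
    print("appeared:", appeared)   # shows lfrt.dll back under a different Notify key
    print("lookalikes:", lookalike_names(BEFORE))
```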

0

Yes, I have everything enabled, the firewall on, all my updates done...I have no clue why I keep getting reinfected. I guess it's possible that I had hidden stuff that's being turned on as I try and remove it. No clue.

It's all a moot point now. After being pop up free for about 8 hours last night, my whole system just threw up. Ethernet card disabled, networking shut down, system locking up. I finally had enough. I backed up essential data, what little there was, deleted all the system backups from before, scanned my backups and then reformatted the C drive. I just couldn't face dealing with it anymore. Before I ever connected to the internet I had my spyware/virus/adware stuff running...then I immediately did the Windows updates before I ever surfed anything. I'm also buying Panda virus protection and hopefully this'll fix most things before they happen. Needless to say, I learned a lot and now know a lot more about what not to do and what to watch for than I did before.

You've been a gem and it's been a total education doing this and I so appreciate your time and energy.

Blessings,

Suzi

0

If you haven't already purchased Panda, I would recommend Nod32 instead; you can do a search for it here on DaniWeb for some discussions regarding it as well as other AV programs, or you can search the net to see how it compares to the others.

I would also like to suggest you have a look at this thread -- it may be helpful since you've just reformatted:
http://www.daniweb.com/techtalkforums/thread16365-christmas.html

Good luck to you :)
