
So I've read about 10000000 ways to get rid of Surf SideKick 3 and I swear I followed them each to a T with no luck... so in hopes of regaining my sanity, here's my HijackThis log...
Thanks for any ideas you can offer.

justin

Logfile of HijackThis v1.99.1
Scan saved at 3:20:04 AM, on 3/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\services.exe
C:\WINNT\winevent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O1 - Hosts: 216.87.210.71 search.kazaa.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g8joli1318.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe


Unlike other ones I read about, I don't have the VCClient.exe or any of that business...
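As an added example (not code from the thread, from HijackThis or from any helper here), this Python script triages the HJT entry classes that carry persistence in the log above: F2 Shell=/UserInit= additions, O1 hosts overrides, O18 MIME filters, O20 Winlogon Notify DLLs and O23 services with no publisher or a core Windows filename outside system32. The Winlogon Notify allow-list and the "system32-only" binary list are my assumptions; the sample lines are copied from the posted log.

```python
"""Triage HijackThis v1.99 log lines for the entry classes that carry
persistence. Added example, not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O1 - Hosts: 216.87.210.71 search.kazaa.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g8joli1318.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe
"""

# Assumed allow-list: the stock Windows 2000/XP Winlogon Notify DLLs plus
# NavLogon.dll, which the log itself ties to Symantec AntiVirus.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "navlogon.dll"}
# Assumed: core Windows binaries that legitimately live only under system32.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe"}
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str     # HJT entry class, e.g. "F2" or "O23"
    reason: str   # why the entry deserves a look
    line: str     # the raw log line


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_f2(body: str):
    """Shell= and UserInit= should name exactly one program each; anything
    appended after explorer.exe / userinit.exe starts at every logon."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)", body)
    if not m:
        return None
    key, value = m.groups()
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[key]
    extras = [p.strip() for p in value.split(",")
              if p.strip() and basename(p.strip()) != expected]
    return f"{key}= launches extra program(s): {', '.join(extras)}" if extras else None


def check_o1(body: str):
    # Any hosts-file override is worth reviewing; most users have none.
    return f"hosts file override: {body.partition('Hosts: ')[2]}"


def check_o18(body: str):
    # A MIME filter sees (and can rewrite) every document of that type.
    mime, _, rest = body.partition("Filter: ")[2].partition(" - ")
    return f"third-party MIME filter for {mime}: {rest.rpartition(' - ')[2]}"


def check_o20(body: str):
    name, _, path = body.partition("Winlogon Notify: ")[2].partition(" - ")
    if basename(path) not in KNOWN_NOTIFY_DLLS:
        return f"Winlogon Notify package '{name}' loads unrecognised DLL {path}"
    return None


def check_o23(body: str):
    # Layout: "Service: <display> (<short>) - <owner> - <path>"
    parts = body.partition("Service: ")[2].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    _, owner, path = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher recorded")
    if basename(path) in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
        reasons.append(f"{basename(path)} is a core Windows name but sits outside system32")
    return (f"service {path}: " + "; ".join(reasons)) if reasons else None


CHECKS = {"F2": check_f2, "O1": check_o1, "O18": check_o18,
          "O20": check_o20, "O23": check_o23}


def triage(log_text: str) -> list[Finding]:
    """Run every applicable check over the HJT entry lines of a log."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank line or process list
        check = CHECKS.get(m["kind"])
        reason = check(m["body"]) if check else None
        if reason:
            findings.append(Finding(m["kind"], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Entries the checks flag are leads for manual review (publisher, hash, file date), not verdicts; NavLogon.dll passes only because it is on the assumed allow-list.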


First place I need you to start is download the following tools for me

CCleaner
http://www.filehippo.com/download/51b30b1401c95091feb32bb89cfe8bbe/download.html

Ad-Aware SE Personal
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-2

Spybot Search and Destroy
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Ewido
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1

Spysweeper
http://www.malwareteks.com/dload.php?action=download&file_id=5

Pocket Killbox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip
-Unzip to its own folder

Now, since you have Windows XP, I want us to start in Safe Mode with Networking
-Restart your PC
-Repeatedly tap F8 before the "Loading Windows" screen appears
-Choose Safe Mode with Networking
-You will see the screen scroll down - this is normal

Now on to the cleaning...

Open up CCleaner first
-run ONLY the default scan (Windows Tab). Do NOT "Scan For Issues" unless specifically asked to do so!
-Simply open it and choose Run Cleaner

Open Ad-Aware
-Allow it to update to the latest definitions
-Run it and remove everything it finds

Open Spybot
-Allow it to update
-Run it and fix what it finds

Open Ewido
-Click Update>Start Update
-Run it and remove everything it finds
-Save the report at the end and attach it for me when you return

Now Reboot back into Normal Mode

Open Spysweeper
-Allow it to update then run a Sweep
-Let it remove everything it finds
-Please save this log for me and attach it

Now run Kaspersky Online Scanner
http://www.kaspersky.com/scanforvirus.html

Save the log and attach it for me as well.

If you cannot get these logs in one post that is fine, use as many posts as necessary.

I need the following

  • Ewido Scan Report
  • Spysweepers log
  • Kaspersky's log
  • New HijackThis log

If you run into trouble with a particular step, just skip it and move on. When you return, let me know of any problems you may have encountered.

Good Luck :)


Okay, so I ran everything and it seemed like there were still unreachable/undeletable files & registry entries, because even in Safe Mode they were loaded... anyhow, here's my Spysweeper log:


The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: C:
Also sweeping: Memory, Cookies, Registry
Adware found: clkoptimizer
Adware found: findthewebsiteyouneed hijack
Adware found: dollarrevenue
Adware found: command
Trojan Horse found: sdbot
Adware found: quicklink search toolbar
Adware found: targetsaver
Adware found: surfsidekick
Adware found: look2me
Adware found: great net downloadware
Adware found: zenosearchassistant
Full Sweep has completed. Elapsed time 00:15:05
Traces Found: 145


Next up, my Ewido log.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           3:06:48 AM, 3/29/2006
+ Report-Checksum:      5D9F546D


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[1060] C:\WINNT\system32\lseei.dll -> Adware.Look2Me : Error during cleaning
[1224] C:\WINNT\system32\lseei.dll -> Adware.Look2Me : Error during cleaning
[1564] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1568] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1108] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1596] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\315502.exe -> Trojan.Small : Cleaned with backup
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\dobe\ntvdm.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\238W0H1R\drsmartload[1].exe -> Downloader.Adload.ah : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\315502[1].exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\aohell[1].exe -> Worm.Small.d : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\izgyxwa[1].cab/slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\izgyxwa[1].cab/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\keyboard6[1].exe -> Downloader.VB.zo : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\mousepad5[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\newname6[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\ZICORN001[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\aohell[1].exe -> Worm.Small.d : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\d72[1].exe -> Downloader.Adload.af : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\drsmartload46a[1].exe -> Downloader.Adload.af : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\error[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\keyboard5[1].exe -> Downloader.VB.zl : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\mousepad6[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\newname5[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Justin Goellner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6HCZ0B3V\all_launch_reg[1].htm -> Trojan.NoClose.e : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.ah : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.af : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\windows\keyboard5.exe -> Downloader.VB.zl : Cleaned with backup
C:\windows\keyboard6.exe -> Downloader.VB.zo : Cleaned with backup
C:\windows\mousepad5.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\mousepad6.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\newname5.exe -> Downloader.Adload.ae : Cleaned with backup
C:\windows\newname6.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINNT\system32\2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\AZYCFILT.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\AрpPatch\wυauboot.exe -> Adware.PurityScan : Cleaned with backup
C:\WINNT\system32\bbfqt.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\system32\cerpol.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINNT\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINNT\system32\mwinnag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\myl_qic.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\paytime.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINNT\system32\pre1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINNT\system32\vmdex.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\WINNT\system32\winspy.exe -> Downloader.Small.ckq : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__ckpnypj.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINNT\winevent.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\xdos.exe -> Downloader.Adload.af : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup



::Report End

Also, Kaspersky isn't loading, so I can't show you that log....

I guess I'm okay then? It's hard for me to tell.

How do you get this crap, and how do you avoid it properly? I run Spybot S&D, Ad-Aware and ProtoWall already, and if I had all of these problems with them running.... I mean, is there something better I could be doing?

Thanks. Let me know if you think I'm cleaned up.

Justin



Oops, and finally my new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 4:01:21 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\services.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)


Also, ewido keeps finding

c:\winnt\__delete_on_reboot__services.exe
every time I scan... it's the only thing left?


It doesn't appear you let Spy Sweeper remove what it found. It would say Quarantining if you did. Did you get the option, or have you already used the trial of it before? If you did not let it remove, please re-run it.

First, disable Spybot's TeaTimer. You should be able to right-click it in the System Tray and choose Exit.

Go to Start > Run, type Services.msc and press Enter.
-Locate the following two services, one at a time:

Windows Event
Microsoft Windows Update Service

-Right-click and choose Stop if it's not greyed out
-Next, choose Properties
-Change Startup Type to Disabled

Now open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy the following two, one at a time, into the box and delete them:

Windows Event
Microsoft Windows Update Service

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You will receive a Done Scanning message, click OK.
--When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shut down your computer, click OK.
--Your computer will then shutdown.
--Turn your computer back on.
--Please post the contents of C:\Look2Me-Destroyer.txt when you return

Now scan with HijackThis and place a check next to the following

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)

Now, with all browsers closed, choose Fix Checked.

Now reboot to Safe Mode and delete the following

C:\WINNT\system32\mmhqi.exe
C:\WINNT\system32\winusmx.exe

The F2 lines may come back; if they do, there is another way to get them...

Reboot back to Normal Mode and attach the following logs:

Look2Me Destroyer
New HijackThis
Spysweeper (after removal)

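As an added example (not from the thread and not a HijackThis feature), here is a small Python script that mechanises the triage the post above walks through by hand: it reads HijackThis 1.99.x log lines and flags the logon hijacks called out above, namely extra programs on the Shell= and UserInit= lines, an orphaned O20 Winlogon Notify DLL, O23 services with no vendor or a missing binary, and a core system file name such as services.exe running from outside system32. The sample lines are copied from the log posted above; the CORE_SYSTEM_BINARIES and BASELINE_NOTIFY_DLLS sets are assumptions for a stock Windows 2000 SP4 machine and should be tuned for the box being examined.

```python
"""Triage a HijackThis 1.99.x log for the logon-hijack patterns discussed in this thread.

Added example, not part of the thread and not a HijackThis feature. SAMPLE_LOG is a
subset of the log posted above; the two allowlists are assumptions for a stock
Windows 2000 SP4 machine.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\services.exe
C:\WINNT\winevent.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)
"""

# Core logon binaries that only live in %SystemRoot%\system32; the same name anywhere
# else (C:\WINNT\services.exe above) is squatting on a trusted process name.
CORE_SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "userinit.exe"}
# Winlogon Notify DLLs that ship with Windows 2000 SP4 (assumed baseline).
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")


@dataclass
class Finding:
    severity: str  # "high": fix it; "review": confirm the vendor before touching it
    line: str
    reason: str


def _clean_path(raw: str) -> str:
    """Strip HijackThis' '(file missing)' / '(no file)' annotation from a path."""
    return STATUS_RE.sub("", raw).strip()


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower().endswith("\\system32")


def _check_process(line: str) -> List[Finding]:
    if not re.match(r"^[A-Za-z]:\\", line):
        return []
    if ntpath.basename(line).lower() in CORE_SYSTEM_BINARIES and not _in_system32(line):
        return [Finding("high", line, "core system binary name running from outside system32")]
    return []


def _check_f2(line: str) -> List[Finding]:
    m = re.match(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if not m:
        return []
    key, value = m.groups()
    entries = [p.strip() for p in value.split(",") if p.strip()]
    if key == "Shell":
        extras = [p for p in entries if p.lower() != "explorer.exe"]
    else:
        extras = [p for p in entries
                  if not (ntpath.basename(p).lower() == "userinit.exe" and _in_system32(p))]
    if not extras:
        return []
    # A bare name such as winusmx.exe is resolved via the normal search path, so it still
    # runs at every logon even though no directory is shown for it.
    return [Finding("high", line, f"{key}= launches extra program(s) at logon: {', '.join(extras)}")]


def _check_o20(line: str) -> List[Finding]:
    m = re.match(r"^O20 - Winlogon Notify: (.+?) - (.+)$", line)
    if not m:
        return []
    name, raw = m.groups()
    if "(file missing)" in raw:
        return [Finding("high", line, f"Notify subkey '{name}' points at a missing DLL; delete the subkey")]
    if ntpath.basename(_clean_path(raw)).lower() not in BASELINE_NOTIFY_DLLS:
        return [Finding("review", line, f"Notify subkey '{name}' loads a non-Windows DLL; confirm its vendor")]
    return []


def _check_o23(line: str) -> List[Finding]:
    m = re.match(r"^O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if not m:
        return []
    _display, owner, raw = m.groups()
    path = _clean_path(raw)
    reasons = []
    if owner == "Unknown owner":
        reasons.append("service binary carries no vendor information")
    if "(file missing)" in raw:
        reasons.append("service binary is missing (orphaned service entry)")
    if ntpath.basename(path).lower() in CORE_SYSTEM_BINARIES and not _in_system32(path):
        reasons.append("service binary squats on a core system file name outside system32")
    return [Finding("high", line, "; ".join(reasons))] if reasons else []


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-blank line and collect the findings."""
    findings: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line:
            for check in (_check_process, _check_f2, _check_o20, _check_o23):
                findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n          -> {f.reason}")
```

Run it as-is to see the report for the embedded sample, or feed the text of a saved HijackThis log to triage(). Entries rated high correspond to the lines the post above says to fix; the one review entry (Symantec's NavLogon.dll) is a third-party Winlogon Notify package that should be confirmed against the installed product rather than removed on sight.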

"It doesnt appear you let Spysweeper remove what it found? It would say Quarantining if you did. Did you get the option, or have you already used the trial of it before? If you did not let it remove, please re-run it."


Yeah, maybe I didn't post the right log (I just cut and pasted what it said in the window as it was scanning), but there were like 10 things quarantined.


"Now reboot to Safe Mode and delete the following"

Those files were already gone by the time I went back to delete them...

Here's my new HijackThis. I'm a total jackass and deleted the Look2Me-Destroyer log by accident (I saw the .txt file and figured it was a 'readme' kind of thing, not thinking 'oh, that's the log'), so I can't post that...

Here's the HJT, and I'll post the Spy Sweeper one when I get done running it...

Thanks for helping. I feel pretty dumb. I also now have 3 Quick Launches on my toolbar?? Who knows...

Justin

Logfile of HijackThis v1.99.1
Scan saved at 2:51:25 AM, on 3/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Your last log looks good. You can uninstall Spy Sweeper now if you are not going to purchase it, provided you are sure you quarantined what was found.

As for the Quick Launch.... unusual. Can you delete two of them?


If I delete anything from it, it gets deleted from all three... Really, it's so strange, and it only started happening when I started messing around with the virus stuff.... Maybe I went too crazy on my registry key?

Also, last but not least, one thing keeps being found...


C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\sane[1].exe -> Backdoor.SdBot.xd : Cleaned with backup


Everything says it's cleaning it, but it's always there... Should I bother? Should I reboot in Safe Mode and manually delete it?

And if I were to purchase one of these fine programs that saved my poor computer, would it be ewido or Spy Sweeper?


Have you actually messed with your registry keys? Can you get me a screenshot of this?

For that file - just do as you said and reboot to Safe Mode and delete it.

Ewido and SS are both solid, so the vote would go either way if you asked 100 different people. I am an SS kind of guy myself :)


Let's do this also; it seems Look2Me can cause this... which SS said it removed, and you said you ran Look2Me-Destroyer... but let's try one more tool.

Download L2MFix Tool

Next, double-click l2mfix.bat and type 2 and ENTER to select option #2, Run Fix. Then press any key to reboot your machine.

Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.


I will totally add the screenshot.. Get this, though: I just did Kaspersky and it's bad!!

Here it is:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 30, 2006 2:46:45 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 30/03/2006
Kaspersky Anti-Virus database records: 173905
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 50185
Number of viruses found: 12
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 00:33:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480002.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240000.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240001.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240002.VBN Infected: Backdoor.Win32.IRCBot.es skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240003.VBN Infected: Backdoor.Win32.IRCBot.ex skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240004.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240005.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04300000.VBN Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04300004.VBN Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04300005.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04300006.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A40000.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A40001.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04F00000.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0000.VBN Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0002.VBN Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05280000.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05640000.VBN Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06000000.VBN Infected: IM-Worm.Win32.Opanki.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06000001.VBN Infected: IM-Worm.Win32.Opanki.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\18740000.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\18740002.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\18740004.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\18740006.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\18740008.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1874000A.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1874000C.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1874000E.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe NSIS: infected - 2 skipped
C:\WINNT\system32\FT_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\WINNT\system32\FT_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\WINNT\system32\FT_SilentSudokuInstaller.exe NSIS: infected - 2 skipped
C:\WINNT\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.

So, I mean, 80% of that is quarantined by Symantec, but what good is that?


Here's the L2MFix log:

L2mfix 032106
Creating Account.
The command completed successfully.



Adding Administrative privleges.
The command completed successfully.


Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX   ... successful


Running From:
C:\WINNT\system32


Killing Processes!


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 148 'smss.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 172 'winlogon.exe'
Killing PID 172 'winlogon.exe'
Error 0x5 : Access is denied.



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1008 'explorer.exe'
Killing PID 1008 'explorer.exe'
Error 0x5 : Access is denied.



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators   ... successful


Scanning First Pass. Please Wait!


First Pass Completed


Second Pass Scanning


Second pass Completed!


Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000



The following are the files found:
****************************************************************************


Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{C6590895-AC9F-404A-8F9E-20496A652F44}]
@=""
"IDEx"="ADDR"


[HKEY_CLASSES_ROOT\CLSID\{C6590895-AC9F-404A-8F9E-20496A652F44}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{C6590895-AC9F-404A-8F9E-20496A652F44}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{C6590895-AC9F-404A-8F9E-20496A652F44}\InprocServer32]
@="C:\\WINNT\\system32\\ipfgnt5.dll"
"ThreadingModel"="Apartment"


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C6590895-AC9F-404A-8F9E-20496A652F44}"=-
"{A6506D48-C1B2-44D6-8C7E-A1DF38D5517A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C6590895-AC9F-404A-8F9E-20496A652F44}]
[-HKEY_CLASSES_ROOT\CLSID\{A6506D48-C1B2-44D6-8C7E-A1DF38D5517A}]
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*


zip error: Nothing to do! (backup.zip)
adding: backregs/C6590895-AC9F-404A-8F9E-20496A652F44.reg (164 bytes security) (deflated 69%)
adding: backregs/notibac.reg (152 bytes security) (deflated 86%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)


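The Winlogon Notify export in the L2MFix log above is the raw material behind the O20 lines HijackThis shows, and regedit writes some DllName values as hex(2) (REG_EXPAND_SZ: UTF-16LE bytes, wrapped across lines with a trailing backslash), so they are not readable as posted. As an added example, not from the thread or from L2MFix, the Python below parses a regedit 5.00 export, decodes those values and lists which Notify subkeys load a DLL outside a stock Windows 2000 set. The sample export is trimmed from the log above; BASELINE_NOTIFY_DLLS is an assumption, and third-party security products such as NavLogon.dll and WRLogonNTF.dll legitimately fall outside it, which is why they are reported for review rather than treated as malicious.

```python
"""Parse a regedit 5.00 export of the Winlogon\\Notify key (as dumped by L2MFix above),
decode hex(2) DllName values and list notification DLLs outside the Windows 2000 baseline.

Added example; not from the thread or from L2MFix. SAMPLE_REG is trimmed from the
export above and BASELINE_NOTIFY_DLLS is an assumed known-good set.
"""
import ntpath
import re
from typing import Dict, Optional

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Notification packages shipped with Windows 2000 SP4 (assumed baseline).
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$", re.IGNORECASE)


def _decode_value(data: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # quoted string with \\ and \" escapes
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        raw = bytes.fromhex("".join(p.strip() for p in m.group(2).split(",") if p.strip()))
        if kind in (1, 2, 7):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}} for a regedit 5.00 export."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):  # regedit wraps long hex data with a trailing backslash
            buf = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode_value(m.group(2))
    return keys


def notify_dlls(keys: Dict[str, Dict[str, object]]) -> Dict[str, Optional[str]]:
    """Map each Notify subkey to its DllName (exports spell it DllName or DLLName)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out: Dict[str, Optional[str]] = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
            out[key[len(prefix):]] = dll if isinstance(dll, str) else None
    return out


def non_baseline(keys: Dict[str, Dict[str, object]]) -> Dict[str, Optional[str]]:
    """Subkeys whose DLL is absent or is not a stock Windows 2000 notification package."""
    return {sub: dll for sub, dll in notify_dlls(keys).items()
            if dll is None or ntpath.basename(dll).lower() not in BASELINE_NOTIFY_DLLS}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for sub, dll in notify_dlls(parsed).items():
        print(f"{sub:14} -> {dll}")
    print("outside baseline (confirm vendor):", non_baseline(parsed))
```

Point parse_reg() at a full export of the Notify key and anything non_baseline() returns that is not a product you installed (here NavLogon is Symantec AntiVirus and WRNotifier is Spy Sweeper) is a candidate for the O20 fix described earlier in the thread; a subkey whose DllName decodes to a random-looking name in system32 is the Look2Me pattern.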

The Quick Launch has got me baffled, friend.

For the Kaspersky results, I would just delete everything out of Symantec's Quarantine and then delete the remaining files in Safe Mode.

C:\Veracruz.exe/data0002/data0006
C:\Veracruz.exe/data0002
C:\Veracruz.exe NSIS
C:\WINNT\system32\FT_SilentSudokuInstaller.exe/data0002/data0006
C:\WINNT\system32\FT_SilentSudokuInstaller.exe/data0002
C:\WINNT\system32\FT_SilentSudokuInstaller.exe
C:\WINNT\system32\i

If you can, you may be able to cut corners by simply deleting the whole .exe:

C:\Veracruz.exe
C:\WINNT\system32\FT_SilentSudokuInstaller.exe
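As an added example (not part of the thread or of the Kaspersky scanner), the Python below turns a Kaspersky On-line Scanner report into the two lists the post above describes: objects that are already .VBN files inside Symantec's Quarantine store, and live files that still need to be deleted in Safe Mode. It also collapses archive-member paths such as C:\Veracruz.exe/data0002/data0006 onto their container, which is the only thing that exists on disk and the reason deleting the whole .exe is enough. The sample lines are trimmed from the report posted above; the quarantine folder name used to classify them is an assumption.

```python
"""Reduce a Kaspersky On-line Scanner report to the files that still need action on disk.

Added example; not part of the thread and not a Kaspersky feature. SAMPLE_REPORT is
trimmed from the report above; QUARANTINE_DIRS is an assumption about where another
product keeps its already-neutralised copies.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Infected: IM-Worm.Win32.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04240000.VBN Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN NSIS: infected - 1 skipped
C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe NSIS: infected - 2 skipped
C:\WINNT\system32\FT_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\WINNT\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.
"""

# One hit line is either "<object> Infected: <name> <action>" or
# "<object> <packer>: infected - <n> <action>" (a container summary line).
HIT_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?:Infected:\s+(?P<name>\S+)|(?P<packer>\w+): infected - \d+)\s+(?P<action>\w+)$"
)
# Folders where another product keeps its own, already neutralised copies (assumption).
QUARANTINE_DIRS = ("\\quarantine\\",)


def parse_hits(report: str) -> List[Tuple[str, str, str]]:
    """Return (container_path, detection, action) for every hit line in the report."""
    hits: List[Tuple[str, str, str]] = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        # Kaspersky separates archive members with '/', while Windows paths use '\',
        # so everything before the first '/' is the file that actually exists on disk.
        container = m.group("obj").split("/")[0]
        detection = m.group("name") or f"{m.group('packer')} container"
        hits.append((container, detection, m.group("action")))
    return hits


def split_by_location(hits: List[Tuple[str, str, str]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Group detections per container; returns (live_files, quarantined_files)."""
    live: Dict[str, Set[str]] = defaultdict(set)
    quarantined: Dict[str, Set[str]] = defaultdict(set)
    for container, detection, _action in hits:
        bucket = quarantined if any(q in container.lower() for q in QUARANTINE_DIRS) else live
        bucket[container].add(detection)
    return dict(live), dict(quarantined)


if __name__ == "__main__":
    live_files, quarantined_files = split_by_location(parse_hits(SAMPLE_REPORT))
    print(f"{len(quarantined_files)} object(s) already sit in another scanner's quarantine store")
    print("delete in Safe Mode:")
    for path, names in sorted(live_files.items()):
        print(f"  {path}  [{', '.join(sorted(names))}]")
```

The "skipped" action on every line is the on-line scanner reporting only, which is why the quarantined .VBN files show up again on each run until Symantec's quarantine is emptied; the live list is the set of paths to remove in Safe Mode.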
