TheTechGuide Forum
General Category => Tech Clinic => Topic started by: FriscoMikey on November 07, 2005, 09:46:29 PM
-
I have Firefox set as my default browser. Recently it began opening up randomly. All windows that pop up have the checker flag symbol next to the site in the address bar, if that helps at all. I have run Ad-aware, SpyBot, a^2, pcpitstop.com...nothing seems to work. Scans showed CWS and CoolWWWSearch registry entries, which I have removed, and they have not come back yet. Browser still randomly opens, though.
Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:38:04 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Michael Auskings\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\enlql1351.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thanks in advance for your help!
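The log above is the kind of thing a helper reads by eye, entry class by entry class. As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage pass over the HijackThis entry lines that pulls out the classes a reviewer looks at first: O1 hosts-file overrides, O20 Winlogon Notify DLLs that are not on a known-good list, and O23 services with no publisher string. The allowlist of Winlogon Notify DLLs and the "random-looking filename" heuristic are assumptions made for the example, and a hit means "review this entry", not a verdict; the sample log is constructed from lines of the post above.

```python
"""Triage pass over HijackThis v1.99-style log lines.

Added example for this thread, not code from HijackThis or the forum.
It does not decide what is malicious; it lists entries a reviewer should
look at first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis entry lines look like "O20 - Winlogon Notify: <name> - <path>".
# Process-list and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<tag>[RFNO]\d+)\s+-\s+(?P<body>.*)$")

# Assumed allowlist of Winlogon Notify DLL names for this example only
# (NavLogon.dll is the Symantec one seen in the log; the others are
# common Windows components). A real reviewer would check vendor data.
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "wlnotify.dll", "scecli.dll"}

# Heuristic (assumption): a few lowercase letters followed by a run of
# digits, e.g. "abcde1234.dll", is a naming pattern worth a closer look.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}\d{3,6}\.dll$", re.I)


@dataclass
class Finding:
    tag: str      # HijackThis entry class, e.g. "O20"
    reason: str   # why the entry was flagged
    line: str     # the original log line


def parse_entries(log: str):
    """Yield (tag, body, raw_line) for every HijackThis entry line."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("tag"), m.group("body"), raw.strip()


def triage(log: str) -> list[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for tag, body, raw in parse_entries(log):
        if tag == "O1":
            # Any hosts-file entry HijackThis reports overrides DNS for that name.
            findings.append(Finding(tag, "hosts file override", raw))
        elif tag == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs are loaded by winlogon.exe at logon, so an
            # unrecognised one deserves attention.
            path = body.rsplit(" - ", 1)[-1]
            name = path.rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_NOTIFY_DLLS:
                reason = "Winlogon Notify DLL not on allowlist"
                if RANDOM_NAME_RE.match(name):
                    reason += " (random-looking name)"
                findings.append(Finding(tag, reason, raw))
        elif tag == "O23" and " - Unknown owner - " in body:
            # A service with no publisher string is not proof of anything,
            # but it is the first one to identify.
            findings.append(Finding(tag, "service with unknown owner", raw))
    return findings


# Constructed sample: a handful of lines copied from the log in the post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O1 - Hosts: here.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\enlql1351.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.reason}: {f.line}")
```

Run against the sample it reports three entries: the O1 hosts line, the O20 entry for enlql1351.dll (not on the allowlist and matching the name heuristic), and the ACS service with no owner; the NavLogon.dll and Symantec lines pass. Extending the allowlist or the heuristic changes what is surfaced, never what the log says.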
-
I am certainly not an expert at all this but I will tell you what has worked for me.
Download Ewido Suite at http://www.ewido.net/en/download/ and install it. After installing, be sure to click the update button.
It looks like you have Ad-Aware already.
Reboot your computer in safe mode by pressing the F8 key after your computer beeps when first starting to boot. After you have successfully rebooted in safe mode run Ewido and do a complete scan. Don't forget to save a log file.
Then reboot and update and run Ad-aware and save log file.
After all this, which will take some time, post a HijackThis log back for the AWESOME MODS to take a look at.
Hope this helps in some way.
-
I'll give it a shot. Thanks.
-
After you post the Ewido report, can you download L2mfix from here:
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
-
Okay, guys...here are the results of the ewido, ad-aware, and l2mfix scans...looks like ewido found a bunch of trojans, but the browser is still opening randomly...
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:24:12 PM, 11/7/2005
+ Report-Checksum: 716E7274
+ Scan result:
HKU\S-1-5-21-3306207928-2317988759-2504321181-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
[656] C:\WINDOWS\system32\iyetpp.dll -> Spyware.Look2Me : Error during cleaning
[788] C:\WINDOWS\system32\iyetpp.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.6:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.252:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Temporary Internet Files\Content.IE5\D0S1HLF4\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Temporary Internet Files\Content.IE5\LRCXR26Y\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\6TDARYX4\installer[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\7QKVRLGH\ysb_prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\FLFVOWPI\contextplus[1].exe -> Trojan.Crypt.t : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\OJHZYMND\mte3ndi6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\OJHZYMND\sp2update00[1].exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\XGZI12LM\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\XGZI12LM\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\system32\acifil32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lv8o09l3e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mmls2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wdsdmoe.dll -> Spyware.Look2Me : Cleaned with backup
::Report End
==================================
Lavasoft Ad-Aware Professional Build 1.03
Logfile created on:Monday, November 07, 2005 11:28:58 PM
Using definitions file:SE1R73 03.11.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):11 total references
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects
11-7-2005 11:28:58 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\Michael Auskings\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 488
ThreadCreationTime : 11-8-2005 5:28:08 AM
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 568
ThreadCreationTime : 11-8-2005 5:28:11 AM
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 612
ThreadCreationTime : 11-8-2005 5:28:12 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 624
ThreadCreationTime : 11-8-2005 5:28:12 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 772
ThreadCreationTime : 11-8-2005 5:28:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 872
ThreadCreationTime : 11-8-2005 5:28:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [acs.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 11-8-2005 5:28:15 AM
BasePriority : Normal
#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1392
ThreadCreationTime : 11-8-2005 5:28:18 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:9 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1492
ThreadCreationTime : 11-8-2005 5:28:18 AM
BasePriority : Normal
FileVersion : 2.2.0.577
ProductVersion : 2.2.0.577
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe
#:10 [ctsvccda.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1512
ThreadCreationTime : 11-8-2005 5:28:19 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE
#:11 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1528
ThreadCreationTime : 11-8-2005 5:28:19 AM
BasePriority : Normal
FileVersion : 9.0.0.338
ProductVersion : 9.0.0.338
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe
#:12 [dvdramsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1552
ThreadCreationTime : 11-8-2005 5:28:19 AM
BasePriority : Normal
FileVersion : 2, 0, 5, 0
ProductVersion : 2, 0, 5, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : Service of RAMAsst for Windows XP
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002
OriginalFilename : DVDRAMSV.EXE
#:13 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1584
ThreadCreationTime : 11-8-2005 5:28:19 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
#:14 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1612
ThreadCreationTime : 11-8-2005 5:28:19 AM
BasePriority : Normal
FileVersion : 6.13.10.3240
ProductVersion : 6.13.10.3240
ProductName : NVIDIA Driver Helper Service, Version 32.40
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 32.40
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:15 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1708
ThreadCreationTime : 11-8-2005 5:28:20 AM
BasePriority : Normal
FileVersion : 9.0.0.338
ProductVersion : 9.0.0.338
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.
#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1876
ThreadCreationTime : 11-8-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:17 [mspmspsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1976
ThreadCreationTime : 11-8-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE
#:18 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1996
ThreadCreationTime : 11-8-2005 5:28:21 AM
BasePriority : Normal
FileVersion : 2.2.0.577
ProductVersion : 2.2.0.577
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe
#:19 [ezsp_px.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1320
ThreadCreationTime : 11-8-2005 5:28:32 AM
BasePriority : Normal
#:20 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1524
ThreadCreationTime : 11-8-2005 5:28:34 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:21 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1096
ThreadCreationTime : 11-8-2005 5:28:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:22 [aim.exe]
FilePath : C:\PROGRA~1\AIM\
ProcessID : 1740
ThreadCreationTime : 11-8-2005 5:28:35 AM
BasePriority : Normal
FileVersion : 5.9.3861
ProductVersion : 5.9.3861
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2005 America Online, Inc.
OriginalFilename : AIM.EXE
#:23 [nmbgmonitor.exe]
FilePath : C:\Program Files\Common Files\Ahead\lib\
ProcessID : 1752
ThreadCreationTime : 11-8-2005 5:28:36 AM
BasePriority : Normal
#:24 [ramasst.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2076
ThreadCreationTime : 11-8-2005 5:28:38 AM
BasePriority : Normal
FileVersion : 1, 0, 8, 0
ProductVersion : 1, 0, 8, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002
OriginalFilename : RAMASST.EXE
#:25 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 2572
ThreadCreationTime : 11-8-2005 5:28:42 AM
BasePriority : Normal
FileVersion : 6.2.0.161
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : michael auskings@trafficmp[2].txt
Category : Data Miner
Comment : Cookie:michael [email protected]/
Value : Cookie:michael [email protected]/
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : michael auskings@findwhat[1].txt
Category : Data Miner
Comment : Cookie:michael [email protected]/
Value : Cookie:michael [email protected]/
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : michael auskings@abcsearch[1].txt
Category : Data Miner
Comment : Cookie:michael [email protected]/
Value : Cookie:michael [email protected]/
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : michael auskings@questionmarket[1].txt
Category : Data Miner
Comment : Cookie:michael [email protected]/
Value : Cookie:michael [email protected]/
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 15
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : michael auskings@abcsearch[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@abcsearch[1].txt
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
46 entries scanned.
New critical objects:0
Objects found so far: 16
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16
11:41:17 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:19.110
Objects scanned:125950
Objects identified:5
Objects ignored:0
New critical objects:5
========================
L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\d8j02i1mg8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F0327992-AC38-78CF-EAD3-8E962E07E3A6}"=""
********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CC
-
Oops...forgot to post the new HijackThis file...
Logfile of HijackThis v1.99.1
Scan saved at 12:09:30 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Auskings\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\d8j02i1mg8.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-
Can you do the following please
Download the trial version of Spy Sweeper from HERE (http://www.webroot.com/consumer/downloads/)
Click on the Free trial link
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
Please print the rest of these instructions or copy and paste them to notepad for reference
Make sure you are disconnected from the internet.
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
When prompted, allow Spy Sweeper to restart your computer
Back in Windows
Stay disconnected from the Net
Close any open programs running in the background, this step requires another reboot
Run L2MFix again with these instructions
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here
If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.
Additionally,
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.
-
Results from Spy Sweeper, l2mfix Step 2, and HijackThis
Spy Sweeper:
********
1:08 AM: | Start of Session, Tuesday, November 08, 2005 |
1:08 AM: Spy Sweeper started
1:08 AM: Sweep initiated using definitions version 569
1:08 AM: Starting Memory Sweep
1:09 AM: Found Adware: icannnews
1:09 AM: Detected running threat: C:\WINDOWS\system32\d8j02i1mg8.dll (ID = 83)
1:10 AM: Detected running threat: C:\WINDOWS\system32\itpromon.dll (ID = 83)
1:10 AM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
1:10 AM: Memory Sweep Complete, Elapsed Time: 00:01:50
1:10 AM: Starting Registry Sweep
1:10 AM: Found Adware: targetsaver
1:10 AM: HKU\S-1-5-21-3306207928-2317988759-2504321181-1005\software\tsl2\ (1 subtraces) (ID = 143616)
1:10 AM: Registry Sweep Complete, Elapsed Time:00:00:15
1:10 AM: Starting Cookie Sweep
1:10 AM: Found Spy Cookie: websponsors cookie
1:10 AM: michael [email protected][2].txt (ID = 3665)
1:10 AM: Found Spy Cookie: adecn cookie
1:10 AM: michael auskings@adecn[2].txt (ID = 2063)
1:10 AM: Found Spy Cookie: ask cookie
1:10 AM: michael auskings@ask[1].txt (ID = 2245)
1:10 AM: Found Spy Cookie: atwola cookie
1:10 AM: michael auskings@atwola[1].txt (ID = 2255)
1:10 AM: Found Spy Cookie: belnk cookie
1:10 AM: michael auskings@belnk[1].txt (ID = 2292)
1:10 AM: michael [email protected][2].txt (ID = 2293)
1:10 AM: Found Spy Cookie: howstuffworks cookie
1:10 AM: michael auskings@howstuffworks[1].txt (ID = 2805)
1:10 AM: Found Spy Cookie: partypoker cookie
1:10 AM: michael auskings@partypoker[2].txt (ID = 3111)
1:10 AM: Found Spy Cookie: servlet cookie
1:10 AM: michael auskings@servlet[2].txt (ID = 3345)
1:10 AM: Found Spy Cookie: reliablestats cookie
1:10 AM: michael [email protected][2].txt (ID = 3254)
1:10 AM: Found Spy Cookie: yadro cookie
1:10 AM: michael auskings@yadro[1].txt (ID = 3743)
1:10 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:10 AM: Starting File Sweep
1:12 AM: 113_dollarrevenue_4_0_3_9[1].exe (ID = 166444)
1:12 AM: tsupdate[1].ini (ID = 112322)
1:13 AM: glf7glf7.exe (ID = 78276)
1:18 AM: Found System Monitor: potentially rootkit-masked files
1:18 AM: bricpiec.sys (ID = 0)
1:18 AM: dpltofmt.exe (ID = 0)
1:19 AM: File Sweep Complete, Elapsed Time: 00:08:24
1:19 AM: Full Sweep has completed. Elapsed time 00:10:33
1:19 AM: Traces Found: 21
1:20 AM: Removal process initiated
1:20 AM: Quarantining All Traces: icannnews
1:20 AM: icannnews is in use. It will be removed on reboot.
1:20 AM: C:\WINDOWS\system32\d8j02i1mg8.dll is in use. It will be removed on reboot.
1:20 AM: C:\WINDOWS\system32\itpromon.dll is in use. It will be removed on reboot.
1:20 AM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
1:20 AM: Quarantining All Traces: potentially rootkit-masked files
1:20 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:20 AM: bricpiec.sys is in use. It will be removed on reboot.
1:20 AM: dpltofmt.exe is in use. It will be removed on reboot.
1:20 AM: Quarantining All Traces: targetsaver
1:20 AM: Quarantining All Traces: adecn cookie
1:20 AM: Quarantining All Traces: ask cookie
1:20 AM: Quarantining All Traces: atwola cookie
1:20 AM: Quarantining All Traces: belnk cookie
1:20 AM: Quarantining All Traces: howstuffworks cookie
1:20 AM: Quarantining All Traces: partypoker cookie
1:20 AM: Quarantining All Traces: reliablestats cookie
1:20 AM: Quarantining All Traces: servlet cookie
1:20 AM: Quarantining All Traces: websponsors cookie
1:20 AM: Quarantining All Traces: yadro cookie
1:20 AM: Removal process completed. Elapsed time 00:00:45
********
1:06 AM: | Start of Session, Tuesday, November 08, 2005 |
1:06 AM: Spy Sweeper started
1:07 AM: Your spyware definitions have been updated.
1:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:08 AM: | End of Session, Tuesday, November 08, 2005 |
=================================================
l2mfix Step 2:
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1316 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1672 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\d80m0id1e80.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iyetpp.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\d80m0id1e80.dll
Successfully Deleted: C:\WINDOWS\system32\d80m0id1e80.dll
deleting: C:\WINDOWS\system32\iyetpp.dll
Successfully Deleted: C:\WINDOWS\system32\iyetpp.dll
Zipping up files for submission:
adding: d80m0id1e80.dll (188 bytes security) (deflated 4%)
adding: iyetpp.dll (188 bytes security) (deflated 4%)
adding: clear.reg (188 bytes security) (deflated 37%)
adding: lo2.txt (188 bytes security) (deflated 61%)
adding: test.txt (188 bytes security) (deflated 34%)
adding: test2.txt (188 bytes security) (deflated 17%)
adding: test3.txt (188 bytes security) (deflated 17%)
adding: test5.txt (188 bytes security) (deflated 17%)
adding: xfind.txt (188 bytes security) (deflated 28%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
deleting local copy: d80m0id1e80.dll
deleting local copy: iyetpp.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\d80m0id1e80.dll
C:\WINDOWS\system32\iyetpp.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{231D3B03-BF29-4BEB-8D67-A21C588C7163}"=-
"{16BDB3C4-8D9A-4E3B-B823-69065CD113C2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{231D3B03-BF29-4BEB-8D67-A21C588C7163}]
[-HKEY_CLASSES_ROOT\CLSID\{16BDB3C4-8D9A-4E3B-B823-69065CD113C2}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
=================================================
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:32:04 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thanks.
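The Winlogon\Notify export in the L2MFix log above is the part of this cleanup worth understanding, and it is also why the helper's instructions earlier have you run L2MFix a second time. Look2Me registers its randomly named system32 DLL (the d8j02i1mg8.dll that HijackThis showed as "O20 - Winlogon Notify: RunOnce") as a Winlogon notification package, so winlogon.exe loads it as SYSTEM at every logon, before any user-mode scanner starts; that is also why L2MFix, as the log shows, resets the key's ACL and re-grants SeDebugPrivilege to Administrators as part of the fix. The Python script below is an added example, not part of the thread and not L2MFix's own code: it parses a REGEDIT 5.00 export of the Notify key (including the hex(2) REG_EXPAND_SZ encoding seen above), compares each package against the XP SP2 baseline visible in the cleaned export, and flags anything else. The sample export is constructed from entries on this page plus the RunOnce package from the earlier HijackThis log; the baseline table, the third-party allowlist and the "random-looking name" heuristic are assumptions for the example.

```python
"""Triage a REGEDIT 5.00 export of HKLM\\...\\Winlogon\\Notify for rogue
notification packages (added example; not from the thread or L2MFix)."""
import re

# XP SP2 packages and the DLL each should load (assumed baseline, taken
# from the cleaned export posted in the thread). Keys are lower-cased.
XP_SP2_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll", "wzcnotif": "wzcdlg.dll",
}
# Third-party packages seen in this thread (Symantec, Webroot); assumed benign
# but still reported so the vendor can be confirmed.
KNOWN_THIRD_PARTY = {"navlogon": "navlogon.dll", "wrnotifier": "wrlogonntf.dll"}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Rough heuristic: letters and digits mixed in a stem of 6+ chars, as in
# d8j02i1mg8 / d80m0id1e80. Noisy on its own; only applied to unknown packages.
LOOKS_RANDOM = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")


def _join_continuations(text):
    """Fold regedit's trailing-backslash line continuations into one line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode(data):
    """Decode one .reg value: "string", dword:xxxxxxxx or hex(2) UTF-16LE."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_notify_export(text):
    """Return {package_name: {value_name_lower: value}} for Notify\\* subkeys."""
    packages, current = {}, None
    marker = "\\winlogon\\notify\\"
    for line in _join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            path = m.group("path")
            idx = path.lower().find(marker)
            current = path[idx + len(marker):] if idx >= 0 else None
            if current is not None:
                packages[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            packages[current][m.group("name").lower()] = _decode(m.group("data"))
    return packages


def triage(packages):
    """Map each package to (verdict, detail): ok / third-party / ALERT."""
    report = {}
    for name, values in packages.items():
        dll = values.get("dllname")
        if not dll:
            report[name] = ("ALERT", "no DllName value")
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        key = name.lower()
        if key in XP_SP2_BASELINE:
            ok = XP_SP2_BASELINE[key] == base
            report[name] = ("ok", base) if ok else ("ALERT", f"baseline package now loads {dll}")
        elif KNOWN_THIRD_PARTY.get(key) == base:
            report[name] = ("third-party", f"{dll}: confirm vendor and file signature")
        else:
            reasons = ["not a known notification package"]
            if LOOKS_RANDOM.match(base.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
            report[name] = ("ALERT", f"{dll}: " + "; ".join(reasons))
    return report


# Constructed sample: a subset of the cleaned export from the thread plus the
# Look2Me package HijackThis listed earlier as
#   O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\d8j02i1mg8.dll
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"DllName"="C:\\WINDOWS\\system32\\d8j02i1mg8.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"""

if __name__ == "__main__":
    for pkg, (verdict, detail) in triage(parse_notify_export(SAMPLE_EXPORT)).items():
        print(f"{verdict:12} {pkg:14} {detail}")
```

Run it against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` on an XP box; on the sample it reports crypt32chain as ok, NavLogon as third-party, and RunOnce as an alert. The subkey name is deliberately ignored when deciding trust: Look2Me picks names like "RunOnce" that sound like Windows features, so only the DLL actually registered under DllName is compared against the baseline.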
-
Good work. If you didn't manually add this entry to your Hosts file, can you remove it?
Do another scan with Hijackthis and put a check next to these entries:
O1 - Hosts: here.com
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Open Ewido and check for updates
Run another complete scan
Post back a fresh hijackthis log and the new report from Ewido
Is your AV working properly?
I don't see any run entries associated with it, is it enabled to run on startup?
-
Should I be in SAFE MODE when I re-run Ewido?
About the AV, I'm not sure if it was functioning properly yesterday when I was doing the scans. Normally I see a Norton AV icon in the system tray, which I did not see today...I removed, reinstalled, and updated Norton AV and the icon shows in my system tray again.
I'll get the changes/scans done and post them up. My browser doesn't seem to be opening randomly anymore, but I want to make sure it doesn't re-install itself.
Thanks again.
-
bump
-
No, you don't need safe mode anymore when running Ewido
Please post a fresh hijackthis log
-
Ewido Log
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:53:08 AM, 11/10/2005
+ Report-Checksum: E0A47239
+ Scan result:
C:\backup.zip/d80m0id1e80.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/iyetpp.dll -> Spyware.Look2Me : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
::Report End
=================================================
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 1:55:09 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
=============================================
Thanks again.
-
Sorry for the delay
Looks good
Some final cleanup
If everything is running better, please do the following
You should disable system restore>>>reboot>> and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well
Hold onto SpySweeper for the duration of the trial period if you don't plan on purchasing it
Afterwards, right click its icon by the system tray clock and shut it down and then uninstall it
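As an added check that is not part of the thread: a PowerShell snippet that lists which hosts are currently in Internet Explorer's Restricted sites zone, the registry area that IE-SPYAD populates. The ZoneMap path and the zone value 4 are standard IE settings; the function names are my own.

```powershell
# Added example, not from the forum thread. Internet Explorer stores per-host zone
# assignments under ZoneMap\Domains as nested keys ("example.com" then "www" for
# www.example.com) with a value named "*", "http" or "https" holding the zone
# number. Zone 4 is "Restricted sites", which is where IE-SPYAD puts its list.
$zoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-RestrictedZoneHosts {
    Get-ChildItem -Path $zoneMapPath -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key   = $_
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($valueName in @('*', 'http', 'https')) {
                $prop = $props.PSObject.Properties[$valueName]
                if ($prop -and $prop.Value -eq 4) {
                    # Rebuild the host name from the key path: "example.com\www" -> "www.example.com"
                    $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 'Domains\'.Length)
                    $parts = $relative -split '\\'
                    [array]::Reverse($parts)
                    ($parts -join '.')
                }
            }
        } | Sort-Object -Unique
}

function Test-HostIsRestricted {
    param([Parameter(Mandatory)][string]$HostName)
    # True when the host itself, or a parent domain covering it, is in zone 4.
    $restricted = Get-RestrictedZoneHosts
    $labels = $HostName.ToLower() -split '\.'
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = ($labels[$i..($labels.Count - 1)] -join '.')
        if ($restricted -contains $candidate) { return $true }
    }
    return $false
}

# Usage: report how many hosts the Restricted zone currently holds and spot-check one.
$hosts = @(Get-RestrictedZoneHosts)
Write-Host ("Restricted sites zone contains {0} host entries" -f $hosts.Count)
Write-Host ("example.invalid restricted: {0}" -f (Test-HostIsRestricted -HostName 'example.invalid'))
```

A freshly installed IE-SPYAD list should make the count jump into the thousands; a count near zero after running the list's batch file means the zone was not populated for the current user.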
-
Problems appear resolved
I'll lock this topic