Topic: help please

Offline GunzOfSteel 921

  • Newbie
  • Posts: 11
  • Karma: +0/-0
help please
« on: May 01, 2006, 08:32:45 PM »
Logfile of HijackThis v1.99.1
Scan saved at 2:18:19 PM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134603453\ee\AOLSoftware.exe
C:\Program Files\Network\ipnetwork.exe
C:\windows\mousepad15.exe
C:\WINDOWS\win32072026-140079.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\lsalxqoA.exe
C:\WINDOWS\system32\TASKMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjjty.exe
F2 - REG:system.ini: UserInit=userinit.exe,bepxjpv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134603453\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard15.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad15.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname15.exe
O4 - HKLM\..\Run: [win32072026-140079] C:\WINDOWS\win32072026-140079.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\iaeshare.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\WTDRMdev.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Flash (Macromedia) - Unknown owner - C:\WINDOWS\flash8player.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
help please
« Reply #1 on: May 01, 2006, 08:48:00 PM »
Download the latest version of Look2Me-Remover.exe by Atribune and save it to your desktop.

    * Close all windows before continuing.
    * Double-click Look2Me-Remover.exe to run it.
    * Put a check next to "Run this program as a task".
    * You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK.
    * When Look2Me-Remover re-opens, click the "Scan for L2M" button. Your desktop icons will disappear; this is normal.
    * Once it's done scanning, click the "Remove L2M" button.
    * You will receive a "Done Scanning" message; click OK.
    * When completed, you will receive this message: "Done removing infected files! Look2Me-Remover will now shutdown your computer". Click OK.
    * Your computer will then shut down.
    * After it has completed the shutdown, turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Come back here and post the following
1. Post a fresh Hijackthis log
2. Post the report from Look2Me-Destroyer

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline GunzOfSteel 921

help please
« Reply #2 on: May 02, 2006, 06:26:30 PM »
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/2/2006 7:14:03 PM

Infected! C:\WINDOWS\system32\iaeshare.dll
Infected! C:\WINDOWS\system32\WTDRMdev.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3FFA4212-DCB7-4852-95F9-564C7986B07B}"
HKCR\Clsid\{3FFA4212-DCB7-4852-95F9-564C7986B07B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F77F5D7D-6188-48B3-84E7-977236DE8347}"
HKCR\Clsid\{F77F5D7D-6188-48B3-84E7-977236DE8347}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 7:22:41 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\lsalxqoA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjjty.exe
F2 - REG:system.ini: UserInit=userinit.exe,bepxjpv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
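The two HijackThis logs above (the first scan and the one taken after Look2Me-Destroyer ran) differ in only a handful of lines, and the lines that survived are exactly the ones a helper wants to see at a glance: the programs appended to the F2 Shell and UserInit values, the AppInit_DLLs entry, and the autoruns sitting directly in C:\WINDOWS. The script below is an added example for this thread, not code from HijackThis, Look2Me-Destroyer or any other tool named in the posts. It parses the HijackThis line format, flags entries using a few editor-chosen heuristics (assumptions about what a clean Windows XP machine looks like, not rules from any tool), and diffs two scans. The excerpt strings are constructed from the two logs above and keep only the lines that differ or that trip a check.

```python
"""HijackThis log triage: parse entries, flag the ones worth a closer look,
and diff two scans of the same machine.

Added example for this thread; not code from HijackThis or any other tool
named in the posts. The flag() heuristics are the editor's own assumptions
and only say "look closer", never "malicious" on their own."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs posted above: the first scan and the
# one taken after Look2Me-Destroyer ran. Only lines that differ between the
# two scans or that trip one of the checks below are included.
LOG_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjjty.exe
F2 - REG:system.ini: UserInit=userinit.exe,bepxjpv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad15.exe
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\iaeshare.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""
LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjjty.exe
F2 - REG:system.ini: UserInit=userinit.exe,bepxjpv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code: R0, F2, O4, O20, O23, ...
    body: str     # everything after the "O4 - " prefix


ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse(log_text):
    """Return the log's entries in order; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# What the two Winlogon hooks look like on a clean XP machine as HijackThis
# prints them (assumption; UserInit normally carries a trailing comma).
CLEAN_SHELL = "REG:system.ini: Shell=Explorer.exe"
CLEAN_USERINIT = "REG:system.ini: UserInit=userinit.exe"
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.I)
O4_PATH = re.compile(r'\]\s*"?([A-Za-z]:\\[^\s"]+)')  # path after the [name]


def flag(entry):
    """Reason this entry deserves a look, or None if nothing stands out."""
    b = entry.body
    if entry.section == "F2" and b.startswith("REG:system.ini: Shell=") and b != CLEAN_SHELL:
        return "extra program appended to the Winlogon Shell value"
    if entry.section == "F2" and b.startswith("REG:system.ini: UserInit=") and b.rstrip(",") != CLEAN_USERINIT:
        return "extra program appended to the Winlogon UserInit value"
    if entry.section == "O20" and b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip():
        return "AppInit_DLLs loads this DLL into every process that uses user32"
    if "(file missing)" in b:
        return "registry still points at a file that no longer exists"
    if entry.section == "O4":
        m = O4_PATH.search(b)
        if m and WINDOWS_ROOT_EXE.match(m.group(1)):
            return "autorun executable sitting directly in the Windows folder"
    return None


def diff(before, after):
    """Entries the cleanup removed, entries that survived it, entries new in `after`."""
    a, b = set(after), set(before)
    removed = [e for e in before if e not in a]
    persisted = [e for e in before if e in a]
    added = [e for e in after if e not in b]
    return removed, persisted, added


def triage(log_text):
    """(section, body, reason) for every flagged entry in a log, in log order."""
    out = []
    for e in parse(log_text):
        reason = flag(e)
        if reason:
            out.append((e.section, e.body, reason))
    return out


if __name__ == "__main__":
    removed, persisted, added = diff(parse(LOG_BEFORE), parse(LOG_AFTER))
    print("removed by the cleanup:")
    for e in removed:
        print("  ", e.section, "-", e.body)
    print("survived the cleanup and still flagged:")
    for e in persisted:
        reason = flag(e)
        if reason:
            print("  ", e.section, "-", e.body, "=>", reason)
```

Run as a script it prints what the Look2Me pass removed (the mousepad autorun, the orphaned Control Panel notify entry and the missing Network Monitor service) and what survived; `triage()` on a full pasted log gives the same shortlist the helper built by hand. A hit is a starting point, not a verdict: the WgaLogon and igfxcui Winlogon Notify entries pass these checks because they are standard Windows and Intel components, and a clean machine still needs a human to confirm what an unfamiliar name actually is.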

Offline guestolo

help please
« Reply #3 on: May 02, 2006, 10:24:07 PM »
Sorry for the delay, can you do the following please

Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (right-click on this link and choose Save As; if using IE, Save Target As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient; it will take about five minutes.
  • After the PC has restarted, please post another hijackthis log.



Offline GunzOfSteel 921

help please
« Reply #4 on: May 03, 2006, 06:01:35 PM »
Did all of that.. here's the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 7:00:26 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\lsalxqoA.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Upgrader.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Offline guestolo

help please
« Reply #5 on: May 03, 2006, 07:14:39 PM »
Before we continue, can you let me know the following.
You may very well have installed this yourself; if not, we need to remove it.
Did you install Free-Keylogger on your computer?

These will log your keystrokes and let others gain access to passwords and such
without your knowledge.
Here is some more info:
http://www.refog.com/keylogger/faq.html
And instructions to remove it!

Post back a fresh hijackthis log if removed.
Also, can you do the following please:
Download FindQool by LonnyRJones

    * Extract the files and place the FindQool folder in root, usually C:\, so you now have the folder extracted at C:\FindQool
    * Open the folder and run Qlocate.bat.
    * Post the contents of the txt.log which will open.
« Last Edit: May 03, 2006, 07:16:08 PM by guestolo »



Offline GunzOfSteel 921

help please
« Reply #6 on: May 03, 2006, 07:41:49 PM »
Yes, I do have a keylogger that was put on my computer by my parents to make sure I don't do anything bad with my laptop.. but I can not get rid of it... here are the results of the scan:

Wed 05/03/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
 
Known file names
 
MD5 Check....
 
Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...
 
 
...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"yqwhyi"="C:\\WINDOWS\\system32\\ayrpyk.exe reg_run"
HKCU
"vndia"="C:\\WINDOWS\\system32\\ayrpyk.exe reg_run"
...
 
Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
   shell REG_SZ  Explorer.exe
   userinit REG_SZ  C:\WINDOWS\system32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006

Offline guestolo

help please
« Reply #7 on: May 03, 2006, 08:05:16 PM »
Let's go in for some final cleaning then
See if we can clean the rest of this

==Download and install Windows CleanUp! 4.5.1
Don't run this yet
NOTE: If you have an older version of Windows CleanUp!, Please uninstall it and use this newer version

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck
 "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, you can take a look at the following link to help with
the updating:
http://www.ewido.net/en/support/?AID=26

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu


==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer

==Open Ewido Anti-Malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll

O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run


After you have ticked the above entries, close all other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode
Post back the following
1. Post a fresh hijackthis log
2. Post the whole report from Ewido

NOTE: I forgot to transfer the Panda log you posted in the other post
I'm not going to include the cookies that were found bad, but I'll post the other info
Quote
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Adware:Adware/2Z0o Not disinfected C:\WINDOWS\lsalxqo.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\newname.dat
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\pss\rheqf.exeCommon Startup
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\ad.html
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\dmonwv.dll
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\fwhsk.dat
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\wallpap.exe
« Last Edit: May 06, 2006, 02:00:21 PM by guestolo »



Offline GunzOfSteel 921

help please
« Reply #8 on: May 14, 2006, 06:30:36 PM »
My computer won't start up into safe mode.  I tap F8 when required, but it won't go to that part- it'll skip where it's at and go right up to where windows starts up.

Offline guestolo

help please
« Reply #9 on: May 14, 2006, 10:52:45 PM »
It's been 11 days since your last post!
We must start all over
Please post a fresh hijackthis log and let's see where we stand
« Last Edit: May 14, 2006, 11:21:36 PM by guestolo »



Offline GunzOfSteel 921

help please
« Reply #10 on: May 15, 2006, 07:14:09 PM »
Logfile of HijackThis v1.99.1
Scan saved at 8:12:33 PM, on 5/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\lsalxqoA.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe
c:\program files\mcafee.com\shared\mcinfo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Offline guestolo

help please
« Reply #11 on: May 15, 2006, 07:24:12 PM »
We'll try all the instructions I posted earlier in Normal mode

Do the following please
Save the rest of these instructions to a Notepad file saved to your desktop or Print them out

==Open Ewido Anti-Malware
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, you can take a look at the following link to manually update
http://www.ewido.net/en/download/updates/

==Close down all browser windows, including this one
Physically disconnect this computer from the Net till we are done here

Right click the bottom taskbar and select TaskManager
Under processes, highlight and end process on the following
lsalxqoA.exe

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer

==Open Ewido Anti-Malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll

O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run


After you have ticked the above entries, close all other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Shut down the computer
Rehook back to the modem
Restart back to Normal mode

Post back the following
1. Post a fresh hijackthis log
2. Post the whole report from Ewido

What parts of Panda are you running?
What parts of McAfee's?
« Last Edit: May 15, 2006, 07:25:45 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
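The steps above end with a request for a fresh HijackThis log, and the helper then has to check by eye that every ticked entry is gone. The following Python is an added example written for this page, not code from the thread, from HijackThis or from ewido: it parses two HijackThis logs plus the list of ticked entries and reports which entries were removed, which persist, and which are new, and it separately pulls out the O20 AppInit_DLLs line and the "Running processes" block. The sample logs are short excerpts constructed from the entries quoted in this thread.

```python
"""Compare a fresh HijackThis log against the entries ticked for 'Fix checked'
and against the earlier log, to confirm the fix took."""
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] path": section code, " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")


def parse_hjt(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def parse_processes(log_text):
    """Return the 'Running processes:' block as a list of image paths."""
    procs, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:          # the block ends at the first blank line
                break
            procs.append(line)
    return procs


def appinit_dlls(entries):
    """DLL names from O20 AppInit_DLLs entries. Windows loads these into every
    process that loads user32.dll, so one such DLL shows up in many processes."""
    dlls = []
    for section, body in sorted(entries):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls.extend(body.split(":", 1)[1].split())
    return dlls


def verify_fix(before_log, after_log, fix_list):
    """Set differences between the ticked entries, the old log and the new log."""
    before, after = parse_hjt(before_log), parse_hjt(after_log)
    fixes = parse_hjt(fix_list)
    return {
        "removed": fixes - after,      # ticked entries that are gone
        "persisting": fixes & after,   # ticked entries still present
        "new": after - before,         # entries that appeared since the old log
    }


# Constructed excerpt: the ticked entries plus two benign lines, as the log looked before the fix.
BEFORE = r"""
Running processes:
C:\WINDOWS\lsalxqoA.exe
C:\Program Files\iTunes\iTunesHelper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run
O20 - AppInit_DLLs: sfklg.dll
"""

# Constructed excerpt of the fresh log posted after the fix.
AFTER = r"""
Running processes:
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: sfklg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# The entries the helper asked to tick in 'Fix checked'.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBAEEFD6-942A-418F-A6FC-E373A98041D8} - C:\Program Files\Windows NT\horego.dll
O4 - HKLM\..\Run: [yqwhyi] C:\WINDOWS\system32\ayrpyk.exe reg_run
O4 - HKLM\..\Run: [lsalxqoA] C:\WINDOWS\lsalxqoA.exe
O4 - HKCU\..\Run: [vndia] C:\WINDOWS\system32\ayrpyk.exe reg_run
"""

if __name__ == "__main__":
    result = verify_fix(BEFORE, AFTER, FIX_LIST)
    for label in ("removed", "persisting", "new"):
        print(f"{label}:")
        for section, body in sorted(result[label]):
            print(f"  {section} - {body}")
    print("AppInit_DLLs still listed:", appinit_dlls(parse_hjt(AFTER)))
    print("lsalxqoA.exe running:", r"C:\WINDOWS\lsalxqoA.exe" in parse_processes(AFTER))
```

The AppInit_DLLs line is reported on its own because it was never on the fix list, so a plain diff would not draw attention to it even though it survives into the fresh log; the process list check confirms the image the helper asked to end in Task Manager is no longer running.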


Offline GunzOfSteel 921

help please
« Reply #12 on: May 16, 2006, 02:59:13 PM »
Logfile of HijackThis v1.99.1
Scan saved at 3:56:43 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         3:46:19 PM, 5/16/2006
 + Report-Checksum:      97A7ED34

 + Scan result:

   HKU\.DEFAULT\Software\DNS -> Adware.Shorty : Cleaned with backup
   HKU\S-1-5-21-3697448870-4166010026-348496076-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-3697448870-4166010026-348496076-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
   HKU\S-1-5-18\Software\DNS -> Adware.Shorty : Cleaned with backup
   [1016] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Cleaned with backup
   [1028] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1196] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1244] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1288] C:\WINDOWS\System32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1400] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1436] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1760] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1864] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1936] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [2036] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [264] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1600] C:\WINDOWS\System32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [672] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [2080] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [2152] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [2200] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [2248] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1692] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [3448] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   :mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
   :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
   :mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
   :mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
   :mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
   :mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
   :mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
   :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
   :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
   :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
   :mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
   :mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
   :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
   :mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
   :mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
   :mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
   :mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
   :mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
   :mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
   :mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
   :mozilla.123:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
   :mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
   :mozilla.125:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
   :mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
   :mozilla.147:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.148:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.149:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.150:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.151:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.152:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
   :mozilla.247:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
   :mozilla.248:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
   :mozilla.252:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
   :mozilla.260:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
   :mozilla.261:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
   :mozilla.279:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
   :mozilla.280:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
   :mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
   :mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
   :mozilla.303:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.304:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.305:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.306:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.307:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.308:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.309:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
   :mozilla.311:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
   :mozilla.312:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
   :mozilla.325:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
   :mozilla.328:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   :mozilla.329:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   :mozilla.355:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
   :mozilla.364:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
   :mozilla.365:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
   :mozilla.366:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
   :mozilla.367:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
   :mozilla.368:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
   :mozilla.374:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   :mozilla.375:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   :mozilla.382:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
   :mozilla.383:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
   :mozilla.415:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
   :mozilla.416:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
   :mozilla.417:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
   :mozilla.435:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
   :mozilla.436:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
   :mozilla.437:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
   :mozilla.442:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
   :mozilla.443:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
   :mozilla.444:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
   :mozilla.471:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
   C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
   C:\Program Files\Windows NT\horego.dll -> Downloader.Small.ctb : Cleaned with backup
   C:\WINDOWS\keyboard15.exe -> Downloader.Adload.ay : Cleaned with backup
   C:\WINDOWS\lsalxqo.exe -> Hijacker.VB.ij : Cleaned with backup
   C:\WINDOWS\lsalxqoA.exe -> Hijacker.VB.ij : Cleaned with backup
   C:\WINDOWS\mousepad15.exe -> Hijacker.VB.mo : Cleaned with backup
   C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
   C:\WINDOWS\newname15.exe -> Downloader.Adload.ay : Cleaned with backup
   C:\WINDOWS\pss\rheqf.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup
   C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
   C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Cleaned with backup
   C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
   C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
   C:\WINDOWS\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup
   C:\WINDOWS\win32072026-140079.exe -> Adware.Enbrow : Cleaned with backup


::Report End

I believe I am using all of Panda, and internet security from McAfee
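A report like the one above mixes four kinds of object (registry values, modules found inside running processes, browser cookies and files on disk), and the twenty "[pid] ... Error during cleaning" lines are all one DLL, the same sfklg.dll named on the O20 AppInit_DLLs line of the log. The following Python is an added example written for this page, not an ewido feature or code from the thread: it parses the "object -> detection : status" lines, classifies each object, counts results per kind and status, and for each file path pairs the on-disk result with the process IDs where an in-memory clean succeeded or failed. The sample input is an excerpt constructed from the report posted above.

```python
"""Triage an ewido anti-malware scan report: classify detections and flag
modules that were cleaned on disk but could not be unloaded from processes."""
import re
from collections import Counter

# Each result line: "<object> -> <detection name> : <status>"
RESULT_RE = re.compile(r"^\s*(?P<obj>.+?) -> (?P<det>\S+) : (?P<status>.+?)\s*$")
# In-process hits carry the PID in square brackets before the module path.
PID_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<path>.+)$")
REG_HIVES = ("HKU\\", "HKLM\\", "HKCU\\", "HKCR\\")


def classify(obj):
    """Return (kind, path, pid) for one object string from the report."""
    m = PID_RE.match(obj)
    if m:
        return "in_process", m.group("path"), int(m.group("pid"))
    if obj.startswith(":mozilla."):          # ":mozilla.<n>:<cookie file path>"
        return "cookie", obj.split(":", 2)[2], None
    if obj.upper().startswith(REG_HIVES):
        return "registry", obj, None
    return "file", obj, None


def parse_report(text):
    """Yield one dict per result line; header and separator lines are skipped."""
    for raw in text.splitlines():
        m = RESULT_RE.match(raw)
        if not m:
            continue
        kind, path, pid = classify(m.group("obj"))
        yield {"kind": kind, "path": path, "pid": pid,
               "detection": m.group("det"), "status": m.group("status")}


def loaded_modules(text):
    """Per file path (case-folded, Windows paths are case-insensitive): the on-disk
    result and the PIDs where the in-memory copy was or was not cleaned."""
    modules = {}
    for r in parse_report(text):
        if r["kind"] not in ("in_process", "file"):
            continue
        entry = modules.setdefault(
            r["path"].lower(), {"on_disk": None, "unloaded": [], "unload_failed": []})
        if r["kind"] == "file":
            entry["on_disk"] = r["status"]
        elif r["status"].startswith("Error"):
            entry["unload_failed"].append(r["pid"])
        else:
            entry["unloaded"].append(r["pid"])
    return modules


def triage(text):
    """Summary: counts per (kind, status), riskware names, and modules still loaded."""
    results = list(parse_report(text))
    counts = Counter((r["kind"], r["status"]) for r in results)
    # The "Not-A-Virus." prefix marks riskware such as commercial monitoring
    # software, which is why the helper asks whether the keylogger is wanted.
    riskware = sorted({r["detection"] for r in results
                       if r["detection"].startswith("Not-A-Virus.")})
    still_loaded = sorted(p for p, e in loaded_modules(text).items() if e["unload_failed"])
    return {"total": len(results), "counts": counts,
            "riskware": riskware, "still_loaded": still_loaded}


# Constructed excerpt of the report posted in this thread (header lines included).
REPORT = r"""
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         3:46:19 PM, 5/16/2006
 + Scan result:

   HKU\.DEFAULT\Software\DNS -> Adware.Shorty : Cleaned with backup
   [1016] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Cleaned with backup
   [1028] C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   [1288] C:\WINDOWS\System32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Error during cleaning
   :mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\24pu0u1k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
   C:\Program Files\Windows NT\horego.dll -> Downloader.Small.ctb : Cleaned with backup
   C:\WINDOWS\system32\sfklg.dll -> Not-A-Virus.Monitor.Win32.Sfkeylogger.a : Cleaned with backup
   C:\WINDOWS\lsalxqoA.exe -> Hijacker.VB.ij : Cleaned with backup

::Report End
"""

if __name__ == "__main__":
    summary = triage(REPORT)
    for (kind, status), n in sorted(summary["counts"].items()):
        print(f"{kind:11s} {status:22s} {n}")
    print("riskware:", summary["riskware"])
    print("still loaded in processes:", summary["still_loaded"])
    for path, entry in loaded_modules(REPORT).items():
        print(path, entry)
```

The value of pairing the on-disk result with the per-process results is that it turns twenty error lines into one finding: the DLL was cleaned on disk while copies already mapped into running processes stayed put, which is what to expect for a DLL registered in AppInit_DLLs. The fresh log requested after the reboot is where to confirm both that the O20 line is gone and that nothing reloads it.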

Offline guestolo

help please
« Reply #13 on: May 16, 2006, 08:08:08 PM »
Find and delete these files please if found
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\fwhsk.dat
C:\WINDOWS\uninstall_nmon.vbs


Do you want to keep the keylogger?
I just want to make sure we're clear on that

Also, let me know how everything's running please

Quote
I believe I am using all of Panda, and internet security from McAfee

I hope you know that it's not a good idea to run 2 AVs or firewalls in the background at the same time, as this may cause conflicts in the Operating System
However, looking at your last log, it is OK to have 2 AV's installed with one as an on-demand scanner (Only scans when prompted by the user)
« Last Edit: May 16, 2006, 08:55:23 PM by guestolo »



Offline GunzOfSteel 921

help please
« Reply #14 on: May 16, 2006, 09:30:54 PM »
I got rid of all of them except C:\WINDOWS\IA\KE.vbs
It's here somewhere, but I can't find it no matter what I do.  If I try to run it (I have scripts blocked...), it'll come up as script blocked rather than saying that the file is not on the computer.  I also looked for it through the search (even to look for hidden files).. and that didn't come up either- and yes, how would I go about getting rid of the keylog?

Offline guestolo

help please
« Reply #15 on: May 16, 2006, 09:43:37 PM »
Can you do the following for me please
It was so long since we started fixing this computer I forgot about the problems on the computer
I hope you still have Brute Force Uninstaller saved to the BFU folder

Can you do the following please
RIGHT CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcanshorty.bfu.
Save it in the folder you made earlier (c:\BFU)
So you now have C:\Bfu\alcanshorty.bfu

Print this out or save the instructions to Notepad

Close down all browser windows including this one

Follow the instructions as I posted earlier to remove the keylogger if it applies
Step 1: Select Start -> Programs -> KGB Spy -> UnInstall
Step 2: Follow the on-screen instructions
OR
Un-installing using Control Panel
Step 1: Select Start -> Settings -> Control Panel
Step 2: Open "Add \ Remove Programs" item in Control Panel
Step 3: Select KGB Spy from the applications list and press the "Remove" button

Don't reboot the computer yet
Instead
NOTE: You must allow this script to run if notified by your AV
Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot the computer

come back here and post a fresh hijackthis log afterwards

Can you find this folder and delete the whole folder?
C:\WINDOWS\IA <- this folder
« Last Edit: May 17, 2006, 08:43:30 AM by guestolo »

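As an added example (not from this thread or either poster), a PowerShell check that reports whether each file the helper listed is still present, including hidden and system entries that Explorer's search skips, and lists everything inside the C:\WINDOWS\IA folder before it is removed. The paths are the ones quoted above; $env:SystemRoot is assumed to resolve to C:\WINDOWS, and the removal line is left in -WhatIf mode so nothing is deleted until the listing has been reviewed.

```powershell
# Constructed example: verify the cleanup the helper asked for.
# Paths are those named in the thread; $env:SystemRoot is assumed to be C:\WINDOWS.
$paths = @(
    "$env:SystemRoot\IA\KE.vbs",
    "$env:SystemRoot\newname.dat",
    "$env:SystemRoot\system32\dmonwv.dll",
    "$env:SystemRoot\pf78.exe",
    "$env:SystemRoot\system32\fwhsk.dat",
    "$env:SystemRoot\uninstall_nmon.vbs"
)

foreach ($p in $paths) {
    # -Force makes Get-Item return hidden and system files, which plain
    # Explorer searches and "dir" without /a leave out.
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0,-45} not found" -f $p
    } else {
        "{0,-45} PRESENT  attrs={1}  size={2}  modified={3}" -f `
            $p, $item.Attributes, $item.Length, $item.LastWriteTime
    }
}

# The folder the helper asked to delete whole: show every entry in it,
# hidden and system ones included, so "the folder looks empty" can be checked.
$dir = "$env:SystemRoot\IA"
if (Test-Path -LiteralPath $dir) {
    "Contents of $dir (hidden/system included):"
    Get-ChildItem -LiteralPath $dir -Force -Recurse |
        Select-Object FullName, Attributes, Length, LastWriteTime |
        Format-Table -AutoSize

    # Dry run of the removal; drop -WhatIf once the listing above is confirmed.
    Remove-Item -LiteralPath $dir -Recurse -Force -WhatIf
} else {
    "$dir is not present"
}
```

Run it from an elevated PowerShell prompt on the affected machine; a file that Explorer cannot see but that shows up here as PRESENT with the Hidden or System attribute is what the poster's "script blocked" message points to.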


Offline GunzOfSteel 921

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
help please
« Reply #16 on: May 20, 2006, 11:07:19 AM »
I found the folder using Run, although there is nothing in the folder (not even hidden), and I can not delete it because I have nothing to move to the recycle bin.

I also can not get rid of the keylog because it is not in my programs list, and I can not find it.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
help please
« Reply #17 on: May 20, 2006, 11:38:01 AM »
Were you successful in running Alcanshorty?
Some of the tools I am having you run are scripts; you need to allow these to run

Are there other users on this computer with Administrative privileges?
Can I see an uninstall list from Hijackthis please

Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save this list to the desktop, then copy and paste the whole contents back here please
« Last Edit: May 20, 2006, 11:58:06 AM by guestolo »



Offline GunzOfSteel 921

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
help please
« Reply #18 on: May 20, 2006, 04:26:22 PM »
Yes, there is one other user on the computer with administrative privileges.

Ad-Aware SE Personal
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.5
Adobe Stock Photos 1.0
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Uninstaller (Choose which Products to Remove)
Bonjour
CC_ccProxyExt
ccCommon
ccPxyCore
CleanUp!
Conexant AC-Link Audio
Digital Media Reader
ewido anti-malware
HijackThis 1.99.1
Intel® Extreme Graphics 2 Driver
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 3
Learn2 Player (Uninstall Only)
LimeWire PRO 4.8.1
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee AntiSpyware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2005
Microsoft Works
Mozilla Firefox (1.5)
MSRedist
MX240a
Nero BurnRights
Nero OEM
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
Panda ActiveScan
Panda Antivirus Platinum
PowerDVD
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SPBBC
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781