Author Topic: Spyware Problem  (Read 1609 times)

Offline FriscoMikey

Spyware Problem
« on: November 07, 2005, 09:46:29 PM »
I have Firefox set as my default browser. Recently it began opening up randomly. All windows that pop up have the checkered flag symbol next to the site in the address bar, if that helps at all. I have run Ad-aware, SpyBot, a^2, pcpitstop.com...nothing seems to work. Scans showed CWS and CoolWWWSearch registry entries, which I have removed, and they have not come back yet. Browser still randomly opens, though.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:04 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Michael Auskings\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\enlql1351.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Thanks in advance for your help!
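Added example (not code from the thread, from HijackThis or from any tool named here): a small Python triage of the log format posted above. It parses the "Oxx - ..." lines and ranks the ones a helper looks at first, the O1 hosts entry and any O20 Winlogon Notify DLL that is not on a known-good list. The sample lines are copied from the posted log; the allowlist and the "machine-generated name" heuristic are assumptions for illustration, not a verdict on any file.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not the tool's code).

Parses the "Oxx - ..." lines and ranks the entries a helper would inspect first:
hosts-file overrides (O1) and Winlogon Notify DLLs (O20) whose file name is not
on a known-good list.  The allowlist and the name heuristic are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = """\
O1 - Hosts: here.com
O4 - HKLM\\..\\Run: [ezShieldProtector for Px] C:\\WINDOWS\\system32\\ezSP_Px.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: App Management - C:\\WINDOWS\\system32\\enlql1351.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

# Assumed allowlist: Winlogon Notify DLLs shipped with XP SP2 plus NavLogon.dll,
# which belongs to the Symantec AntiVirus install visible elsewhere in the log.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "termsrv.dll", "navlogon.dll",
}

LINE_RE = re.compile(r"^(?P<sect>[RFON]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+\.(?:dll|exe)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str   # "review" (look at this first) or "info"
    reason: str
    line: str


def looks_machine_generated(stem: str) -> bool:
    """Assumed heuristic: a letter run followed by a digit run, or a letter run
    with almost no vowels, e.g. 'enlql1351' -> True, 'navlogon' -> False."""
    s = stem.lower()
    if re.fullmatch(r"[a-z]{3,}\d{3,}", s):
        return True
    letters = re.sub(r"[^a-z]", "", s)
    vowels = sum(c in "aeiouy" for c in letters)
    return len(letters) >= 5 and vowels / len(letters) < 0.2


def parse(log: str):
    """Yield (section code, body, full line) for every HijackThis item line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("body"), raw.strip()


def triage(log: str) -> list[Finding]:
    findings = []
    for sect, body, line in parse(log):
        if sect == "O1":
            # HijackThis only lists hosts entries that differ from the default,
            # so every O1 line is a redirect somebody added.
            findings.append(Finding(sect, "review", "non-default hosts entry", line))
        elif sect == "O20":
            path = PATH_RE.search(body)
            if not path:
                continue
            name = path.group(0).rsplit("\\", 1)[-1].lower()
            stem = name.rsplit(".", 1)[0]
            if name in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(sect, "info", "known Winlogon Notify DLL", line))
            elif looks_machine_generated(stem):
                findings.append(Finding(sect, "review",
                                        "Winlogon Notify DLL not on allowlist, machine-generated name", line))
            else:
                findings.append(Finding(sect, "review", "Winlogon Notify DLL not on allowlist", line))
    # Stable sort: "review" findings first, original log order otherwise.
    findings.sort(key=lambda f: f.severity != "review")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
```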

Offline jaycomc

Spyware Problem
« Reply #1 on: November 07, 2005, 10:03:26 PM »
I am certainly not an expert at all this, but I will tell you what has worked for me.

Download Ewido Suite at http://www.ewido.net/en/download/ and install it. After installing, be sure to click the update button.

It looks like you have Ad-Aware already.

Reboot your computer in safe mode by pressing the F8 key after your computer beeps when first starting to boot. After you have successfully rebooted in safe mode, run Ewido and do a complete scan. Don't forget to save a log file.

Then reboot, update and run Ad-aware, and save the log file.

After all this, which will take some time, post a HijackThis log back for the AWESOME MODS to take a look at.

Hope this helps in some way.


Offline FriscoMikey

Spyware Problem
« Reply #2 on: November 07, 2005, 10:09:33 PM »
I'll give it a shot. Thanks.

Offline guestolo

Spyware Problem
« Reply #3 on: November 07, 2005, 10:13:27 PM »
After you post the Ewido report, can you download L2mfix from here:

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
« Last Edit: November 07, 2005, 10:14:17 PM by guestolo »



Offline FriscoMikey

Spyware Problem
« Reply #4 on: November 08, 2005, 12:52:08 AM »
Okay, guys...here are the results of the Ewido, Ad-aware, and l2mfix scans...looks like Ewido found a bunch of trojans, but the browser is still opening randomly...

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         11:24:12 PM, 11/7/2005
 + Report-Checksum:      716E7274

 + Scan result:

   HKU\S-1-5-21-3306207928-2317988759-2504321181-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   [656] C:\WINDOWS\system32\iyetpp.dll -> Spyware.Look2Me : Error during cleaning
   [788] C:\WINDOWS\system32\iyetpp.dll -> Spyware.Look2Me : Error during cleaning
   :mozilla.6:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.7:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.8:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.9:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.10:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.11:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.12:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.14:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.20:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.21:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.22:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.23:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.24:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.25:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.26:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.27:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.28:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.30:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.45:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
   :mozilla.46:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.47:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.48:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
   :mozilla.49:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.50:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.51:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.52:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.57:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.58:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.59:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.70:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.71:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.72:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.73:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.74:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.75:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.76:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.77:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.78:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.79:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.80:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.81:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.82:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.83:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.84:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.86:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.87:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.88:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.89:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.90:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.104:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.105:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.106:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.107:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.108:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.117:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.118:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.119:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.120:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.121:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.122:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.123:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.124:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.126:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.127:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.150:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.151:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.152:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.153:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.154:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.155:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.156:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.157:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.158:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.159:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.160:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.161:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.162:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.163:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.164:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.165:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.166:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.167:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.168:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.169:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.170:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.171:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.172:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.173:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.174:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   :mozilla.175:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.176:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.177:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.178:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.179:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.180:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.181:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.200:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.206:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   :mozilla.208:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.209:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.228:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.229:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.230:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.231:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.252:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\nwcxgx22.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Temporary Internet Files\Content.IE5\D0S1HLF4\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Temporary Internet Files\Content.IE5\LRCXR26Y\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\6TDARYX4\installer[1].exe -> Spyware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\7QKVRLGH\ysb_prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\FLFVOWPI\contextplus[1].exe -> Trojan.Crypt.t : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\OJHZYMND\mte3ndi6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\OJHZYMND\sp2update00[1].exe -> TrojanDownloader.VB.nh : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\XGZI12LM\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temporary Internet Files\Content.IE5\XGZI12LM\mm[2].js -> Spyware.Chitika : Cleaned with backup
   C:\WINDOWS\system32\acifil32.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\lv8o09l3e.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\mmls2.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\wdsdmoe.dll -> Spyware.Look2Me : Cleaned with backup


::Report End
==================================



Lavasoft Ad-Aware Professional Build 1.03
Logfile created on:Monday, November 07, 2005 11:28:58 PM
Using definitions file:SE1R73 03.11.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):11 total references
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


11-7-2005 11:28:58 PM - Scan started. (Full System Scan)

 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Michael Auskings\recent
    Description        : list of recently opened documents


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description        : list of files recently opened using microsoft paint


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-3306207928-2317988759-2504321181-1005\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 488
    ThreadCreationTime : 11-8-2005 5:28:08 AM
    BasePriority       : Normal


#:2 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 568
    ThreadCreationTime : 11-8-2005 5:28:11 AM
    BasePriority       : High


#:3 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 612
    ThreadCreationTime : 11-8-2005 5:28:12 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:4 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 624
    ThreadCreationTime : 11-8-2005 5:28:12 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:5 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 772
    ThreadCreationTime : 11-8-2005 5:28:14 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 872
    ThreadCreationTime : 11-8-2005 5:28:15 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [acs.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 948
    ThreadCreationTime : 11-8-2005 5:28:15 AM
    BasePriority       : Normal


#:8 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1392
    ThreadCreationTime : 11-8-2005 5:28:18 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion     : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:9 [ccsetmgr.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 1492
    ThreadCreationTime : 11-8-2005 5:28:18 AM
    BasePriority       : Normal
    FileVersion        : 2.2.0.577
    ProductVersion     : 2.2.0.577
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Settings Manager Service
    InternalName       : ccSetMgr
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccSetMgr.exe

#:10 [ctsvccda.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1512
    ThreadCreationTime : 11-8-2005 5:28:19 AM
    BasePriority       : Normal
    FileVersion        : 1.0.1.0
    ProductVersion     : 1.0.0.0
    ProductName        : Creative Service for CDROM Access
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName       : CTsvcCDAEXE
    LegalCopyright     : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    OriginalFilename   : CTsvcCDA.EXE

#:11 [defwatch.exe]
    FilePath           : C:\Program Files\Symantec AntiVirus\
    ProcessID          : 1528
    ThreadCreationTime : 11-8-2005 5:28:19 AM
    BasePriority       : Normal
    FileVersion        : 9.0.0.338
    ProductVersion     : 9.0.0.338
    ProductName        : Symantec AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Virus Definition Daemon
    InternalName       : DefWatch
    LegalCopyright     : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
    OriginalFilename   : DefWatch.exe

#:12 [dvdramsv.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1552
    ThreadCreationTime : 11-8-2005 5:28:19 AM
    BasePriority       : Normal
    FileVersion        : 2, 0, 5, 0
    ProductVersion     : 2, 0, 5, 0
    CompanyName        : Matsushita Electric Industrial Co., Ltd.
    FileDescription    : Service of RAMAsst for Windows XP
    LegalCopyright     : Copyright © Matsushita Electric Industrial Co., Ltd. 2002
    OriginalFilename   : DVDRAMSV.EXE

#:13 [ewidoctrl.exe]
    FilePath           : C:\Program Files\ewido\security suite\
    ProcessID          : 1584
    ThreadCreationTime : 11-8-2005 5:28:19 AM
    BasePriority       : Normal
    FileVersion        : 3, 0, 0, 1
    ProductVersion     : 3, 0, 0, 1
    ProductName        : ewido control
    CompanyName        : ewido networks
    FileDescription    : ewido control
    InternalName       : ewido control
    LegalCopyright     : Copyright © 2004
    OriginalFilename   : ewidoctrl.exe

#:14 [nvsvc32.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1612
    ThreadCreationTime : 11-8-2005 5:28:19 AM
    BasePriority       : Normal
    FileVersion        : 6.13.10.3240
    ProductVersion     : 6.13.10.3240
    ProductName        : NVIDIA Driver Helper Service, Version 32.40
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 32.40
    InternalName       : NVSVC
    LegalCopyright     : © NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:15 [rtvscan.exe]
    FilePath           : C:\Program Files\Symantec AntiVirus\
    ProcessID          : 1708
    ThreadCreationTime : 11-8-2005 5:28:20 AM
    BasePriority       : Normal
    FileVersion        : 9.0.0.338
    ProductVersion     : 9.0.0.338
    ProductName        : Symantec AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec AntiVirus
    LegalCopyright     : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:16 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 1876
    ThreadCreationTime : 11-8-2005 5:28:21 AM
    BasePriority       : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:17 [mspmspsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1976
    ThreadCreationTime : 11-8-2005 5:28:21 AM
    BasePriority       : Normal
    FileVersion        : 7.00.00.1954
    ProductVersion     : 7.00.00.1954
    ProductName        : Microsoft ® DRM
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName       : MSPMSPSV.EXE
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : MSPMSPSV.EXE

#:18 [ccevtmgr.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 1996
    ThreadCreationTime : 11-8-2005 5:28:21 AM
    BasePriority       : Normal
    FileVersion        : 2.2.0.577
    ProductVersion     : 2.2.0.577
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Event Manager Service
    InternalName       : ccEvtMgr
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccEvtMgr.exe

#:19 [ezsp_px.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1320
    ThreadCreationTime : 11-8-2005 5:28:32 AM
    BasePriority       : Normal


#:20 [msmsgs.exe]
    FilePath           : C:\Program Files\Messenger\
    ProcessID          : 1524
    ThreadCreationTime : 11-8-2005 5:28:34 AM
    BasePriority       : Normal
    FileVersion        : 4.7.3001
    ProductVersion     : Version 4.7.3001
    ProductName        : Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Messenger
    InternalName       : msmsgs
    LegalCopyright     : Copyright © Microsoft Corporation 2004
    LegalTrademarks    : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename   : msmsgs.exe

#:21 [ctfmon.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1096
    ThreadCreationTime : 11-8-2005 5:28:34 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : CTF Loader
    InternalName       : CTFMON
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : CTFMON.EXE

#:22 [aim.exe]
    FilePath           : C:\PROGRA~1\AIM\
    ProcessID          : 1740
    ThreadCreationTime : 11-8-2005 5:28:35 AM
    BasePriority       : Normal
    FileVersion        : 5.9.3861
    ProductVersion     : 5.9.3861
    ProductName        : AOL Instant Messenger
    CompanyName        : America Online, Inc.
    FileDescription    : AOL Instant Messenger
    InternalName       : AIM
    LegalCopyright     : Copyright © 1996-2005 America Online, Inc.
    OriginalFilename   : AIM.EXE

#:23 [nmbgmonitor.exe]
    FilePath           : C:\Program Files\Common Files\Ahead\lib\
    ProcessID          : 1752
    ThreadCreationTime : 11-8-2005 5:28:36 AM
    BasePriority       : Normal


#:24 [ramasst.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 2076
    ThreadCreationTime : 11-8-2005 5:28:38 AM
    BasePriority       : Normal
    FileVersion        : 1, 0, 8, 0
    ProductVersion     : 1, 0, 8, 0
    CompanyName        : Matsushita Electric Industrial Co., Ltd.
    FileDescription    : CD Burning of Windows XP disabling tool for DVD MULTI Drive
    LegalCopyright     : Copyright © Matsushita Electric Industrial Co., Ltd. 2002
    OriginalFilename   : RAMASST.EXE

#:25 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
    ProcessID          : 2572
    ThreadCreationTime : 11-8-2005 5:28:42 AM
    BasePriority       : Normal
    FileVersion        : 6.2.0.161
    ProductVersion     : VI.Second Edition
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : michael auskings@trafficmp[2].txt
    Category           : Data Miner
    Comment            : Cookie:michael [email protected]/
    Value              : Cookie:michael [email protected]/

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : michael auskings@findwhat[1].txt
    Category           : Data Miner
    Comment            : Cookie:michael [email protected]/
    Value              : Cookie:michael [email protected]/

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : michael auskings@abcsearch[1].txt
    Category           : Data Miner
    Comment            : Cookie:michael [email protected]/
    Value              : Cookie:michael [email protected]/

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : michael auskings@questionmarket[1].txt
    Category           : Data Miner
    Comment            : Cookie:michael [email protected]/
    Value              : Cookie:michael [email protected]/

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 15



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : michael auskings@abcsearch[1].txt
    Category           : Data Miner
    Comment            :
    Value              : C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@abcsearch[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
46 entries scanned.
New critical objects:0
Objects found so far: 16




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16

11:41:17 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:19.110
Objects scanned:125950
Objects identified:5
Objects ignored:0
New critical objects:5
========================


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\d8j02i1mg8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F0327992-AC38-78CF-EAD3-8E962E07E3A6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CC

FriscoMikey
Spyware Problem
« Reply #5 on: November 08, 2005, 01:12:39 AM »
Oops...forgot to post the new HijackThis file...


Logfile of HijackThis v1.99.1
Scan saved at 12:09:30 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Auskings\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\d8j02i1mg8.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Offline guestolo

Spyware Problem
« Reply #6 on: November 08, 2005, 01:51:03 AM »
Can you do the following please

Download the trial version of Spy Sweeper from HERE
Click on the Free trial link

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Please print the rest of these instructions or copy and paste them to notepad for reference

Make sure you are disconnected from the internet.

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer

Back in Windows
Stay disconnected from the Net

Close any open programs running in the background, this step requires another reboot
Run L2MFix again with these instructions

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here

 If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.

Additionally,
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

Spyware Problem
« Reply #7 on: November 08, 2005, 02:39:39 AM »
Results from Spy Sweeper, l2mfix Step 2, and HijackThis

Spy Sweeper:

********
1:08 AM: |       Start of Session, Tuesday, November 08, 2005       |
1:08 AM: Spy Sweeper started
1:08 AM: Sweep initiated using definitions version 569
1:08 AM: Starting Memory Sweep
1:09 AM:   Found Adware: icannnews
1:09 AM:   Detected running threat: C:\WINDOWS\system32\d8j02i1mg8.dll (ID = 83)
1:10 AM:   Detected running threat: C:\WINDOWS\system32\itpromon.dll (ID = 83)
1:10 AM:   Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
1:10 AM: Memory Sweep Complete, Elapsed Time: 00:01:50
1:10 AM: Starting Registry Sweep
1:10 AM:   Found Adware: targetsaver
1:10 AM:   HKU\S-1-5-21-3306207928-2317988759-2504321181-1005\software\tsl2\  (1 subtraces) (ID = 143616)
1:10 AM: Registry Sweep Complete, Elapsed Time:00:00:15
1:10 AM: Starting Cookie Sweep
1:10 AM:   Found Spy Cookie: websponsors cookie
1:10 AM:   michael [email protected][2].txt (ID = 3665)
1:10 AM:   Found Spy Cookie: adecn cookie
1:10 AM:   michael auskings@adecn[2].txt (ID = 2063)
1:10 AM:   Found Spy Cookie: ask cookie
1:10 AM:   michael auskings@ask[1].txt (ID = 2245)
1:10 AM:   Found Spy Cookie: atwola cookie
1:10 AM:   michael auskings@atwola[1].txt (ID = 2255)
1:10 AM:   Found Spy Cookie: belnk cookie
1:10 AM:   michael auskings@belnk[1].txt (ID = 2292)
1:10 AM:   michael [email protected][2].txt (ID = 2293)
1:10 AM:   Found Spy Cookie: howstuffworks cookie
1:10 AM:   michael auskings@howstuffworks[1].txt (ID = 2805)
1:10 AM:   Found Spy Cookie: partypoker cookie
1:10 AM:   michael auskings@partypoker[2].txt (ID = 3111)
1:10 AM:   Found Spy Cookie: servlet cookie
1:10 AM:   michael auskings@servlet[2].txt (ID = 3345)
1:10 AM:   Found Spy Cookie: reliablestats cookie
1:10 AM:   michael [email protected][2].txt (ID = 3254)
1:10 AM:   Found Spy Cookie: yadro cookie
1:10 AM:   michael auskings@yadro[1].txt (ID = 3743)
1:10 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:10 AM: Starting File Sweep
1:12 AM:   113_dollarrevenue_4_0_3_9[1].exe (ID = 166444)
1:12 AM:   tsupdate[1].ini (ID = 112322)
1:13 AM:   glf7glf7.exe (ID = 78276)
1:18 AM:   Found System Monitor: potentially rootkit-masked files
1:18 AM:   bricpiec.sys (ID = 0)
1:18 AM:   dpltofmt.exe (ID = 0)
1:19 AM: File Sweep Complete, Elapsed Time: 00:08:24
1:19 AM: Full Sweep has completed.  Elapsed time 00:10:33
1:19 AM: Traces Found: 21
1:20 AM: Removal process initiated
1:20 AM:   Quarantining All Traces: icannnews
1:20 AM:   icannnews is in use.  It will be removed on reboot.
1:20 AM:     C:\WINDOWS\system32\d8j02i1mg8.dll is in use.  It will be removed on reboot.
1:20 AM:     C:\WINDOWS\system32\itpromon.dll is in use.  It will be removed on reboot.
1:20 AM:     C:\WINDOWS\system32\guard.tmp is in use.  It will be removed on reboot.
1:20 AM:   Quarantining All Traces: potentially rootkit-masked files
1:20 AM:   potentially rootkit-masked files is in use.  It will be removed on reboot.
1:20 AM:     bricpiec.sys is in use.  It will be removed on reboot.
1:20 AM:     dpltofmt.exe is in use.  It will be removed on reboot.
1:20 AM:   Quarantining All Traces: targetsaver
1:20 AM:   Quarantining All Traces: adecn cookie
1:20 AM:   Quarantining All Traces: ask cookie
1:20 AM:   Quarantining All Traces: atwola cookie
1:20 AM:   Quarantining All Traces: belnk cookie
1:20 AM:   Quarantining All Traces: howstuffworks cookie
1:20 AM:   Quarantining All Traces: partypoker cookie
1:20 AM:   Quarantining All Traces: reliablestats cookie
1:20 AM:   Quarantining All Traces: servlet cookie
1:20 AM:   Quarantining All Traces: websponsors cookie
1:20 AM:   Quarantining All Traces: yadro cookie
1:20 AM: Removal process completed.  Elapsed time 00:00:45
********
1:06 AM: |       Start of Session, Tuesday, November 08, 2005       |
1:06 AM: Spy Sweeper started
1:07 AM: Your spyware definitions have been updated.
1:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:08 AM: |       End of Session, Tuesday, November 08, 2005       |
=================================================

l2mfix Step 2:

Setting Directory
C:\
C:\
System Rebooted!
 
Running From:
C:\
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1316 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1672 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\d80m0id1e80.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iyetpp.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\d80m0id1e80.dll  
Successfully Deleted: C:\WINDOWS\system32\d80m0id1e80.dll
deleting: C:\WINDOWS\system32\iyetpp.dll  
Successfully Deleted: C:\WINDOWS\system32\iyetpp.dll
 
 
Zipping up files for submission:
  adding: d80m0id1e80.dll (188 bytes security) (deflated 4%)
  adding: iyetpp.dll (188 bytes security) (deflated 4%)
  adding: clear.reg (188 bytes security) (deflated 37%)
  adding: lo2.txt (188 bytes security) (deflated 61%)
  adding: test.txt (188 bytes security) (deflated 34%)
  adding: test2.txt (188 bytes security) (deflated 17%)
  adding: test3.txt (188 bytes security) (deflated 17%)
  adding: test5.txt (188 bytes security) (deflated 17%)
  adding: xfind.txt (188 bytes security) (deflated 28%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: d80m0id1e80.dll  
deleting local copy: iyetpp.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\d80m0id1e80.dll
C:\WINDOWS\system32\iyetpp.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{231D3B03-BF29-4BEB-8D67-A21C588C7163}"=-
"{16BDB3C4-8D9A-4E3B-B823-69065CD113C2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{231D3B03-BF29-4BEB-8D67-A21C588C7163}]
[-HKEY_CLASSES_ROOT\CLSID\{16BDB3C4-8D9A-4E3B-B823-69065CD113C2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

=================================================

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:04 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: here.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks.
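The Winlogon\Notify export in the l2mfix log above is the key a Look2Me cleanup is really about: every subkey under it names a DLL that winlogon.exe loads at logon, which is why the first HijackThis log in this thread showed an O20 entry for d8j02i1mg8.dll and why L2MFix restores the ACL on that key. As an added example (not from this thread, and not code from L2MFix, HijackThis or Spy Sweeper), here is a small Python parser for such a REGEDIT 5.00 export that decodes the hex(2) DllName values and classifies each notification package as a standard XP package, a third-party one, or a random-looking name. The sample export is constructed from entries in the log plus one made-up RunOnce subkey mirroring the O20 line from the first HijackThis log; the allowlist of XP notify DLLs and the random-name heuristic are my assumptions.

```python
"""Audit a Winlogon\\Notify registry export (.reg, REGEDIT 5.00 format).

Added example for the thread above; not part of L2MFix, HijackThis or
Spy Sweeper. Known-good DLL list and name heuristic are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: two subkeys copied from the l2mfix export in the
# thread plus a made-up "RunOnce" subkey that mirrors the O20 entry from
# the first HijackThis log (the DLL name is the one shown there).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\d8j02i1mg8.dll"
'''

# Notification packages that ship with Windows XP SP2 (assumption, taken
# from the clean export in the thread; adjust for other Windows versions).
KNOWN_XP_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}
NOTIFY_PREFIX = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Winlogon\\Notify\\"
)


def _decode_hex2(payload: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    # regedit wraps long hex values: a trailing backslash continues the line.
    lines: List[str] = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())

    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("hex(2):"):
                keys[current][name] = _decode_hex2(value[len("hex(2):"):])
            elif value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                # .reg doubles backslashes inside quoted strings.
                keys[current][name] = value[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = value
    return keys


def audit_notify_packages(
    keys: Dict[str, Dict[str, object]],
) -> List[Tuple[str, Optional[str], str]]:
    """Classify each Winlogon\\Notify subkey by the DLL it makes winlogon load."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = key[len(NOTIFY_PREFIX):]
        # Registry value names are case-insensitive (DllName vs DLLName).
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings.append((package, None, "no DllName: package loads nothing"))
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".dll") else base
        if base in KNOWN_XP_NOTIFY_DLLS:
            verdict = "standard Windows XP notification package"
        elif stem.isalnum() and sum(c.isdigit() for c in stem) >= 2:
            # Heuristic (assumption): Look2Me-style droppers use random
            # alphanumeric names such as d8j02i1mg8.dll; treat as suspicious.
            verdict = "suspicious: random-looking DLL name"
        else:
            verdict = "third-party: verify publisher and file signature"
        findings.append((package, dll, verdict))
    return findings


if __name__ == "__main__":
    for package, dll, verdict in audit_notify_packages(parse_reg_export(SAMPLE_REG)):
        print(f"{package:<14} {dll or '-':<40} {verdict}")
```

Run it against a real export (regedit's "Export" on the Notify key, or the block L2MFix prints) instead of SAMPLE_REG; anything classified as third-party should be matched to an installed product, as NavLogon (Symantec) and WRNotifier (Webroot) can be in this thread.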

Offline guestolo

Spyware Problem
« Reply #8 on: November 08, 2005, 10:12:39 AM »
Good work. If you didn't manually add this entry to your Hosts file, can you remove it?

Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: here.com

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Open Ewido and check for updates
Run another complete scan

Post back a fresh hijackthis log and the new report from Ewido's

Is your AV working properly?
I don't see any run entries associated with it, is it enabled to run on startup?

Offline FriscoMikey

Spyware Problem
« Reply #9 on: November 08, 2005, 12:36:43 PM »
Should I be in SAFE MODE when I re-run Ewidos?

About the AV, I'm not sure if it was functioning properly yesterday when I was doing the scans. Normally I see a Norton AV icon in the system tray, which I did not see today...I removed, reinstalled, and updated Norton AV and the icon shows in my system tray again.

I'll get the changes/scans done and post them up. My browser doesn't seem to be opening randomly anymore, but I want to make sure it doesn't re-install itself.

Thanks again.

Offline FriscoMikey

Spyware Problem
« Reply #10 on: November 08, 2005, 08:37:45 PM »
bump B)

Offline guestolo

Spyware Problem
« Reply #11 on: November 08, 2005, 09:26:19 PM »
No, you don't need safe mode anymore when running Ewido's

Please post a fresh hijackthis log

Offline FriscoMikey

Spyware Problem
« Reply #12 on: November 10, 2005, 02:56:20 AM »
Ewido Log

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:53:08 AM, 11/10/2005
 + Report-Checksum:      E0A47239

 + Scan result:

   C:\backup.zip/d80m0id1e80.dll -> Spyware.Look2Me : Cleaned with backup
   C:\backup.zip/iyetpp.dll -> Spyware.Look2Me : Cleaned with backup
   :mozilla.9:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.12:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.14:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.22:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.28:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.34:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.35:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.36:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.37:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.45:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.46:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.47:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.53:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.56:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   :mozilla.57:C:\Documents and Settings\Michael Auskings\Application Data\Mozilla\Firefox\Profiles\7r7h6ulr.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Cookies\michael auskings@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Auskings\Local Settings\Temp\Cookies\michael auskings@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup


::Report End
=================================================

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 1:55:09 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128566035106
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

=============================================

Thanks again.
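The HijackThis log above is the format every reply in this thread reasons about, so here is an added example of how to triage one mechanically. This is my own Python script, not HijackThis's code and not anything posted in the thread. It parses the R1/O4/O20/O23 lines into records and flags the ones a helper would look at first; the flagging rules are illustrative heuristics I chose for this post (unknown-owner services, Winlogon Notify DLLs not on an allow-list, autoruns under Temp or Application Data, unexpected start-page hosts, "(file missing)" entries). The embedded sample is constructed: it mixes lines copied from the log above with two invented entries, an "updater" Run value and an "iyetpp" Notify DLL named after one of the Look2Me files in the Ewido report (Look2Me did persist as a Winlogon Notify package, which is why O20 gets a flag here).

```python
"""Triage a HijackThis 1.99-style log. Added example, not HijackThis's code;
the flagging rules are illustrative heuristics, not the tool's own."""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
EXT_RE = re.compile(r"\.(exe|dll|com|scr|lnk)\b", re.I)
USERLAND_RE = re.compile(r"\\temp\\|\\application data\\", re.I)


@dataclass
class Entry:
    code: str        # section code: "R1", "O4", "O20", "O23", ...
    raw: str         # the full log line
    name: str = ""   # Run value name / Notify package / service name
    path: str = ""   # command line, DLL or URL as printed
    owner: str = ""  # O23 only: vendor string or "Unknown owner"


def exe_of(cmd: str) -> str:
    """Executable path from a Run command line: honour quotes, otherwise
    cut at the first .exe/.dll so unquoted paths with spaces survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def parse_log(text: str) -> list:
    """Rn/On lines become Entry objects; banner and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        e = Entry(code=code, raw=line.strip())
        if code == "O4":  # 'HKLM\..\Run: [Name] cmd' or 'Global Startup: x.lnk = path'
            _, _, rest = body.partition(": ")
            if rest.startswith("["):
                e.name, _, e.path = rest[1:].partition("] ")
            else:
                e.name, _, e.path = rest.partition(" = ")
        elif code == "O20":  # 'Winlogon Notify: Name - C:\...\x.dll'
            _, _, rest = body.partition(": ")
            e.name, _, e.path = rest.partition(" - ")
        elif code == "O23":  # 'Service: Display (Short) - Vendor - C:\...\svc.exe'
            _, _, rest = body.partition(": ")
            head, _, e.path = rest.rpartition(" - ")
            e.name, _, e.owner = head.partition(" - ")
        elif code in ("R0", "R1"):  # 'HKLM\...\Main,Default_Page_URL = http://host'
            e.name, _, e.path = body.partition(" = ")
        entries.append(e)
    return entries


def triage(entries, expected_hosts=("www.toshiba.com",), known_notify=()):
    """Return (raw line, reason) pairs for entries a human should check."""
    notify_ok = {n.lower() for n in known_notify}
    flags = []
    for e in entries:
        exe = exe_of(e.path)
        if "(file missing)" in e.raw:
            flags.append((e.raw, "target file is gone; dead entry, remove it"))
        elif e.code in ("R0", "R1"):
            host = urlparse(e.path).hostname or ""
            if host not in expected_hosts:
                flags.append((e.raw, f"start/search page host {host!r} is not one you set"))
        elif e.code == "O4" and USERLAND_RE.search(exe):
            flags.append((e.raw, "autorun from Temp/Application Data; real software rarely lives there"))
        elif e.code == "O20" and ntpath.basename(exe).lower() not in notify_ok:
            flags.append((e.raw, "Winlogon Notify DLL loads into winlogon.exe at logon; Look2Me used this slot"))
        elif e.code == "O23" and e.owner == "Unknown owner":
            flags.append((e.raw, "service binary has no vendor string; confirm where it came from"))
    return flags


# Constructed sample: lines copied from the log above plus two invented
# entries, the 'updater' Run value and an 'iyetpp' Notify DLL (named after
# one of the Look2Me files Ewido found in C:\backup.zip).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: iyetpp - C:\WINDOWS\system32\iyetpp.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for raw, why in triage(parse_log(SAMPLE_LOG), known_notify=("NavLogon.dll",)):
        print(f"{raw}\n    -> {why}")
```

Run it against a saved log with `parse_log(open("hijackthis.log").read())`; pass the Notify DLLs you have already verified (NavLogon.dll and WRLogonNTF.dll in the log above) via `known_notify` so only unknown ones are flagged. Note that "Unknown owner" on the ACS service is a missing vendor string, not proof of anything; the Atheros service in this log is legitimate, and the flag only says "go check".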

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Spyware Problem
« Reply #13 on: November 12, 2005, 12:18:19 PM »
Sorry for the delay

Looks good

Some final cleanup
If everything is running better, please do the following
You should disable System Restore >> reboot >> and then re-enable it.
This will clear all your restore points and ensure you don't restore any nasties.
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks:
SpywareBlaster 3.4 by JavaCool
*Blocks bad ActiveX controls
*Blocks malevolent cookies in Internet Explorer and Firefox
*Restricts actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection".

IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link:
Tutorial: Link to Tutorial
Download link

With both, check for updates every couple of weeks.
Keep the link to IE-SPYAD bookmarked so you can check for updates.
For SpywareBlaster, after every update just click "Enable all protection" again.
IE-SPYAD is compatible with SP2 as well.

Hold onto SpySweeper for the duration of the trial period if you don't plan on purchasing it.
Afterwards, right-click its icon by the system tray clock, shut it down and then uninstall it.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

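Both tools recommended in the reply above work by writing ordinary registry entries, so here is an added example (my own script, not SpywareBlaster's or IE-SPYAD's code) that generates an equivalent .reg file: Restricted Sites zone entries under ZoneMap\Domains, which is what IE-SPYAD's .reg populates, and ActiveX kill bits under ActiveX Compatibility, which is what SpywareBlaster sets. The domains and the CLSID in the demo are constructed placeholders. The script assumes the registrable domain is the last two labels of a hostname, which is wrong for names like example.co.uk; a public-suffix list would be needed for those.

```python
"""Generate a .reg file with IE Restricted-zone entries and ActiveX kill bits.

Added example; not code from SpywareBlaster, IE-SPYAD or the thread.
Registry locations are Internet Explorer's documented ones:
  * Restricted Sites zone: ZoneMap\Domains\<domain>[\<sub>]  "*"=dword:4
  * ActiveX kill bit: ActiveX Compatibility\{CLSID}  "Compatibility Flags"=dword:400
Assumption: registrable domain = last two labels (breaks on example.co.uk).
"""
import re

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONE_RESTRICTED = 4   # IE zone id 4 = Restricted sites
KILL_BIT = 0x400      # Compatibility Flags bit that stops IE loading the control

DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def zonemap_key(domain: str) -> str:
    """'www.tracker.example' -> ...\Domains\tracker.example\www (IE's layout)."""
    d = domain.strip().strip(".").lower()
    if not DOMAIN_RE.match(d):
        raise ValueError(f"not a valid hostname: {domain!r}")
    labels = d.split(".")
    key = f"{ZONEMAP}\\{'.'.join(labels[-2:])}"
    if len(labels) > 2:
        key += f"\\{'.'.join(labels[:-2])}"   # subdomain part becomes a subkey
    return key


def dword(value: int) -> str:
    return f"dword:{value:08x}"


def restricted_zone_entries(domains) -> list:
    """One [key] block per domain; value name '*' covers every scheme."""
    blocks = []
    for d in dict.fromkeys(domains):          # dedupe, keep order
        blocks.append(f"[{zonemap_key(d)}]\n\"*\"={dword(ZONE_RESTRICTED)}")
    return blocks


def kill_bit_entries(clsids) -> list:
    """One [key] block per control CLSID, with the kill bit set."""
    blocks = []
    for c in dict.fromkeys(clsids):
        c = c.strip().upper()
        if not CLSID_RE.match(c):
            raise ValueError(f"not a CLSID: {c!r}")
        blocks.append(f"[{AX_COMPAT}\\{c}]\n\"Compatibility Flags\"={dword(KILL_BIT)}")
    return blocks


def build_reg(domains, clsids) -> str:
    """Full regedit 5.00 file text (LF line ends; write_reg converts to CRLF)."""
    body = restricted_zone_entries(domains) + kill_bit_entries(clsids)
    return "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(body) + "\n"


def write_reg(path: str, text: str) -> None:
    """regedit wants CRLF; UTF-16 with BOM is the native 5.00 encoding."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed demo inputs: not real tracker domains, not a real control.
    print(build_reg(["Www.tracker.example.", "ads.example"],
                    ["{01234567-89ab-cdef-0123-456789abcdef}"]))
```

Import the generated file with regedit on the affected machine. The ZoneMap keys live under HKCU, so they protect only the profile that imports them; the kill bit is machine-wide and needs an administrator. Setting a kill bit does not remove the control, it only stops IE from instantiating it, which is exactly the protection SpywareBlaster offers.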

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Spyware Problem
« Reply #14 on: November 19, 2005, 01:36:46 AM »
Problems appear resolved
I'll lock this topic
