1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hijacked! Compstuic and more! HELP!!

Discussion in 'Windows - Virus and spyware problems' started by stang67, Jun 29, 2006.

  1. stang67

    stang67 Member

    Joined:
    Jun 29, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Please help me fix what my daughter did to our computer! Here is my Hijack file.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:13:55 PM, on 6/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp center UI.lnk.disabled
    O4 - Global Startup: hp center.lnk.disabled
    O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll C:\WINDOWS\system32\nopdb.dll
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g2065296.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     
  2. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Hi stang67

    Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/

    -> Open Ewido Anti-Spyware
    -> Click the Update icon at the top of the window
    -> Click the Start update button
    -> Wait for the update to download and install
    -> Quit the program, we'll use this later.

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\system32\nopdb.dll
    C:\WINDOWS\g2065296.dll
    C:\WINDOWS\SYSTEM32\winzzc32.dll

    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.

    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe form here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

    Scan hijack and check:

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http...
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll C:\WINDOWS\system32\nopdb.dll
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g2065296.dll
    O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll

    Close all programs exept hijack and click Fix checked.

    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    -> Open Ewido Anti-Spyware
    -> Click the Scanner icon at the top of the window
    -> Click the Settings tab then select Recommended Options and choose Quarantine
    -> Click the Scan tab
    -> Select Complete System Scan. The scanning begins.
    -> When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop.
    -> Copy and paste the scan results into your next post
     
  3. stang67

    stang67 Member

    Joined:
    Jun 29, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Did what you asked and here is the ewido and new HJT reports.

    ewido:
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------
    + Created at: 9:36:53 PM 6/30/2006
    + Scan result:

    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : No action taken.
    C:\Program Files\F�nts\nslookup.exe -> Adware.PurityScan : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007742.dll -> Adware.PurityScan : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007743.dll -> Adware.PurityScan : No action taken.
    C:\WINDOWS\SYSTEM32\hgghecy.dll -> Adware.Virtumonde : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0002264.exe -> Dialer.Intexdial : No action taken.
    C:\!KillBox\g2065296.dll -> Downloader.Delf.amb : No action taken.
    C:\!KillBox\g2065296.dll( 1) -> Downloader.Delf.amb : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007754.dll -> Downloader.Delf.amb : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007755.dll -> Downloader.Delf.amb : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007756.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g1013718.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g1298968.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g172093.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g1730000.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g1830203.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g2198078.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g2669843.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g284390.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g3171218.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g3991859.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g407093.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g407515.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g411640.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g529625.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g530187.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g530203.dll -> Downloader.Delf.amb : No action taken.
    C:\WINDOWS\g888468.dll -> Downloader.Delf.amb : No action taken.
    C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP5\A0002182.exe -> Downloader.PurityScan.cq : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007731.exe -> Downloader.Zlob.vd : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.2o7 : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq504.tmp -> TrackingCookie.2o7 : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Adserver : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> TrackingCookie.Adserver : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Advertising : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Advertising : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Advertising : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Advertising : No action taken.
    :mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s7vyuvsf.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Atdmt : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp -> TrackingCookie.Atdmt : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Bfast : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Bfast : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Bluestreak : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Bridgetrack : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> TrackingCookie.Bridgetrack : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Burstnet : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Casalemedia : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Casalemedia : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Centrport : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Centrport : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> TrackingCookie.Clickbank : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Com : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq773.tmp -> TrackingCookie.Com : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Coremetrics : No action taken.
    :mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s7vyuvsf.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Doubleclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.Doubleclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> TrackingCookie.Falkag : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Falkag : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Fastclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> TrackingCookie.Fastclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Hitbox : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> TrackingCookie.Hitbox : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> TrackingCookie.Hitbox : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp -> TrackingCookie.Hypertracker : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Mediaplex : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Mediaplex : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Questionmarket : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp -> TrackingCookie.Questionmarket : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> TrackingCookie.Realtracker : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq255.tmp -> TrackingCookie.Ru4 : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Ru4 : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Serving-sys : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> TrackingCookie.Serving-sys : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> TrackingCookie.Serving-sys : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Serving-sys : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Sextracker : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> TrackingCookie.Sextracker : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Statcounter : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> TrackingCookie.Trafficmp : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Tribalfusion : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> TrackingCookie.Tribalfusion : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Valueclick : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq774.tmp -> TrackingCookie.Webtrendslive : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq258.tmp -> TrackingCookie.Zedo : No action taken.
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp -> TrackingCookie.Zedo : No action taken.
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007751.dll -> Trojan.Agent.vg : No action taken.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SHIV8LYZ\bgates[1].exe -> Trojan.Dialer.pz : No action taken.

    ::Report end

    And HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:23 PM, on 6/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp center UI.lnk.disabled
    O4 - Global Startup: hp center.lnk.disabled
    O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    Thanks for the help so far!!!
     
  4. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Sorry to say, as you see ewido didn't delete anything :(

    Do scan by ewido again, and allow Ewido do recommended option .

    Send Ewido raport and a fresh hijack log
     
  5. stang67

    stang67 Member

    Joined:
    Jun 29, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    It seemed to do more this time. Here are the logs.

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 5:35:29 PM 7/1/2006

    + Scan result:



    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
    C:\Program Files\Fоnts\nslookup.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007742.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007743.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\hgghecy.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0002264.exe -> Dialer.Intexdial : Cleaned with backup (quarantined).
    C:\!KillBox\g2065296.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\!KillBox\g2065296.dll( 1) -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007754.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007755.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007756.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1013718.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1298968.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g172093.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1730000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1830203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g2198078.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g2669843.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g284390.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g3171218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g3991859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g407093.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g407515.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g411640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g529625.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g530187.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g530203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g888468.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP5\A0002182.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007731.exe -> Downloader.Zlob.vd : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq504.tmp -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq773.tmp -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp -> TrackingCookie.Hypertracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq255.tmp -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq774.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq258.tmp -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007751.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).


    ::Report end


    And the HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:10 PM, on 7/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp center UI.lnk.disabled
    O4 - Global Startup: hp center.lnk.disabled
    O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    Thanks!
     
  6. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Hi stang67,

    Looks fine :)
     
  7. stang67

    stang67 Member

    Joined:
    Jun 29, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Thanks! Just to be sure, the last time I ran ewido I wasn't in safe mode, should I redo it in safe mode?

    Thanks
     
  8. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Yes, run Ewido in safe mode, then it can clean all founded lurks.
     

Share This Page