win32/Apropos.B - Spyware.Apropos.C - Trojan.Win32.Crypt.t

My computer keeps crashing. Microsoft says I have win32/Apropos.B - Spyware.Apropos.C - Trojan.Win32.Crypt.t . I tried Spybot SD but it did not help. this thing is really driving crazy please help.
Logfile of HijackThis v1.99.1
Scan saved at 5:50:38 PM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\EPOAgent\naimag32.exe
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ucla.edu/cgi/proxy/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [docobj] C:\WINDOWS\System32\docobj.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_1] "C:\Documents and Settings\Ryan Cabauatan\198_150_ni_1.exe"
O4 - HKCU\..\Run: [mmdrv] "C:\WINDOWS\system32\mmdrv.exe"
O4 - HKCU\..\Run: [mpr] "C:\WINDOWS\system32\mpr.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\system32\comuid.exe"
O4 - HKCU\..\Run: [avtapi] "C:\WINDOWS\system32\avtapi.exe"
O4 - HKCU\..\Run: [hticons] "C:\WINDOWS\system32\hticons.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/01323c6d37ff11396505/netzip/RdxIE2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://mu.resnet.ucla.edu/vs/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F703D8B-54F4-4240-8A22-C55DEB35EF38}: NameServer = 164.67.128.1 164.67.128.2
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Program Files\Protector Plus\PPServ.exe

 

Hi Naomi22, you got a nice collection of infections...

We'll start the cleaning with this:

Please download AproposFix from here -> http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, reboot back into normal mode.

Go to here -> http://www.virustotal.com
-> Press Browse
-> Navigate to this file: C:\WINDOWS\system32\mpr.exe
-> Press Ok
-> Press Send
-> Wait for the scan results
-> Copy the results to a text file

Do the same procedure as above with these two files:
C:\WINDOWS\system32\comuid.exe
C:\WINDOWS\system32\hticons.exe

Post the following logs to here and we'll continue the cleaning:
-> a new HijackThis log
-> entire contents of the log.txt file in the aproposfix folder.
-> results from the virustotal scans

 

hello, thanks for the reply. here's the results from virustotal scans.

STATUS: FINISHEDComplete scanning result of "mpr.exe", received in VirusTotal at 05.29.2006, 10:03:37 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.34 05.29.2006 TR/Dldr.Agent.am.3
Authentium 4.93.8 05.28.2006 W32/Downloader.SUE
Avast 4.6.695.0 05.26.2006 Win32:Trojano-2773
AVG 386 05.28.2006 Downloader.Agent.BIT
BitDefender 7.2 05.29.2006 Trojan.Downloader.Agent.AM
CAT-QuickHeal 8.00 05.27.2006 no virus found
ClamAV devel-20060426 05.29.2006 Trojan.Downloader.Agent-266
DrWeb 4.33 05.29.2006 Trojan.DownLoader.6301
eTrust-InoculateIT 23.72.20 05.28.2006 Win32/SillyDl.98586!Trojan
eTrust-Vet 12.6.2232 05.29.2006 Win32/SillyDl.ACN
Ewido 3.5 05.28.2006 Downloader.Agent.am
Fortinet 2.77.0.0 05.29.2006 W32/Dloader.JU!tr
F-Prot 3.16c 05.28.2006 security risk named W32/Downloader.SUE
Ikarus 0.2.65.0 05.28.2006 no virus found
Kaspersky 4.0.2.24 05.29.2006 Trojan-Downloader.Win32.Agent.am
McAfee 4771 05.26.2006 Downloader-JU
Microsoft 1.1441 05.29.2006 no virus found
NOD32v2 1.1563 05.28.2006 a variant of Win32/TrojanDownloader.Agent.AM
Norman 5.90.17 05.26.2006 W32/DLoader.QZY
Panda 9.0.0.4 05.28.2006 Suspicious file
Sophos 4.05.0 05.28.2006 no virus found
Symantec 8.0 05.29.2006 no virus found
TheHacker 5.9.8.149 05.26.2006 Trojan/Downloader.Agent.am
UNA 1.83 05.26.2006 TrojanDownloader.Win32.Agent
VBA32 3.11.0 05.28.2006 Trojan-Downloader.Win32.Agent.am


Aditional Information
File size: 98585 bytes
MD5: ea171d2cb384617e1b1c62d1ad9b70a0
SHA1: 9f0bc8c129b6f8b58cd15eedc9acce65f7d8b409



STATUS: FINISHEDComplete scanning result of "comuid.exe", received in VirusTotal at 05.29.2006, 10:22:26 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.34 05.29.2006 TR/Dldr.Agent.am.3
Authentium 4.93.8 05.28.2006 no virus found
Avast 4.6.695.0 05.26.2006 Win32:Trojano-2773
AVG 386 05.28.2006 Generic.QYG
BitDefender 7.2 05.29.2006 no virus found
CAT-QuickHeal 8.00 05.27.2006 no virus found
ClamAV devel-20060426 05.29.2006 no virus found
DrWeb 4.33 05.29.2006 Trojan.DownLoader.8073
eTrust-InoculateIT 23.72.20 05.28.2006 Win32/SillyDl.ANI!Trojan
eTrust-Vet 12.6.2232 05.29.2006 Win32/SillyDl.ANI
Ewido 3.5 05.28.2006 Downloader.Small
Fortinet 2.77.0.0 05.29.2006 W32/Agent.AM!tr.dldr
F-Prot 3.16c 05.28.2006 no virus found
Ikarus 0.2.65.0 05.28.2006 no virus found
Kaspersky 4.0.2.24 05.29.2006 Trojan-Downloader.Win32.Agent.am
McAfee 4771 05.26.2006 no virus found
Microsoft 1.1441 05.29.2006 no virus found
NOD32v2 1.1563 05.28.2006 Win32/TrojanDownloader.Agent.AM
Norman 5.90.17 05.26.2006 W32/Agent.ZZG
Panda 9.0.0.4 05.28.2006 Suspicious file
Sophos 4.05.0 05.28.2006 no virus found
Symantec 8.0 05.29.2006 Download.Trojan
TheHacker 5.9.8.149 05.26.2006 no virus found
UNA 1.83 05.26.2006 TrojanDownloader.Win32.Agent
VBA32 3.11.0 05.28.2006 Trojan.Win32.TrojanDownloader.Agent.AM


Aditional Information
File size: 99097 bytes
MD5: e9c6b519770488cc2153ae5b9130bdfb
SHA1: 91836b87b6d7abdfc4e9ea80f13eab40e1693820


STATUS: FINISHEDComplete scanning result of "hticons.exe", received in VirusTotal at 05.29.2006, 10:26:24 (CET).

Antivirus Version Update Result
AntiVir 6.34.1.34 05.29.2006 TR/Dldr.Agent.am.3
Authentium 4.93.8 05.28.2006 no virus found
Avast 4.6.695.0 05.26.2006 Win32:Trojano-2773
AVG 386 05.28.2006 Generic.QYG
BitDefender 7.2 05.29.2006 no virus found
CAT-QuickHeal 8.00 05.27.2006 no virus found
ClamAV devel-20060426 05.29.2006 no virus found
DrWeb 4.33 05.29.2006 Trojan.DownLoader.8073
eTrust-InoculateIT 23.72.20 05.28.2006 Win32/SillyDl.ANI!Trojan
eTrust-Vet 12.6.2232 05.29.2006 Win32/SillyDl.ANI
Ewido 3.5 05.28.2006 Downloader.Small
Fortinet 2.77.0.0 05.29.2006 W32/Agent.AM!tr.dldr
F-Prot 3.16c 05.28.2006 no virus found
Ikarus 0.2.65.0 05.28.2006 no virus found
Kaspersky 4.0.2.24 05.29.2006 Trojan-Downloader.Win32.Agent.am
McAfee 4771 05.26.2006 no virus found
Microsoft 1.1441 05.29.2006 no virus found
NOD32v2 1.1563 05.28.2006 Win32/TrojanDownloader.Agent.AM
Norman 5.90.17 05.26.2006 W32/Agent.ZZG
Panda 9.0.0.4 05.28.2006 Suspicious file
Sophos 4.05.0 05.28.2006 no virus found
Symantec 8.0 05.29.2006 Download.Trojan
TheHacker 5.9.8.149 05.26.2006 no virus found
UNA 1.83 05.26.2006 TrojanDownloader.Win32.Agent
VBA32 3.11.0 05.28.2006 Trojan.Win32.TrojanDownloader.Agent.AM


Aditional Information
File size: 99097 bytes

 

here are the new hijack log and log txt in the aproposfix folder. thank you for taking the time to help me. i really appreciate this

Logfile of HijackThis v1.99.1
Scan saved at 3:31:55 AM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\EPOAgent\naimag32.exe
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ucla.edu/cgi/proxy/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [docobj] C:\WINDOWS\System32\docobj.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_1] "C:\Documents and Settings\Ryan Cabauatan\198_150_ni_1.exe"
O4 - HKCU\..\Run: [mmdrv] "C:\WINDOWS\system32\mmdrv.exe"
O4 - HKCU\..\Run: [mpr] "C:\WINDOWS\system32\mpr.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\system32\comuid.exe"
O4 - HKCU\..\Run: [avtapi] "C:\WINDOWS\system32\avtapi.exe"
O4 - HKCU\..\Run: [hticons] "C:\WINDOWS\system32\hticons.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/01323c6d37ff11396505/netzip/RdxIE2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://mu.resnet.ucla.edu/vs/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F703D8B-54F4-4240-8A22-C55DEB35EF38}: NameServer = 164.67.128.1 164.67.128.2
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Program Files\Protector Plus\PPServ.exe


Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Ryan Cabauatan\Desktop\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CuPRFAE7IV2D]
"Device"="\\\\.\\mnmltra"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\gamlmnt5.sys"
"DriverName"="WanACPI"
"UninstallerPath"="C:\\WINDOWS\\system32\\vfpjet32.exe"
"HDll"="C:\\WINDOWS\\system32\\nmmvga.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.ANT2"
"InstallationId"="{X40e5f8b-2f0c-26f5-2f2b-c112df8f640a}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Crelayer\\pinkbdpl.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\keybdkyr.exe"
"Version"="2.0.131"
"HideUninstallerName"="C:\\Program Files\\Crelayer\\txfcp32r.exe"
@="sw5WYleIJJIJJKJ4543B9wIJJIYLJsejZksoJAGAB 4POJz90D 9AJ.w4345BRKAGA"
--
[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


************

Removing hidden service:
Service WanACPI removed.

Removing hidden folder:
Deletion of folder Crelayer succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\gamlmnt5.sys succeeded!
Deletion of file C:\WINDOWS\system32\keybdkyr.exe succeeded!
Deletion of file C:\WINDOWS\system32\nmmvga.dll succeeded!
Deletion of file C:\WINDOWS\system32\vfpjet32.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CuPRFAE7IV2D]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CuPRFAE7IV2D]
[-HKEY_LOCAL_MACHINE\Software\Aprps]

Done!

Finished!

 

Ok lets get the rest of the dirt cleaned....

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Cleaning instructions:

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKCU\..\Run: [docobj] C:\WINDOWS\System32\docobj.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_1] "C:\Documents and Settings\Ryan Cabauatan\198_150_ni_1.exe"
O4 - HKCU\..\Run: [mmdrv] "C:\WINDOWS\system32\mmdrv.exe"
O4 - HKCU\..\Run: [mpr] "C:\WINDOWS\system32\mpr.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\system32\comuid.exe"
O4 - HKCU\..\Run: [avtapi] "C:\WINDOWS\system32\avtapi.exe"
O4 - HKCU\..\Run: [hticons] "C:\WINDOWS\system32\hticons.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/01323c6d37ff11396505/netzip/RdxIE2.cab

Fix also these two if you haven't blocked access to Internet Explorer settings:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these files (if found):
C:\WINDOWS\System32\docobj.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\WINDOWS\System32\197_150_ni_4.exe
C:\Documents and Settings\Ryan Cabauatan\198_150_ni_1.exe
C:\WINDOWS\system32\mmdrv.exe
C:\WINDOWS\system32\mpr.exe
C:\WINDOWS\system32\comuid.exe
C:\WINDOWS\system32\avtapi.exe
C:\WINDOWS\system32\hticons.exe

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin and make your hidden files visible again.

Restart your computer normally.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log

 

i did everything that u told me to do.

Logfile of HijackThis v1.99.1
Scan saved at 4:11:04 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://mu.resnet.ucla.edu/vs/isetup.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Program Files\Protector Plus\PPServ.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:49:34 PM, 5/29/2006
+ Report-Checksum: EDB2DFFB

+ Scan result:

HKLM\SOFTWARE\Classes\XTSearch.XTSearchHook -> Adware.SearchSquire : Cleaned with backup
HKLM\SOFTWARE\Classes\XTSearch.XTSearchHook\CLSID -> Adware.SearchSquire : Cleaned with backup
HKLM\SOFTWARE\Classes\XTSearch.XTSearchHook\CurVer -> Adware.SearchSquire : Cleaned with backup
HKLM\SOFTWARE\Classes\XTSearch.XTSearchHook.1 -> Adware.SearchSquire : Cleaned with backup
HKLM\SOFTWARE\Classes\XTSearch.XTSearchHook.1\CLSID -> Adware.Xupiter : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Browser -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Faceplate -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\History -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\History\Log -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Presets -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Registration -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Resources -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\Stations -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\StationSelection -> Adware.HiWire : Cleaned with backup
HKU\S-1-5-21-3238835185-2251066324-2621537104-1006\Software\Hiwire\MusicMatch\WebUpdate -> Adware.HiWire : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4QVVQKBO\198_150_i_1[1].abc -> Downloader.Agent.wd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4QVVQKBO\198_150_i_1[2].abc -> Downloader.Agent.wd : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@planetout.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Cookies\ryan cabauatan@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\Local Settings\Temp\Cookies\ryan cabauatan@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ryan Cabauatan\xPYTLYWCUHH.exe -> Downloader.Agent.am : Cleaned with backup
C:\RECYCLER\S-1-5-21-3238835185-2251066324-2621537104-1006\Dc1.exe -> Downloader.Small : Cleaned with backup
C:\RECYCLER\S-1-5-21-3238835185-2251066324-2621537104-1006\Dc2.exe -> Downloader.Small : Cleaned with backup
C:\RECYCLER\S-1-5-21-3238835185-2251066324-2621537104-1006\Dc3.exe -> Downloader.Agent.am : Cleaned with backup
C:\RECYCLER\S-1-5-21-3238835185-2251066324-2621537104-1006\Dc4.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP419\A0225467.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\198_150_ni_1.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\comuid.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\moricons.exe -> Downloader.Reqlook.b : Cleaned with backup


::Report End

 

Hi Naomi22, you're looking clean

You didn't restart your computer between installing the Kerio Firewall and taking the HjT log, rigth? (it is just that I can see only one service from Kerio running, but it is ok if just installed it)

Do you have any other problems?

Now that you're clean, here are some tips how to stay clean.

-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

-> Use CCleaner -> http://www.ccleaner.com
Download and install CCleaner. Clean your registry and temporary files with it regularly.

-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
Download and install Ad-Aware. Update it and scan your computer regularly with it.

-> Use Ewido -> http://www.ewido.net/en
Download and install Ewido. Update it and scan your computer regularly with it.

-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster will prevent spyware from being installed to your computer.

-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
This prevents your computer from connecting to harmful sites.

-> Change your browser to Firefox -> http://www.mozilla.org
Firefox is faster, safer and quicker browser than Internet Explorer.

-> Keep your systen up-to-date -> http://windowsupdate.microsoft.com
Visit Windows Update regularly.

-> Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
So how did I get infected in the first place?

Stay clean

 

Thank you very much for all your help. You are a genius. I could not have done it without you. Again thanks

 

You're welcome