
788

June 8th, 2006 23:00

warning! spyware operation

Logfile of HijackThis v1.99.1
Scan saved at 7:36:26 PM, on 6/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TitanShield Antispyware\titanshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\users32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www106.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114582040064
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4729/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 

3.3K Posts

June 9th, 2006 05:00

Make sure you can view all files:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Close every application you have open before continuing.

Next:
Open a command prompt. Click start-->run and type CMD in the run box. When the Command Prompt opens, type or copy and paste the following:

ren taskir.dll delthis.dll

then hit your enter key. After the file has been successfully renamed, please do the following:

Right click on the task bar at the bottom of the screen and select Task Manager. When Task Manager opens, click the "Processes" tab and locate explorer.exe in the list under "Image Name". Highlight it then click the End Process button at the bottom. The Desktop background will seem to disappear. Next, in Task Manager, click "File" and select "New Task". Type explorer and click "OK". Now, in the list of Processes, locate each instance of taskdir.dll. Highlight each one (if more than one) and click the "End Process" button at the bottom.

Next, click start-->search
When the search window opens, click the "All files and folders" link from the left pane.
Then, enter taskir.dll in the "all or part of the file name" box at the top. Scroll down to the "Look in" box and click the drop down arrow. Select your Local Hard Drive. Scroll down a bit more and click the "More advanced options". Make sure these three are checked:
Search system folders
Search hidden files and folders
Search subfolders


Then click the Search button at the bottom. Delete every instance of the file found.

Next, search again, but this time search for the file delthis.dll and delete it.

Reboot the computer and post back a new HijackThis log. We have lots of work to do. Thanks!

June 10th, 2006 00:00

ren taskir.dll delthis.dll not found
tried searching for delthis.dll and windows keeps shutting down.
I rebooted and here is the new log file.
Thanks
 
 
Logfile of HijackThis v1.99.1
Scan saved at 9:21:47 PM, on 6/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TitanShield Antispyware\titanshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www106.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114582040064
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4729/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 

3.3K Posts

June 10th, 2006 01:00

Download F-Secure BlackLight Beta.
Scroll down to click the I Accept button. Double click the "blbeta.exe" and tick the I accept the agreement option. Click "Next" then click "Scan".

If the scan finds Hidden items, please read this.

When the scan has completed, it will place a log in the folder where you downloaded the software. The log will have a name that looks something like this: fsbl-20060610014753.log

Please copy and paste the contents of that log here in your next reply. Thanks!

June 10th, 2006 17:00

06/10/06 14:39:47 [Info]: BlackLight Engine 1.0.37 initialized
06/10/06 14:39:47 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/10/06 14:39:53 [Note]: 7019 4
06/10/06 14:39:53 [Note]: 7005 0
06/10/06 14:40:00 [Note]: 7006 0
06/10/06 14:40:00 [Note]: 7011 1560
06/10/06 14:40:01 [Note]: 7026 0
06/10/06 14:40:01 [Note]: 7026 0
06/10/06 14:40:16 [Note]: FSRAW library version 1.7.1015
06/10/06 14:58:46 [Note]: 7007 0

3.3K Posts

June 11th, 2006 01:00

Your Blacklight scan log looks fine. I'm puzzled.

See this entry in your HijackThis log:
C:\WINDOWS\System32\taskdir.exe

Of all the problems in your log, I consider this one the priority.

It is a trojan that uses rootkit type stealth. However, your Blacklight scan log did not indicate that any of the associated files (that should be present) were found.

Before we go further, right click the task bar and select "Task Manager". When Task Manager opens, click the "Processes" tab. Locate the entry taskdir.exe and highlight it. Click "End Process" at the bottom. Answer yes to the warning box and see if it terminates. If it does, run Blacklight Beta again and post back that log.
Thanks!

June 11th, 2006 02:00

06/10/06 23:19:14 [Info]: BlackLight Engine 1.0.37 initialized
06/10/06 23:19:14 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/10/06 23:19:14 [Note]: 7019 4
06/10/06 23:19:14 [Note]: 7005 0
06/10/06 23:19:17 [Note]: 7006 0
06/10/06 23:19:17 [Note]: 7011 908
06/10/06 23:19:17 [Note]: 7026 0
06/10/06 23:19:17 [Note]: 7026 0
06/10/06 23:19:28 [Note]: FSRAW library version 1.7.1015
06/10/06 23:23:10 [Note]: 7007 0
 
I forgot to mention that my home page automatically goes to about:blank

Message Edited by Ithinkimstupid on 06-10-2006 10:28 PM

3.3K Posts

June 11th, 2006 04:00

Your version of Java is out of date.
Click start-->control panel-->add/remove programs. Scroll down the list and locate each instance of Java and click Remove.

While you're there, uninstall this too:
TitanShield Antispyware (This is a rogue antispyware application)

When finished uninstalling, please reboot the computer.

We'll download the latest version when we get you all cleaned up.

First, let's tighten up the security a bit.
Please select and install One of these free antivirus applications:
AVG Free for Windows
AntiVir Personal Edition Classic
Avast! 4 Home Edition
After successful installation, update the application. Do Not Scan With It Yet! Just run the update, then close the application. Please reboot the computer.

Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio

When the installation completes successfully, reboot the computer.

Download KILLBOX, extract it to your desktop. Do nothing with it yet.

Please download Ewido Security suite.

After download, double click on the file to launch the install process.
During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido by double-clicking the "e" icon on your desktop.
The program will prompt you to update - click the "OK" button.
On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed.

After the updates are installed, you will see "Update Successful" in the lower left corner.

Once the updates are installed do the following:
Click on "Scanner" and choose "Settings".
Under the bottom section "What to Scan?" make sure "Scan every file" is selected.
Select "OK" and you will return to scanning options.

Boot the computer into safe mode.
Once in safe mode, continue with the instructions below:

On the main screen click on "Complete System Scan" to start the scan.
While the scan is in progress, you will be prompted to clean the first infected file it finds. Put a check next to "Perform action on all infections" in the lower left corner.
Then choose "Clean" and click "OK".

When the scan has completed, Ewido will create a report.txt file.
Click the "Save Report" button on the bottom of the screen and save the log to your desktop.
Exit Ewido when done.

Run a complete system scan using your on board antivirus scanner. Use the software to remove whatever it finds. When finished, close the application.

Open killbox.exe.

First click on Tools>Delete Temp Files.
A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".

Once back into the main killbox program, check the box:

Delete on Reboot

Highlight all the entries in Bold text below and then Copy them.

C:\WINDOWS\System32\users32.exe
C:\WINDOWS\System32\susp.exe
C:\WINDOWS\System32\runsrv32.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\TitanShield Antispyware\titanshield.exe

Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.
Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? you will need to click No for now.
Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.

Please run Hijackthis again and put a check in the box next to these entries that may still exist:
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: C:\WINDOWS\System32\taskdir.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www106.coolsavings.com/download/cscmv5X.cab


Close all windows except for HijackThis then click Fix Checked.

Using Windows Explorer, locate and delete the following folder indicated in Bold text:
C:\Program Files\TitanShield Antispyware\titanshield.exe
Reboot normally.

Post back a new HijackThis log along with the log from the Ewido scan.
Please advise how the computer is now behaving and if you are still having any other issues. Thanks!
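As an added example, not code from this thread or from HijackThis, here is a small Python triage script for the log line types the helper worked through above: O2 BHO entries whose DLL reads "(no file)", O4 autoruns that launch a file on the Killbox list, autoruns whose label starts with "Adware.", and O16 DPF downloads from the hosts in the Fix Checked list. The regular expressions, the flagged-file and flagged-host sets, and the two log excerpts are assumptions constructed from the logs posted in this thread; the script also diffs a before/after excerpt so you can see which entries the cleanup removed.

```python
import re
from urllib.parse import urlparse

# Line shapes assumed from the HijackThis v1.99.1 logs quoted in this thread.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r'^\s*"?(?P<path>.*?\.exe)\b', re.IGNORECASE)

# Files and download hosts the helper put on the Killbox / Fix Checked lists (taken from the thread).
FLAGGED_FILES = {"users32.exe", "susp.exe", "runsrv32.exe", "taskdir.exe", "titanshield.exe"}
FLAGGED_HOSTS = {"www.spywarestormer.com", "www106.coolsavings.com"}


def exe_name(cmd):
    """Lower-cased basename of the .exe in an O4 command line (quoted or not), or None."""
    m = EXE_RE.match(cmd)
    if not m:
        return None
    return m.group("path").rsplit("\\", 1)[-1].lower()


def triage(line):
    """Classify one O2/O4/O16 line as ('fix' | 'review', reason); None for other line types."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return ("fix", "BHO is registered but its DLL is gone (orphaned entry)")
        return ("review", "BHO backed by a file on disk: " + m.group("path"))
    m = RUN_RE.match(line)
    if m:
        exe = exe_name(m.group("cmd"))
        if exe in FLAGGED_FILES:
            return ("fix", f"autorun launches {exe}, a file on the Killbox list")
        if m.group("label").lower().startswith("adware."):
            return ("fix", f"autorun label [{m.group('label')}] identifies itself as adware")
        return ("review", f"{m.group('hive')} autorun for {exe or m.group('cmd')}")
    m = DPF_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host in FLAGGED_HOSTS:
            return ("fix", f"ActiveX control downloaded from flagged host {host}")
        return ("review", f"ActiveX control downloaded from {host}")
    return None


def triage_log(text):
    """All (line, verdict, reason) triples for the lines triage() understands."""
    out = []
    for raw in text.splitlines():
        verdict = triage(raw)
        if verdict:
            out.append((raw.strip(), *verdict))
    return out


def removed_entries(before, after):
    """R/O entries present in the first log but absent from the second (what the cleanup removed)."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if re.match(r"^[RO]\d+ - ", l.strip())}
    return sorted(entries(before) - entries(after))


# Constructed excerpts of the June 8 and June 12 logs posted in this thread.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

if __name__ == "__main__":
    for line, verdict, reason in triage_log(BEFORE_LOG):
        print(f"{verdict:6} {reason}\n       {line}")
    print("\nRemoved by the cleanup:")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  " + line)
```

The "fix" verdicts only reproduce what the helper decided by hand in this thread (an orphaned BHO, a file already on the Killbox list, a self-labelled adware autorun, a download host already marked for removal); everything else is left at "review" because a clean-looking path or label says nothing about whether the file is legitimate, which is why the helper asked for a fresh log after each step rather than trusting one pass.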

June 12th, 2006 22:00

Here are the log files. So far so good. Thanks a lot. You've been very helpful.
 
Logfile of HijackThis v1.99.1
Scan saved at 7:45:01 PM, on 6/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114582040064
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4729/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
 
ewido log will be in next reply

June 12th, 2006 22:00

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------
 + Created on:   8:15:30 PM, 6/11/2006
 + Report-Checksum:  B1A9DD00
 + Scan result:
 HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup
 HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup
 HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\Classes\Bridge.brdg -> Adware.BlazeFind : Cleaned with backup
 HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
 HKLM\SOFTWARE\Classes\CpnMgr.CMV5 -> Adware.CoolSavings : Cleaned with backup
 HKLM\SOFTWARE\Classes\CpnMgr.CMV5\CLSID -> Adware.CoolSavings : Cleaned with backup
 HKLM\SOFTWARE\Classes\CpnMgr.CMV5\CurVer -> Adware.CoolSavings : Cleaned with backup
 HKLM\SOFTWARE\Classes\CpnMgr.CMV5.3 -> Adware.CoolSavings : Cleaned with backup
 HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Cleaned with backup
 HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup
 HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup
 HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup
 HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
 HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
 C:\Documents and Settings\John\Cookies\john@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
 C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\HWCNX5OP\ipod[1].raw -> Proxy.Lager.bj : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ads.x10[2].txt -> TrackingCookie.X10 : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@baby.valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@e-2dj6wjk4qod5ihp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-babyuniverse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-electricbusiness.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-iwantoneofthose.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-littletykes.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-nestleusainc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-talbots.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@ehg-theviptour.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@robeez.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@spinbox[2].txt -> TrackingCookie.Spinbox : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@twci.coremetrics[2].txt -> TrackingCookie.Coremetrics : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@valueclick[3].txt -> TrackingCookie.Valueclick : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@webpdp.gator[2].txt -> TrackingCookie.Gator : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@xxxtoolbar[2].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
 C:\Documents and Settings\Sue\Cookies\sue@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
 C:\Documents and Settings\Sue\Local Settings\Temp\Cookies\sue@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\n.exe -> Downloader.Small.cdy : Cleaned with backup
 C:\RECYCLER\S-1-5-21-2516372513-1603753494-1231984521-1007\Dc1.exe -> Adware.DownloadWare : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP545\A0048211.exe -> Trojan.Small : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP545\A0048249.exe -> Proxy.Lager.aw : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0048415.exe -> Proxy.Lager.aw : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0049539.exe -> Trojan.Small : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0054577.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0054595.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0054599.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0054600.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0054611.dll -> Proxy.Lager.aq : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0054616.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0054637.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP610\A0055863.dll -> Proxy.Lager.aq : Cleaned with backup
 C:\WINDOWS\Downloaded Program Files\CpnMgr.dll -> Adware.CoolSavings : Cleaned with backup
 C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
 C:\WINDOWS\SYSTEM32\adobepnl.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\WINDOWS\SYSTEM32\cmqxxvvl.exe -> Trojan.Small : Cleaned with backup
 C:\WINDOWS\SYSTEM32\crjcxtbv.exe -> Downloader.Small. : Cleaned with backup
 C:\WINDOWS\SYSTEM32\dfsvwmse.exe -> Downloader.VB.aeq : Cleaned with backup
 C:\WINDOWS\SYSTEM32\djhngkci.exe -> Trojan.Small : Cleaned with backup
 C:\WINDOWS\SYSTEM32\dtqsbwyl.exe -> Trojan.Small : Cleaned with backup
 C:\WINDOWS\SYSTEM32\hywgjniv.thv -> Hijacker.Small.js : Cleaned with backup
 C:\WINDOWS\SYSTEM32\ipod.raw.exe -> Proxy.Lager.bj : Cleaned with backup
 C:\WINDOWS\SYSTEM32\itexriek.exe -> Downloader.Small. : Cleaned with backup
 C:\WINDOWS\SYSTEM32\jqvdevhz.ckz -> Hijacker.Small.js : Cleaned with backup
 C:\WINDOWS\SYSTEM32\kwzkrpqb.exe -> Trojan.Small : Cleaned with backup
 C:\WINDOWS\SYSTEM32\nhomlxla.ftl -> Hijacker.Small.js : Cleaned with backup
 C:\WINDOWS\SYSTEM32\phqghume.exe -> Trojan.Small : Cleaned with backup
 C:\WINDOWS\SYSTEM32\qjrkvy.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
 C:\WINDOWS\SYSTEM32\tswuqevi.exe -> Downloader.VB.aan : Cleaned with backup
 C:\WINDOWS\SYSTEM32\users32.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup
 C:\WINDOWS\SYSTEM32\voblaizdupla.exe -> Downloader.Small.ciw : Cleaned with backup
 C:\WINDOWS\SYSTEM32\winflash.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup

::Report End
I had to remove some three letter words or I couldn't post.

June 12th, 2006 23:00

Congratulations, your log looks clean!

Now that your system is clean, let's create a new restore point.
Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, select 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.


In the future, there are some things you can do to prevent spyware infections:

Install the following freeware programs:
SpywareGuard
SpywareBlaster

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

If you do not have a firewall, here are a couple of freeware firewalls you can install:
Kerio Personal Firewall
Zone Alarm


Stay updated with the most recent Windows patches using Microsoft's Windows Update.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often, or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup"), and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files

So how did I get infected in the first place?
Regards, and Happy Surfing!