Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
If that doesn't work, it probably would be good if we could see what else is running around in there, so I'm going to send you for a diagnostic tool. After you run it and post on the HijackThis Board we will know more.
** There is a list of trained analysts at the top of that board in the Announcements. If someone else replies, it will be your decision whether or not you want to take advice from them.
Please download
HJT Installer from
Here to your desktop.
If not available use this alternate link:
Here
Click the
Download button.
When the Trend Micro HJT install box appears, double click on the
HJTInstall.exe.
Click on Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder.
The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
Close all open windows except HijackThis.
Click on "
Do a system scan and save logfile" When the log pops up in Notepad copy and paste that file as a NEW MESSAGE on the HijackThis Board.
Before closing HJT, please click on the
Analyze This button. "Analyze This" is for Trendmicro use, and does not mean "Analyze My Log". You must post on the forum in order to receive an analysis of your log.
Close the web page that appears and then close the program HJT.
Posting Your Log:
1. Just click the New Message button in the HijackThis forum here:
http://www.dellcommunity.com/supportforums/board?board.id=si_hijack to start your own thread requesting assistance.
2. In the Message Body window that opens, simply Right-Click and select Paste.
3. Please add text to describe your symptoms.
4. Include in the message subject line a description of your problem. For example, "Popups warning of infection".
5. Make certain you post the entire log by clicking the Preview Post link at the bottom of the window and comparing it to the log from your scan before you click Submit Post
** Note: "The box next to Automatically convert carriage returns to HTML line breaks" should be checked if that appears at the bottom of your Message Body when composing your post.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or required.
Message Edited by Bugbatter on 01-09-2008 04:39 PM
1:54 PM: Removal process completed. Elapsed time 00:00:26
1:54 PM: Preparing to restart your computer. Please wait...
1:54 PM: Quarantining All Traces: tshirthell cookie
1:54 PM: Quarantining All Traces: burstbeacon cookie
1:54 PM: Quarantining All Traces: toplist cookie
1:54 PM: Quarantining All Traces: statcounter cookie
1:54 PM: Quarantining All Traces: dealtime cookie
1:54 PM: Quarantining All Traces: serving-sys cookie
1:54 PM: Quarantining All Traces: server.iad.liveperson cookie
1:54 PM: Quarantining All Traces: adjuggler cookie
1:54 PM: Quarantining All Traces: one-time-offer cookie
1:54 PM: Quarantining All Traces: nextag cookie
1:54 PM: Quarantining All Traces: imlive.com cookie
1:54 PM: Quarantining All Traces: ic-live cookie
1:54 PM: Quarantining All Traces: go.com cookie
1:54 PM: Quarantining All Traces: did-it cookie
1:54 PM: Quarantining All Traces: ccbill cookie
1:54 PM: Quarantining All Traces: casalemedia cookie
1:54 PM: Quarantining All Traces: azjmp cookie
1:54 PM: Quarantining All Traces: atlas dmt cookie
1:54 PM: Quarantining All Traces: apmebf cookie
1:54 PM: Quarantining All Traces: tacoda cookie
1:54 PM: Quarantining All Traces: alt cookie
1:54 PM: Quarantining All Traces: adserver cookie
1:54 PM: Quarantining All Traces: adrevolver cookie
1:54 PM: Quarantining All Traces: specificclick.com cookie
1:54 PM: Quarantining All Traces: adlegend cookie
1:54 PM: Quarantining All Traces: adecn cookie
1:54 PM: Quarantining All Traces: yieldmanager cookie
1:54 PM: Quarantining All Traces: about cookie
1:54 PM: Quarantining All Traces: 190dotcom cookie
1:54 PM: Quarantining All Traces: 5 cookie
1:54 PM: Quarantining All Traces: 2o7.net cookie
1:54 PM: Quarantining All Traces: Troj/Qoolaid-V
1:54 PM: c:\windows\system32\kdpeg.exe is in use. It will be removed on reboot.
1:54 PM: trojan-dnschanger is in use. It will be removed on reboot.
1:54 PM: Quarantining All Traces: trojan-dnschanger
1:54 PM: Quarantining All Traces: Mal/Behav-010
1:54 PM: Quarantining All Traces: Troj/Qoolaid-AF
1:54 PM: Quarantining All Traces: Troj/Qoolaid-U
1:54 PM: C:\Program Files\Video Add-on is in use. It will be removed on reboot.
1:54 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
1:53 PM: Quarantining All Traces: trojan-downloader-zlob
1:53 PM: Removal process initiated
1:53 PM: Traces Found: 79
1:53 PM: Full Sweep has completed. Elapsed time 00:41:30
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\information center\ (ID = 3151918)
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ie safety features\ (ID = 3151917)
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ie custom tools\ (ID = 3151916)
1:52 PM: File Sweep Complete, Elapsed Time: 00:36:21
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a623912-2e28-40b2-a375-966825439274.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87a0e05b-d254-4024-a610-72c96d83c8fe.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa7ceeb86-492a-4243-884d-ec04aa94b346.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb01fd94-09d1-4805-ac51-aaac2060bee2.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms826d12fc-0fba-48dc-83b2-d999740cafd2.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms2a9745cb-97cf-4b46-a924-585c83df8bce.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1851a03d-7c9b-4454-8f22-8dcd88b02e81.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5d095b8f-bf52-414d-ad2e-4eeb9c0c16cd.tmp]
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a623912-2e28-40b2-a375-966825439274.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87a0e05b-d254-4024-a610-72c96d83c8fe.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa7ceeb86-492a-4243-884d-ec04aa94b346.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb01fd94-09d1-4805-ac51-aaac2060bee2.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms826d12fc-0fba-48dc-83b2-d999740cafd2.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms2a9745cb-97cf-4b46-a924-585c83df8bce.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1851a03d-7c9b-4454-8f22-8dcd88b02e81.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5d095b8f-bf52-414d-ad2e-4eeb9c0c16cd.tmp". The operation completed successfully
1:43 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\program files\norton internet security\norton antivirus\savrt\0438nav~.tmp]
1:43 PM: Warning: Failed to open file "c:\program files\norton internet security\norton antivirus\savrt\0438nav~.tmp". The operation completed successfully
1:42 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\default]
1:42 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\kevin\ntuser.dat]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9c92bf45-9983-4e6b-99bd-77ef0f8c132d.tmp]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsaf75710c-c755-4035-b120-ee5c48bdae30.tmp]
1:39 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms25897dd8-874e-4e63-aed0-fa3e9477b5e3.tmp]
1:39 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms79b5f8bb-dd69-4de6-8c01-5e6e241f7758.tmp]
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\70D16BFB.cpl (ID = 0)
1:38 PM: Found Troj/Qoolaid-V: Troj/Qoolaid-V
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:37 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5fbc515d-ed8f-46f1-a2e2-2a2043d691a0.tmp]
1:37 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms6080cedd-36af-4720-9cae-6700e65ccb3a.tmp]
1:36 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb7af0c5-6b65-4f8e-9c13-89d2745a5fa2.tmp]
1:33 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
1:31 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms436c87d6-2b1f-40bc-9b34-5a10e318e314.tmp]
1:31 PM: c:\windows\system32\kdpeg.exe (ID = 1250084)
1:31 PM: Found Trojan Horse: trojan-dnschanger
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:30 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\hiberfil.sys]
1:28 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38945742.dll (ID = 0)
1:27 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms62962cdd-1a77-4530-96d4-5ff125b73c98.tmp]
1:25 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9ba043db-56e9-4973-bd48-dcfec1457194.tmp]
1:24 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security]
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\71BD797E.dll (ID = 0)
1:23 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: Found Mal/Behav-010: Mal/Behav-010
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: Found Troj/Qoolaid-AF: Troj/Qoolaid-AF
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:19 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\475145EF.exe (ID = 0)
1:19 PM: Found Troj/Qoolaid-U: Troj/Qoolaid-U
Thank you for the help and here is the log. Something is still trying to change my homepage on IE. Should I do the other thing? Thank you. Yes it had been awhile since a antispyware was run.
1:19 PM: Found Troj/Qoolaid-U: Troj/Qoolaid-U
1:17 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\catroot2\tmp.edb]
1:16 PM: C:\Program Files\Video Add-on (12 subtraces) (ID = 2147576087)
1:16 PM: Starting File Sweep
1:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
1:16 PM: c:\documents and settings\kevin\cookies\kevin@www.tshirthell[1].txt (ID = 3596)
1:16 PM: Found Spy Cookie: tshirthell cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@www.burstbeacon[1].txt (ID = 2335)
1:16 PM: Found Spy Cookie: burstbeacon cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@toplist[1].txt (ID = 3557)
1:16 PM: Found Spy Cookie: toplist cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@tacoda[1].txt (ID = 6444)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@statcounter[2].txt (ID = 3447)
1:16 PM: Found Spy Cookie: statcounter cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@stat.dealtime[2].txt (ID = 2506)
1:16 PM: Found Spy Cookie: dealtime cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@sports.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@sports-ak.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@specificclick[1].txt (ID = 3399)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@serving-sys[1].txt (ID = 3343)
1:16 PM: Found Spy Cookie: serving-sys cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@server.iad.liveperson[2].txt (ID = 3341)
1:16 PM: Found Spy Cookie: server.iad.liveperson cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@scores.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@rsi.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@rotator.adjuggler[1].txt (ID = 2071)
1:16 PM: Found Spy Cookie: adjuggler cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@one-time-offer[1].txt (ID = 3095)
1:16 PM: Found Spy Cookie: one-time-offer cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@nextag[2].txt (ID = 5014)
1:16 PM: Found Spy Cookie: nextag cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@media.adrevolver[1].txt (ID = 2089)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@imlive[1].txt (ID = 2843)
1:16 PM: Found Spy Cookie: imlive.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ic-live[1].txt (ID = 2821)
1:16 PM: Found Spy Cookie: ic-live cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@go[2].txt (ID = 2728)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@espn.go[2].txt (ID = 2729)
1:16 PM: Found Spy Cookie: go.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@did-it[2].txt (ID = 2523)
1:16 PM: Found Spy Cookie: did-it cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ccbill[2].txt (ID = 2369)
1:16 PM: Found Spy Cookie: ccbill cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@casalemedia[2].txt (ID = 2354)
1:16 PM: Found Spy Cookie: casalemedia cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@baseball.about[1].txt (ID = 2038)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@azjmp[2].txt (ID = 2270)
1:16 PM: Found Spy Cookie: azjmp cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@atdmt[1].txt (ID = 2253)
1:16 PM: Found Spy Cookie: atlas dmt cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@apmebf[2].txt (ID = 2229)
1:16 PM: Found Spy Cookie: apmebf cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@anat.tacoda[2].txt (ID = 6445)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@anad.tacoda[1].txt (ID = 6445)
1:16 PM: Found Spy Cookie: tacoda cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@alt[1].txt (ID = 2217)
1:16 PM: Found Spy Cookie: alt cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@alcoholism.about[1].txt (ID = 2038)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adserver[1].txt (ID = 2141)
1:16 PM: Found Spy Cookie: adserver cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adrevolver[2].txt (ID = 2088)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adrevolver[1].txt (ID = 2088)
1:16 PM: Found Spy Cookie: adrevolver cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adopt.specificclick[2].txt (ID = 3400)
1:16 PM: Found Spy Cookie: specificclick.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adlegend[1].txt (ID = 2074)
1:16 PM: Found Spy Cookie: adlegend cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adecn[1].txt (ID = 2063)
1:16 PM: Found Spy Cookie: adecn cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ad.yieldmanager[2].txt (ID = 3751)
1:16 PM: Found Spy Cookie: yieldmanager cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@about[2].txt (ID = 2037)
1:16 PM: Found Spy Cookie: about cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@64.28.190[1].txt (ID = 1936)
1:16 PM: Found Spy Cookie: 190dotcom cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@5[1].txt (ID = 1979)
1:16 PM: Found Spy Cookie: 5 cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@2o7[2].txt (ID = 1957)
1:16 PM: Found Spy Cookie: 2o7.net cookie
1:16 PM: Starting Cookie Sweep
1:16 PM: Registry Sweep Complete, Elapsed Time:00:00:17
1:16 PM: HKU\S-1-5-21-3566777786-2216419421-468148449-1007\software\online add-on\ (ID = 3151919)
1:16 PM: HKLM\software\microsoft\windows\currentversion\uninstall\windows safety alert\ (ID = 2118088)
1:16 PM: Found Trojan Horse: trojan-downloader-zlob
1:16 PM: Starting Registry Sweep
1:16 PM: Memory Sweep Complete, Elapsed Time: 00:04:39
1:11 PM: Warning: TFileCountEnum.ProcessPartition: TVolumeFAT.IC: invalid Boot Sector. Volume D:
1:11 PM: Starting Memory Sweep
1:11 PM: Start Full Sweep
1:11 PM: Sweep initiated using definitions version 1062
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:10 PM: Warning: no filename sent to VerifyFileSignature
1:10 PM: BHO Shield: found: -- BHO installation denied at user request
1:09 PM: Warning: no filename sent to VerifyFileSignature
1:09 PM: BHO Shield: found: -- BHO installation denied at user request
1:09 PM: Your virus definitions have been updated.
1:09 PM: Informational: Loaded AntiVirus Engine: 2.53.1; SDK Version: 4.25E; Virus Definitions: 1/9/2008 5:38:54 AM (GMT)
1:05 PM: Your spyware definitions have been updated.
1:05 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
If you are still having problems, yes, post a log on the HijackThis Board. They are very busy there, so it may take a day or two until someone replies.
First of all remove Virus Protect from ur PC from Add and Remove Programs then
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:
Next, please reboot your computer into Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
When your computer has started in safe mode, and you see the desktop, close all open Windows.
Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:
When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).
The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11.
When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications.You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.
Your computer should now be free of the VirusProtect infection.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner.
Print out these instructions as we will need to close every window that is open later in the fix.
Download FixVPP.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.
Confirm that the file FixVPP.reg now resides on your desktop as we will need it later.
Download SmitfraudFix.exe from here and save it to your desktop:
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:
Go to your desktop and double click on the FixVPP.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.
Click on the Start button and then select the Run option.
In the Open: field type c:\windows\system32 and then press the OK button.
When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.
We now need to make it so you can see hidden files.
Click on the Tools menu and select Folder Options.
Click on the View tab.
Under the Hidden files and folders category select Show hidden files and folders.
Uncheck Hide protected operating system files.
Press Apply and then OK.
If you still can not see the file, then undo these changes and skip to step 11.
Scroll through the list of files in this folder and look for fftktmk.dll. Right-click on fftktmk.dll and select rename. Rename the file to fftktmk.dll.bad.
Look for the file ucmbegr.dll and rename the file to ucmbegr.dll.bad
Look for the file moywh.dll and rename the file to moywh.dll.bad
Look for the file wygomd.dll and rename the file to wygomd.dll.bad
Look for the file rldyt.dll and rename the file to rldyt.dll.bad
Look for the file chzbi.dll and rename the file to chzbi.dll.bad
Look for the file ymmzwd.dll and rename the file to ymmzwd.dll.bad
Look for the file ivrllc.dll and rename the file to ivrllc.dll.bad
Look for the file zcwlnic.dll and rename the file to zcwlnic.dll.bad
Look for the file ncrjf.dll and rename the file to ncrjf.dll.bad
Look for the file uglgs.dll and rename the file to uglgs.dll.bad
Look for the file tvtpwp.dll and rename the file to tvtpwp.dll.bad
Look for the file wowlze.dll and rename the file to wowlze.dll.bad
Look for the file cjuvwa.dll and rename the file to cjuvwa.dll.bad
Look for the file gnjsjc.dll and rename the file to gnjsjc.dll.bad
Look for the file ezzhjmt.dll and rename the file to ezzhjmt.dll.bad
Look for the file fsehfcu.dll and rename the file to fsehfcu.dll.bad
Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? forum.
After you rename the file, you can close the System32 folder window.
Next, please reboot your computer into Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
When you are at the logon prompt, log in as the same user which you had done the previous steps.
When your computer has started in safe mode and you see the desktop, click on the Start Menu button.
Click on the Control Panel option.
Double-click on the Add or Remove Programs icon.
Find the entries for VirusProtect 3.8 or VirusProtect 3.9and double-click on them to uninstall if found. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.
When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.
Delete the following files and folders (Do not be concerned if a folder does not exist): C:\Windows\System32\fftktmk.dll.bad C:\Windows\System32\ucmbegr.dll.bad C:\Windows\System32\moywh.dll.bad C:\Windows\System32\wygomd.dll.bad C:\Windows\System32\chzbi.dll.bad C:\Windows\System32\rldyt.dll.bad C:\Windows\System32\ymmzwd.dll.bad C:\Windows\System32\ivrllc.dll.bad C:\Windows\System32\zcwlnic.dll.bad C:\Windows\System32\ncrjf.dll.bad C:\Windows\System32\uglgs.dll.bad C:\Windows\System32\tvtpwp.dll.bad C:\Windows\System32\wowlze.dll.bad C:\Windows\System32\cjuvwa.dll.bad C:\Windows\System32\gnjsjc.dll.bad C:\Windows\System32\ezzhjmt.dll.bad C:\Windows\System32\fsehfcu.dll.bad C:\Windows\System32\e404d.dll C:\Program Files\Helper\ C:\Program Files\VirusProtect 3.8\ C:\Program Files\VirusProtect 3.9\
Close all open Windows.
Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:
When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).
The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.
This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 25.
When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications.You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log to see what files were found, and when you are done, close the Notepad screen.
We next perform an online scan with Panda to find any possible inactive remnants from this infection: Panda Online
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When download is complete, click on Local Disks to start the scan
When the online scan has been completed, let it remove what it finds, and then you can close Internet Explorer.
Your computer should now be free of the Virus Protect infection.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Last night I went in and deleted all the temporary internet files, cookies and history. I thought just doing it for that day would work but it did not. I also reassigned my homepage and it seems to be ok but then I type in a website I want to go to in yahoo and it gives me a list that looks like yahoo but then redirects me to another site like edmunds.com so I am guessing that I should run the diagnostic/hijack program? Thanks again for your help.
Thanks for trying to help, Rebirth_online, but we do not read SmitfraudFix logs on this board. That is done over on the HijackThis board that I provided a link to in my post above.
Your instructions appear to be copied from those written by Grinler at Bleeping Computer. He does excellent work on his tutorials, so we will give credit to the author.
Not all the files from that fix may be present on the infected computer and there may, in fact, be some different ones, not listed, because these infections tend to attract others.
---------------------------------------------
I suggest that redds34 either post a HijackThis log at our Hijackthis Board or at the HijackThis forum mentioned in the above tutorial. Either way, the helpers handling logs at those boards will walk through a fix that is written to address issues on the specific computer, rather than having you follow a generic fix.
Message Edited by Bugbatter on 01-10-2008 09:44 AM
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 9th, 2008 19:00
First, disable SpySweeper so it doesn't interfere with this scanner!
Download and scan with SUPERAntiSpyware Free for Home Users
If that doesn't work, it probably would be good if we could see what else is running around in there, so I'm going to send you for a diagnostic tool. After you run it and post on the HijackThis Board we will know more.
** There is a list of trained analysts at the top of that board in the Announcements. If someone else replies, it will be your decision whether or not you want to take advice from them.
Please download HJT Installer from Here to your desktop.
If not available use this alternate link: Here
Click the Download button.
When the Trend Micro HJT install box appears, double click on the HJTInstall.exe.
Click on Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder.
The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
Close all open windows except HijackThis.
Click on " Do a system scan and save logfile" When the log pops up in Notepad copy and paste that file as a NEW MESSAGE on the HijackThis Board.
Before closing HJT, please click on the Analyze This button. "Analyze This" is for Trendmicro use, and does not mean "Analyze My Log". You must post on the forum in order to receive an analysis of your log.
Close the web page that appears and then close the program HJT.
Posting Your Log:
1. Just click the New Message button in the HijackThis forum here: http://www.dellcommunity.com/supportforums/board?board.id=si_hijack
to start your own thread requesting assistance.
2. In the Message Body window that opens, simply Right-Click and select Paste.
3. Please add text to describe your symptoms.
4. Include in the message subject line a description of your problem. For example, "Popups warning of infection".
5. Make certain you post the entire log by clicking the Preview Post link at the bottom of the window and comparing it to the log from your scan before you click Submit Post
** Note: "The box next to Automatically convert carriage returns to HTML line breaks" should be checked if that appears at the bottom of your Message Body when composing your post.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or required.
Message Edited by Bugbatter on 01-09-2008 04:39 PM
redds34
10 Posts
0
January 10th, 2008 00:00
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
1:01 PM: Tamper Detection
1:01 PM: Warning: no filename sent to VerifyFileSignature
1:54 PM: Removal process completed. Elapsed time 00:00:26
1:54 PM: Preparing to restart your computer. Please wait...
1:54 PM: Quarantining All Traces: tshirthell cookie
1:54 PM: Quarantining All Traces: burstbeacon cookie
1:54 PM: Quarantining All Traces: toplist cookie
1:54 PM: Quarantining All Traces: statcounter cookie
1:54 PM: Quarantining All Traces: dealtime cookie
1:54 PM: Quarantining All Traces: serving-sys cookie
1:54 PM: Quarantining All Traces: server.iad.liveperson cookie
1:54 PM: Quarantining All Traces: adjuggler cookie
1:54 PM: Quarantining All Traces: one-time-offer cookie
1:54 PM: Quarantining All Traces: nextag cookie
1:54 PM: Quarantining All Traces: imlive.com cookie
1:54 PM: Quarantining All Traces: ic-live cookie
1:54 PM: Quarantining All Traces: go.com cookie
1:54 PM: Quarantining All Traces: did-it cookie
1:54 PM: Quarantining All Traces: ccbill cookie
1:54 PM: Quarantining All Traces: casalemedia cookie
1:54 PM: Quarantining All Traces: azjmp cookie
1:54 PM: Quarantining All Traces: atlas dmt cookie
1:54 PM: Quarantining All Traces: apmebf cookie
1:54 PM: Quarantining All Traces: tacoda cookie
1:54 PM: Quarantining All Traces: alt cookie
1:54 PM: Quarantining All Traces: adserver cookie
1:54 PM: Quarantining All Traces: adrevolver cookie
1:54 PM: Quarantining All Traces: specificclick.com cookie
1:54 PM: Quarantining All Traces: adlegend cookie
1:54 PM: Quarantining All Traces: adecn cookie
1:54 PM: Quarantining All Traces: yieldmanager cookie
1:54 PM: Quarantining All Traces: about cookie
1:54 PM: Quarantining All Traces: 190dotcom cookie
1:54 PM: Quarantining All Traces: 5 cookie
1:54 PM: Quarantining All Traces: 2o7.net cookie
1:54 PM: Quarantining All Traces: Troj/Qoolaid-V
1:54 PM: c:\windows\system32\kdpeg.exe is in use. It will be removed on reboot.
1:54 PM: trojan-dnschanger is in use. It will be removed on reboot.
1:54 PM: Quarantining All Traces: trojan-dnschanger
1:54 PM: Quarantining All Traces: Mal/Behav-010
1:54 PM: Quarantining All Traces: Troj/Qoolaid-AF
1:54 PM: Quarantining All Traces: Troj/Qoolaid-U
1:54 PM: C:\Program Files\Video Add-on is in use. It will be removed on reboot.
1:54 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
1:53 PM: Quarantining All Traces: trojan-downloader-zlob
1:53 PM: Removal process initiated
1:53 PM: Traces Found: 79
1:53 PM: Full Sweep has completed. Elapsed time 00:41:30
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\information center\ (ID = 3151918)
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ie safety features\ (ID = 3151917)
1:52 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ie custom tools\ (ID = 3151916)
1:52 PM: File Sweep Complete, Elapsed Time: 00:36:21
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a623912-2e28-40b2-a375-966825439274.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87a0e05b-d254-4024-a610-72c96d83c8fe.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa7ceeb86-492a-4243-884d-ec04aa94b346.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb01fd94-09d1-4805-ac51-aaac2060bee2.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms826d12fc-0fba-48dc-83b2-d999740cafd2.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms2a9745cb-97cf-4b46-a924-585c83df8bce.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1851a03d-7c9b-4454-8f22-8dcd88b02e81.tmp]
1:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5d095b8f-bf52-414d-ad2e-4eeb9c0c16cd.tmp]
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a623912-2e28-40b2-a375-966825439274.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87a0e05b-d254-4024-a610-72c96d83c8fe.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa7ceeb86-492a-4243-884d-ec04aa94b346.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb01fd94-09d1-4805-ac51-aaac2060bee2.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms826d12fc-0fba-48dc-83b2-d999740cafd2.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms2a9745cb-97cf-4b46-a924-585c83df8bce.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1851a03d-7c9b-4454-8f22-8dcd88b02e81.tmp". The operation completed successfully
1:44 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5d095b8f-bf52-414d-ad2e-4eeb9c0c16cd.tmp". The operation completed successfully
1:43 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\program files\norton internet security\norton antivirus\savrt\0438nav~.tmp]
1:43 PM: Warning: Failed to open file "c:\program files\norton internet security\norton antivirus\savrt\0438nav~.tmp". The operation completed successfully
1:42 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\default]
1:42 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\kevin\ntuser.dat]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9c92bf45-9983-4e6b-99bd-77ef0f8c132d.tmp]
1:41 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsaf75710c-c755-4035-b120-ee5c48bdae30.tmp]
1:39 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms25897dd8-874e-4e63-aed0-fa3e9477b5e3.tmp]
1:39 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms79b5f8bb-dd69-4de6-8c01-5e6e241f7758.tmp]
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\70D16BFB.cpl (ID = 0)
1:38 PM: Found Troj/Qoolaid-V: Troj/Qoolaid-V
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:38 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1450395F.exe (ID = 0)
1:37 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5fbc515d-ed8f-46f1-a2e2-2a2043d691a0.tmp]
1:37 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms6080cedd-36af-4720-9cae-6700e65ccb3a.tmp]
1:36 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscb7af0c5-6b65-4f8e-9c13-89d2745a5fa2.tmp]
1:33 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
1:31 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms436c87d6-2b1f-40bc-9b34-5a10e318e314.tmp]
1:31 PM: c:\windows\system32\kdpeg.exe (ID = 1250084)
1:31 PM: Found Trojan Horse: trojan-dnschanger
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:31 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1389383A.exe (ID = 0)
1:30 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\hiberfil.sys]
1:28 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\38945742.dll (ID = 0)
1:27 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms62962cdd-1a77-4530-96d4-5ff125b73c98.tmp]
1:25 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9ba043db-56e9-4973-bd48-dcfec1457194.tmp]
1:24 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security]
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\71BD797E.dll (ID = 0)
1:23 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: Found Mal/Behav-010: Mal/Behav-010
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: Found Troj/Qoolaid-AF: Troj/Qoolaid-AF
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:23 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26DF7B9A.exe (ID = 0)
1:19 PM: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\475145EF.exe (ID = 0)
1:19 PM: Found Troj/Qoolaid-U: Troj/Qoolaid-U
redds34
10 Posts
0
January 10th, 2008 00:00
1:19 PM: Found Troj/Qoolaid-U: Troj/Qoolaid-U
1:17 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\catroot2\tmp.edb]
1:16 PM: C:\Program Files\Video Add-on (12 subtraces) (ID = 2147576087)
1:16 PM: Starting File Sweep
1:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
1:16 PM: c:\documents and settings\kevin\cookies\kevin@www.tshirthell[1].txt (ID = 3596)
1:16 PM: Found Spy Cookie: tshirthell cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@www.burstbeacon[1].txt (ID = 2335)
1:16 PM: Found Spy Cookie: burstbeacon cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@toplist[1].txt (ID = 3557)
1:16 PM: Found Spy Cookie: toplist cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@tacoda[1].txt (ID = 6444)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@statcounter[2].txt (ID = 3447)
1:16 PM: Found Spy Cookie: statcounter cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@stat.dealtime[2].txt (ID = 2506)
1:16 PM: Found Spy Cookie: dealtime cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@sports.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@sports-ak.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@specificclick[1].txt (ID = 3399)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@serving-sys[1].txt (ID = 3343)
1:16 PM: Found Spy Cookie: serving-sys cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@server.iad.liveperson[2].txt (ID = 3341)
1:16 PM: Found Spy Cookie: server.iad.liveperson cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@scores.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@rsi.espn.go[1].txt (ID = 2729)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@rotator.adjuggler[1].txt (ID = 2071)
1:16 PM: Found Spy Cookie: adjuggler cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@one-time-offer[1].txt (ID = 3095)
1:16 PM: Found Spy Cookie: one-time-offer cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@nextag[2].txt (ID = 5014)
1:16 PM: Found Spy Cookie: nextag cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@media.adrevolver[1].txt (ID = 2089)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@imlive[1].txt (ID = 2843)
1:16 PM: Found Spy Cookie: imlive.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ic-live[1].txt (ID = 2821)
1:16 PM: Found Spy Cookie: ic-live cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@go[2].txt (ID = 2728)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@espn.go[2].txt (ID = 2729)
1:16 PM: Found Spy Cookie: go.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@did-it[2].txt (ID = 2523)
1:16 PM: Found Spy Cookie: did-it cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ccbill[2].txt (ID = 2369)
1:16 PM: Found Spy Cookie: ccbill cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@casalemedia[2].txt (ID = 2354)
1:16 PM: Found Spy Cookie: casalemedia cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@baseball.about[1].txt (ID = 2038)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@azjmp[2].txt (ID = 2270)
1:16 PM: Found Spy Cookie: azjmp cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@atdmt[1].txt (ID = 2253)
1:16 PM: Found Spy Cookie: atlas dmt cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@apmebf[2].txt (ID = 2229)
1:16 PM: Found Spy Cookie: apmebf cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@anat.tacoda[2].txt (ID = 6445)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@anad.tacoda[1].txt (ID = 6445)
1:16 PM: Found Spy Cookie: tacoda cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@alt[1].txt (ID = 2217)
1:16 PM: Found Spy Cookie: alt cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@alcoholism.about[1].txt (ID = 2038)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adserver[1].txt (ID = 2141)
1:16 PM: Found Spy Cookie: adserver cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adrevolver[2].txt (ID = 2088)
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adrevolver[1].txt (ID = 2088)
1:16 PM: Found Spy Cookie: adrevolver cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adopt.specificclick[2].txt (ID = 3400)
1:16 PM: Found Spy Cookie: specificclick.com cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adlegend[1].txt (ID = 2074)
1:16 PM: Found Spy Cookie: adlegend cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@adecn[1].txt (ID = 2063)
1:16 PM: Found Spy Cookie: adecn cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@ad.yieldmanager[2].txt (ID = 3751)
1:16 PM: Found Spy Cookie: yieldmanager cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@about[2].txt (ID = 2037)
1:16 PM: Found Spy Cookie: about cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@64.28.190[1].txt (ID = 1936)
1:16 PM: Found Spy Cookie: 190dotcom cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@5[1].txt (ID = 1979)
1:16 PM: Found Spy Cookie: 5 cookie
1:16 PM: c:\documents and settings\kevin\cookies\kevin@2o7[2].txt (ID = 1957)
1:16 PM: Found Spy Cookie: 2o7.net cookie
1:16 PM: Starting Cookie Sweep
1:16 PM: Registry Sweep Complete, Elapsed Time:00:00:17
1:16 PM: HKU\S-1-5-21-3566777786-2216419421-468148449-1007\software\online add-on\ (ID = 3151919)
1:16 PM: HKLM\software\microsoft\windows\currentversion\uninstall\windows safety alert\ (ID = 2118088)
1:16 PM: Found Trojan Horse: trojan-downloader-zlob
1:16 PM: Starting Registry Sweep
1:16 PM: Memory Sweep Complete, Elapsed Time: 00:04:39
1:11 PM: Warning: TFileCountEnum.ProcessPartition: TVolumeFAT.IC: invalid Boot Sector. Volume D:
1:11 PM: Starting Memory Sweep
1:11 PM: Start Full Sweep
1:11 PM: Sweep initiated using definitions version 1062
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:11 PM: Warning: no filename sent to VerifyFileSignature
1:11 PM: BHO Shield: found: -- BHO installation denied at user request
1:10 PM: Warning: no filename sent to VerifyFileSignature
1:10 PM: BHO Shield: found: -- BHO installation denied at user request
1:09 PM: Warning: no filename sent to VerifyFileSignature
1:09 PM: BHO Shield: found: -- BHO installation denied at user request
1:09 PM: Your virus definitions have been updated.
1:09 PM: Informational: Loaded AntiVirus Engine: 2.53.1; SDK Version: 4.25E; Virus Definitions: 1/9/2008 5:38:54 AM (GMT)
1:05 PM: Your spyware definitions have been updated.
1:05 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:03 PM: BHO Shield: found: -- BHO installation denied at user request
1:03 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
1:02 PM: Warning: no filename sent to VerifyFileSignature
1:02 PM: BHO Shield: found: -- BHO installation denied at user request
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 10th, 2008 01:00
Rebirth_online
2 Posts
0
January 10th, 2008 09:00
First of all remove Virus Protect from ur PC from Add and Remove Programs then
This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11.
Your computer should now be free of the VirusProtect infection.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
Manual Removal Instructions for VirusProtect:
These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner.
Confirm that the file FixVPP.reg now resides on your desktop as we will need it later.
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:
Look for the file ucmbegr.dll and rename the file to ucmbegr.dll.bad
Look for the file moywh.dll and rename the file to moywh.dll.bad
Look for the file wygomd.dll and rename the file to wygomd.dll.bad
Look for the file rldyt.dll and rename the file to rldyt.dll.bad
Look for the file chzbi.dll and rename the file to chzbi.dll.bad
Look for the file ymmzwd.dll and rename the file to ymmzwd.dll.bad
Look for the file ivrllc.dll and rename the file to ivrllc.dll.bad
Look for the file zcwlnic.dll and rename the file to zcwlnic.dll.bad
Look for the file ncrjf.dll and rename the file to ncrjf.dll.bad
Look for the file uglgs.dll and rename the file to uglgs.dll.bad
Look for the file tvtpwp.dll and rename the file to tvtpwp.dll.bad
Look for the file wowlze.dll and rename the file to wowlze.dll.bad
Look for the file cjuvwa.dll and rename the file to cjuvwa.dll.bad
Look for the file gnjsjc.dll and rename the file to gnjsjc.dll.bad
Look for the file ezzhjmt.dll and rename the file to ezzhjmt.dll.bad
Look for the file fsehfcu.dll and rename the file to fsehfcu.dll.bad
Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? forum.
C:\Windows\System32\fftktmk.dll.bad
C:\Windows\System32\ucmbegr.dll.bad
C:\Windows\System32\moywh.dll.bad
C:\Windows\System32\wygomd.dll.bad
C:\Windows\System32\chzbi.dll.bad
C:\Windows\System32\rldyt.dll.bad
C:\Windows\System32\ymmzwd.dll.bad
C:\Windows\System32\ivrllc.dll.bad
C:\Windows\System32\zcwlnic.dll.bad
C:\Windows\System32\ncrjf.dll.bad
C:\Windows\System32\uglgs.dll.bad
C:\Windows\System32\tvtpwp.dll.bad
C:\Windows\System32\wowlze.dll.bad
C:\Windows\System32\cjuvwa.dll.bad
C:\Windows\System32\gnjsjc.dll.bad
C:\Windows\System32\ezzhjmt.dll.bad
C:\Windows\System32\fsehfcu.dll.bad
C:\Windows\System32\e404d.dll
C:\Program Files\Helper\
C:\Program Files\VirusProtect 3.8\
C:\Program Files\VirusProtect 3.9\
This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 25.
Your computer should now be free of the Virus Protect infection.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
redds34
10 Posts
0
January 10th, 2008 12:00
Message Edited by redds34 on 01-10-2008 08:20 AM
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 10th, 2008 12:00
Your instructions appear to be copied from those written by Grinler at Bleeping Computer. He does excellent work on his tutorials, so we will give credit to the author.
Not all the files from that fix may be present on the infected computer and there may, in fact, be some different ones, not listed, because these infections tend to attract others.
---------------------------------------------
I suggest that redds34 either post a HijackThis log at our Hijackthis Board or at the HijackThis forum mentioned in the above tutorial. Either way, the helpers handling logs at those boards will walk through a fix that is written to address issues on the specific computer, rather than having you follow a generic fix.
Message Edited by Bugbatter on 01-10-2008 09:44 AM
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 10th, 2008 12:00