Options

Help with trojan-spy.html.smitfraud.c

Unknown
edited July 2005 in Spyware & Virus Removal
Okay I did the scan of RunThis and the HijackThis and it has cleared up the background problem however according to my computer it still is infected. My antivirus does not fix the problem. I have received help from another here and was instructed to post the log list here, below.

Logfile of HijackThis v1.99.1
Scan saved at 3:29:07 PM, on 7/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\system32\svcnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{949291CE-0D01-4A25-8760-5A3CD5F17B76}: NameServer = 151.164.1.8 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)

Comments

  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    Hi. Welcome to Short-Media forums :).

    You are running hijackthis from a temporary folder. You need to create a new folder in a permanent directory of your choice, (a folder on the desktop is fine) name the new folder hijackthis and move or unzip hijackthis.exe into that folder.

    --

    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Download smitRem.zip and save the file to your desktop.
    Right click on the file and extract it to it's own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)

    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
    O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149

    O23 - Service: Workstation NetLogon Service (�%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
    Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
    Let us know if any problems persist.

    ================

    I need you to also delete these;

    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\system32\svcnt.exe
  • Jamesy
    edited July 2005
    All right I did all that you said and here are the logfiles.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:30:49 PM, on 7/17/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
    O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
    O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe (file missing)
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)

    smitfiles log:
    Pre-run Files Present

    ~~~ Program Files ~~~

    ~~~ Shortcuts ~~~

    ~~~ Favorites ~~~

    ~~ system32 folder ~~~

    intel32.exe

    ~~~ Windows directory ~~~

    ~~~ Drive root ~~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Post-run Files Present

    ~~~ Program Files ~~~

    ~~~ Shortcuts ~~~

    ~~~ Favorites ~~~

    ~~~ system32 folder ~~~

    ~~~ Windows directory ~~~

    ~~~ Drive root ~~~

    ~~~ Wininet.dll ~~~

    CLEAN!


    Incident Status Location

    Adware:adware/superspider No disinfected C:\PROGRAM FILES\q330994.exe
    Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\AntivirusGold 2.0.lnk
    Adware:adware/portalscan No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\adlinstallwin32.exe
    Adware:adware/sahagent No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\bundletracking.asp
    Adware:adware/adsmart No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\pi.sys
    Spyware:spyware/istbar No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\shortcuts.txt
    Spyware:spyware/bridge No disinfected C:\WINDOWS\SYSTEM32\bridge.dll
    Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
    Adware:adware/startpage.id No disinfected C:\msdos.exe
    Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
    Adware:adware/addestroyer No disinfected C:\PROGRAM FILES\AdDestroyer
    Adware:adware/apropos No disinfected C:\PROGRAM FILES\AutoUpdate
    Adware:adware/downloadware No disinfected C:\PROGRAM FILES\Recommended Hotfix - 421701D
    Adware:adware/searchexe No disinfected C:\PROGRAM FILES\se
    Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevancy
    Spyware:spyware/surfsidekick No disinfected C:\PROGRAM FILES\SurfSideKick 2
    Adware:adware/topconvert No disinfected C:\PROGRAM FILES\TopConverting
    Adware:adware/virtualbouncer No disinfected C:\PROGRAM FILES\VBouncer
    Adware:adware/wupd No disinfected C:\PROGRAM FILES\Windows ServeAd
    Adware:adware/powerscan No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\START MENU\PROGRAMS\Power Scan
    Adware:adware/sqwire No disinfected C:\PROGRAM FILES\COMMON FILES\tsa
    Adware:adware/ncase No disinfected C:\TEMP\FLEOK
    Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
    Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
    Adware:adware/cws No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\John\Local Settings\Temp\SskUpdater.exe
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\0LY7C96N\auto_update[1]
    Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\global[1].css
    Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\global[2].css
    Adware:Adware/Xupiter No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\OELoader[1].cab[OELoader.dll]
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\Playstation%202_19621_Bujingai_cheats[1].html[Playstation%202_19621_Bujingai_cheats[1]]
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\Playstation%202_19621_Bujingai_cheats[2].html
    Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\CA2JSJ70.HTM
    Virus:VBS/Psyme.X No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\hardmansp[1].chm[1.htm]
    Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\hardmansp[1].chm[on-line.exe]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\3U0JB58D\hosts[1]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4L0HABGX\loaderadv234[1].jar[Dummy.class]
    Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\CAXNND79.HTM
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[1]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[2]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[3]
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\mt[1].htm
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4TUNKXIZ\hosts[1]
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\auto_update[1]
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\auto_update[2]
    Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\BUEK2QUA\CAYFWLI3.HTM
    Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\DBVBDLKE\CADWQ99J.HTM
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GBTRUUVT\auto_update[1]
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GX87CJGJ\TBPS[1].cab[TBPS.exe]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\hosts[1]
    Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\new2[3].chm[new2.html]
    Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\new2[4].chm[new2.html]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IPCR6D25\hosts[1]
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IR63QTIR\auto_update[1]
    Adware:Adware/NetPals No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\nce9rck[1].cab[ATPartners.inf]
    Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\PRJV5LKA\CAUH4FWZ.HTM
    Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\CA7ZR93N.HTM
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\hosts[1]
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\hosts[2]
    Virus:Exploit/DialogArg Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\2[1].htm
    Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\hosts[1]
    Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\stc[1].htm
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\bridge-c18[1].cab[BridgeX.inf]
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\bridge-c18[2].cab[BridgeX.inf]
    Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\CABAEDB7.HTM
    Adware:Adware/Gator No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\hdplugin_1019_bundle33v1d33[1].cab
    Adware:Adware/PortalScan No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\adlinstallwin32.exe
    Spyware:Spyware/Smitfraud No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\AGLanguage.ini
    Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\pggo.exe
    Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\2H7O14RI\wayofthesamurai2[1].htm
    Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\9RVRPXWE\alien[1].cab
    Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\9RVRPXWE\alien[1].cab[mm63.INF]
    Spyware:Spyware/Smitfraud No disinfected C:\Documents and Settings\shari.SHERRIE-N0QRH1B\Local Settings\Temp\AGLanguage.ini
    Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\rainbow\classify.dll
    Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsuninst.exe
    Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevancy\uninstall.exe
    Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
    Virus:Trj/Downloader.DLH Disinfected C:\WINDOWS\system32\abirvalg32.dll
    ewido security suite - Scan report

    + Created on: 6:48:10 PM, 7/17/2005
    + Report-Checksum: 14F70926

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{0F9561D0-03B2-44a3-89A6-E95E417CBA25} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7E5B9131-9DA3-5441-BE0E-FA6A3B539A96} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{491BE5B7-A7F8-40EC-AAD4-CBA11FDFD814} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{29358AA6-679D-44EA-8A51-59A3C6E6F811} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\Windows ServeAd -> Spyware.BlazeFind : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;pg=8t15d;pu=1;sz=1x1;tile=1;ord=5921690717[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;pu=1;sz=1x1;tile=1;ord=4996976404[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;zc=67219;wx1=34;wx2=03;wx3=35;wx4=07;wx5=15;wx6=06;wxtmp=0;pg=5daho;;pu=1;sz=1x1;tile=1;ord=1017977408168[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\D8C7LT05\freedownloads[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ELNSDKB6\links[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\GHEN8XMZ\AppWrap[2].exe -> TrojanDropper.Small.of : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\GHEN8XMZ\AppWrap[3].exe -> TrojanDropper.Small.of : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\consumerinfo2[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\featuredartists[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\music[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\accuweather;in=home;pu=1;sz=1x1;tile=3;ord=5183278997[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\accuweather;in=video;;pu=1;sz=1x1;tile=1;ord=1019098106121[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\YRON0Z81\accuweather;in=home;pu=1;sz=1x1;tile=1;ord=1017885011186[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\AppWrap[1].exe -> TrojanDropper.Small.of : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\AppWrap[2].exe -> TrojanDropper.Small.of : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\bridge-c3[1].cab/BridgeX.dll -> TrojanDownloader.Briss.a : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails1[1].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails1[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails2[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails2[3].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails3[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails4[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\AppWrap[1].exe -> TrojanDropper.Small.of : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\hikaru[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\sonypictures[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\8TQJW9AF\pczx2[1].cab/pczx2.dll -> TrojanDownloader.Rameh.b : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GHQZG5YR\tb3[1].cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IR63QTIR\hdplugin_1019_bundle43v5d33[1].cab/HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\X7NFL1OE\netslv32_EN_XP[1].cab/netslv32.dll -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\cell[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[3].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[4].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[5].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\frieza[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[3].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[4].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\index[5].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\index[6].html -> Backdoor.IRC.Sitex : Cleaned with backup
    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\secure[1].php -> TrojanDownloader.Psyme.i : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\0JRO0RG8\4657[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,2554,1-9696-All,00[2].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond--2,00[1].html -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,4006,1-9696-11665-1,00[1].html -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond-,00[1].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond--3,00[1].html -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\home[3].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\shari.SHERRIE-N0QRH1B\Cookies\shari@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\WINDOWS\adddh32.dll:rymftf -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\addoq32.dll:enkery -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\explorer.exe:zeajf -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\javaab.dll:hhovf -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\mfclk32.dll:vywac -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\msdfmap.ini:lzanxe -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\NOTEPAD.EXE:xrcuf -> TrojanDownloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\ntea.dll:walgur -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\ntea.dll:wghzvi -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\ntuq.dll:fvdly -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\ntuq.dll:ohzfps -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\patch.exe:axshwv -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\patch.exe:uqxyde -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\syshs.dll:ovxymk -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\system32\cool.exe -> Backdoor.SdBot : Cleaned with backup
    C:\WINDOWS\system32\svcnt.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
    C:\WINDOWS\system32\TFTP2356 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
    C:\WINDOWS\system32\TFTP3636 -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\winhlp32.exe:glcgh -> TrojanDownloader.Agent.ap : Cleaned with backup


    ::Report End
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    You still have some entries there that need removing.

    ===============

    When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

    ===============

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    PSGuard
    TIBS

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Run HiJackThis, click "Scan", then check(tick) the following, if present:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll (file missing)

    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O23 - Service: Workstation NetLogon Service (?%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\System32\intel32.exe

    folder(s)...

    C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • Jamesy
    edited July 2005
    It seems that I am having problems locating:

    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\System32\intel32.exe
    C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard     (it is not on the desktop)

    Also the programs:

    PSGuard
    TIBS

    Are not on the Add/Remove List. Though I did do the checking and the "Fix Checked" with the HiJackThis and the service pack from Microsoft.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    It is possible that those entries were orphaned. If you have rebooted since my last post, rescan with hijackthis and post another log. Otherwise, reboot now and do it please.
  • Jamesy
    edited July 2005
    The new log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:54:36 PM, on 7/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
    C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
    O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
    O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{949291CE-0D01-4A25-8760-5A3CD5F17B76}: NameServer = 151.164.1.8 206.13.28.12
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    First, Disconnect from the Internet!!

    (Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
    ____
    Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
    Save in: Desktop
    File Name: fixme.reg
    Save as Type: All files
    Click: Save

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

    Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

    Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also have to re-install IE-SpyAd if installed.

    =========

    Start>>Run and type regedit
    Press enter.
    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service (�%AF夶À¨)

    If Workstation NetLogon Service (�%AF夶À¨) exists , right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service (�%AF夶À¨)

    If LEGACY_Workstation NetLogon Service (�%AF夶À¨) exists then right click on it and choose delete from the menu.
  • Jamesy
    edited July 2005
    Well, I created the file as you said but I cannot locate the files you gave to delete. That is all I know. What was I doing? Was there something bad I'm assuming?
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    Might just be an orphaned entry :).
    Download Registrar Lite from here:
    http://www.resplendence.com/download/reglite.exe

    Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

    Install, run, copy and paste this line to reglite's address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.
  • Jamesy
    edited July 2005
    Okay, well I did all that you said to do and put in into the address bar but "AppInit_DLLs" was no where on the right side panel. I had to search for it with the search button. What I found I am not sure what to put.

    There's a value name which has: AppInit_DLLs
    There's just a value which has: SYS:Microsoft\Windows NT\CurrentVersion\Windows

    Also a type, type no. and size. Not sure if those were needed either. Hopefully I posted what you needed.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    Looks like it is just an orphaned entry after all. I would say that you are right to go now :). How is you PC behaving now?
  • Jamesy
    edited July 2005
    Well it is behaving fine now. Only thing that came of concern was on the day you told me to "First disconnect from the internet!" and the instructions that followed I ran Ad-Aware Personal and it came up with some files that posed a 10 threat rating. However ever since it dealt with them that has not came up again. Over all things seem okay. I must greatly thank you for all that you have done and assisted with, ever much so, I thank you.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    Jamesy, you are most welcome :).
  • Jamesy
    edited July 2005
    Well I might have one problem with the PC I just found out. It seems that I cannot turn off the firewall. When I try to go to the settings a box pops up that says. "Due to an unknown problem the firewall settings cannot be displayed" You see I wanted to sent something through Yahoo! Messenger and it won't let me because of the firewall being on.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited July 2005
    That one I have no clue. Sorry :(.
Sign In or Register to comment.