aurora popup virus...please help
All I know is I've had the Aurora popup virus for a few weeks and it keeps getting worse. I've read a lot of different ways of how to get rid of it but nothing seems to work for me.
Can someone tell me exactly what I need to do to get this living hell of a computer bug off of my system.
Thanks,
sonofgondor1219
Scan saved at 5:45:31 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\pezqxne.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hccbe.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\exp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\grp2dvag.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\eZula\mmod.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {430148A3-F43A-FEEF-65B6-800D808DF5ED} - C:\WINDOWS\system32\dbnugk.dll
O2 - BHO: (no name) - {4A0148A6-F44C-8C99-65B3-F70D878DF5E9} - C:\WINDOWS\system32\dbnugk.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EFBEF3DB-4162-3CB6-4C62-1A5332F652EF} - C:\WINDOWS\system32\vqib.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [vEtX36e] hccbe.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [cdcbfp] c:\windows\system32\pezqxne.exe r
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [Utqgai] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [ep27RWKFl] grp2dvag.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING11.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/213d24961cc06d8ad823/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096647604687
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\wiock32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Download the trial version of ewido security suite:
http://www.ewido.net/en/download/
Save the setup file to a convenient location such as your desktop. Run the setup file for ewido. Open ewido and update it. Run a full system scan with ewido, removing all files it locates.
Run two of these online scans:
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/
Make sure all hidden files can be viewed.
Post a new Hijack This log.
Thanks for all your help.
Please download the Nailfixutility.
DO NOT run it yet.
Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next, run Ewido again.
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following item:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Now, run CCleaner.
1. Uncheck "Cookies" under "Internet Explorer".
2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
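The F2 line the helper asks to fix (a second program appended to the Winlogon Shell value), the unnamed BHOs that share one DLL, the Run values with no directory, the "?ttrib.exe" look-alike and the Winlogon Notify DLL can all be picked out of a HijackThis log mechanically. The script below is an added example for this thread, not part of HijackThis, ewido or any tool the helper names. It runs a few triage heuristics over constructed lines modelled on the posted logs; the allow-list of stock Winlogon Notify DLLs and the tag names are assumptions, and every hit is a "look closer", not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 log format, modelled on the entry
# shapes in the posted logs: a Shell= hijack, unnamed and duplicate BHOs,
# a bare Run value, a look-alike filename and a Winlogon Notify DLL.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {430148A3-F43A-FEEF-65B6-800D808DF5ED} - C:\WINDOWS\system32\dbnugk.dll
O2 - BHO: (no name) - {4A0148A6-F44C-8C99-65B3-F70D878DF5E9} - C:\WINDOWS\system32\dbnugk.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vEtX36e] hccbe.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Utqgai] C:\WINDOWS\system32\?ttrib.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\wiock32.dll
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumption: the DLLs behind the stock Windows XP SP2 Winlogon\Notify subkeys.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def run_target(cmd):
    """What a Run value really loads: the quoted executable, or for rundll32
    the DLL argument (minus its entry point), else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def triage(log_text):
    """Return [(tag, line)] for entries worth a second look, in log order."""
    findings = []
    bho_lines_by_dll = defaultdict(list)
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        if m := SHELL_RE.match(line):
            # The Winlogon Shell value should be exactly Explorer.exe; anything
            # appended is started as part of the user's shell at every logon.
            extra = [p for p in m.group("value").split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-hijack:" + " ".join(extra), line))
        elif m := BHO_RE.match(line):
            name, path = m.group("name"), m.group("path")
            if name == "(no name)" or path == "(no file)" or "(file missing)" in path:
                findings.append(("bho-unnamed-or-orphan", line))
            if "\\" in path:
                dll = basename(path.replace(" (file missing)", "")).lower()
                bho_lines_by_dll[dll].append(line)
        elif m := RUN_RE.match(line):
            target = run_target(m.group("cmd"))
            fname = basename(target)
            if any(c == "?" or ord(c) > 126 for c in fname):
                # HijackThis prints '?' for a character the console code page cannot
                # show; a name one glyph away from attrib.exe is a look-alike.
                findings.append(("lookalike-filename:" + fname, line))
            elif "\\" not in target:
                # No directory: resolved through the search path, so the binary
                # may sit in any of several directories and be replaced there.
                findings.append(("run-bare-filename:" + fname, line))
        elif m := NOTIFY_RE.match(line):
            dll = basename(m.group("path")).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                # Notify DLLs are loaded by winlogon.exe at logon, Safe Mode included,
                # which is why such entries survive ordinary cleanup.
                findings.append(("winlogon-notify-dll:" + dll, line))
    for dll, lines in bho_lines_by_dll.items():
        if len(lines) > 1:
            # One DLL under several CLSIDs: fixing a single O2 line is not enough.
            findings.append(("bho-duplicate-dll:" + dll, lines[0]))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:40} {line}")
```

Run against the full logs above, the bare-filename rule also hits legitimate vendor entries such as AGRSMMSG.exe and nwiz.exe, which is the point of a triage pass: it shortens the list of lines to ask about, it does not decide what to fix.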
ewido security suite - Scan report
+ Created on: 11:58:33 PM, 8/3/2005
+ Report-Checksum: 8055481A
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned with backup
HKU\S-1-5-21-1498679233-2411367660-3921838442-1007\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1498679233-2411367660-3921838442-1007\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1498679233-2411367660-3921838442-1007\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1498679233-2411367660-3921838442-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
[720] C:\WINDOWS\system32\mejter35.dll -> Spyware.Look2Me : Cleaned with backup
[944] C:\WINDOWS\system32\soreamci.dll -> Spyware.Look2Me : Error during cleaning
[996] C:\WINDOWS\system32\nswrssk.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\michael valalik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b42299-4308fa23.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\michael valalik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b42299-4308fa23.zip/Beyond.class -> Trojan.Femad : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Cookies\michael valalik@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\Del26.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\res27.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\resF8.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr1844 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr1F6F -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr22E6 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr25E7 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr5631 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr5AA8 -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr5D66 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr650E -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr6EF7 -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr7ED9 -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.fr90A6 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frA8EF -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frBC69 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frC5F6 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frC862 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frD189 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frD31B -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frD583 -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frF23D -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frF4AA -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\temp.frF79C -> Spyware.IBIS : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\__delete_on_reboot__QAGITPQA.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\__delete_on_reboot__umqltg4cl_.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temp\__delete_on_reboot__zxinst12.exe -> Trojan.Zx.12 : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temporary Internet Files\Content.IE5\G5M74XUZ\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\michael valalik\Local Settings\Temporary Internet Files\Content.IE5\RESVFT8X\!update-2234[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\094VORUH\!update-2244[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\094VORUH\!update-2264[1].0000 -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\094VORUH\!update-2264[2].0000 -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WF4ROVMZ\!update-2234[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\eZula\__delete_on_reboot__chcon.dll -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\__delete_on_reboot__seng.dll -> Adware.eZula : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp -> Spyware.MarketScore : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mejter35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\nswrssk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wiock32.dll -> Spyware.Look2Me : Cleaned with backup
Logfile of HijackThis v1.99.1
Scan saved at 12:00:15 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\michael valalik\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.shopnav.com/sidesearch.cgi?uid=11603987&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {430148A3-F43A-FEEF-65B6-800D808DF5ED} - C:\WINDOWS\system32\dbnugk.dll (file missing)
O2 - BHO: (no name) - {4A0148A6-F44C-8C99-65B3-F70D878DF5E9} - C:\WINDOWS\system32\dbnugk.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EFBEF3DB-4162-3CB6-4C62-1A5332F652EF} - C:\WINDOWS\system32\vqib.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [vEtX36e] hccbe.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [llhvsu] c:\windows\system32\lbknbh.exe r
O4 - HKCU\..\Run: [Utqgai] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [ep27RWKFl] grp2dvag.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING11.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/213d24961cc06d8ad823/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096647604687
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\soreamci.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Download Ad-Aware SE and save the setup file to a convenient location. Run the setup file and create a shortcut to your desktop. Open Ad-Aware SE and click "check for updates now." Once Ad-Aware has updated, exit Ad-Aware for now.
Download Spybot Search & Destroy and save the setup file to a convenient location. Run the setup file and create a shortcut to your desktop. During the setup process Spybot will take you through several steps before being able to run the program. One of these is to update Spybot, so make sure you update it now and then exit Spybot.
Download Killbox and save the zipped file to a convenient location. Open the zipped file and extract all files. Move the Killbox icon to your desktop. Exit Killbox for now.
Open start menu and navigate to your add/remove programs list. Uninstall these programs:
Bullseye network
SurfSideKick 3
Navisearch-if it exists
180searchassistant
Run HijackThis and place a checkmark next to these entries, then click Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...d=11603987&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...d=11603987&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...d=11603987&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...d=11603987&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidese...d=11603987&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.shopnav.com/sidese...d=11603987&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {430148A3-F43A-FEEF-65B6-800D808DF5ED} - C:\WINDOWS\system32\dbnugk.dll (file missing)
O2 - BHO: (no name) - {4A0148A6-F44C-8C99-65B3-F70D878DF5E9} - C:\WINDOWS\system32\dbnugk.dll (file missing)
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [vEtX36e] hccbe.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [llhvsu] c:\windows\system32\lbknbh.exe r
O4 - HKCU\..\Run: [Utqgai] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [ep27RWKFl] grp2dvag.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING11.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/213d249...ip/RdxIE601.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\soreamci.dll
Now delete these files or directories if they exist. If you can't find them do not worry:
C:\Program Files\SurfSideKick 3
C:\WINDOWS\ttext.dll
C:\WINDOWS\dsr.dll
C:\WINDOWS\system32\dbnugk.dll
C:\WINDOWS\dinst.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\Program Files\Media Access
c:\program files\180searchassistant
C:\WINDOWS\ttupt.exe
C:\Program Files\BullsEye Network
C:\Program Files\NaviSearch
C:\Program Files\CashBack
C:\Program Files\SurfSideKick 3
c:\windows\system32\lbknbh.exe
C:\WINDOWS\system32\?ttrib.exe
C:\Program Files\ipee
C:\WINDOWS\system32\sndser.exe
C:\WINDOWS\system32\soreamci.dll
Now open Killbox. In the "path of file to delete" copy and paste
C:\WINDOWS\Nail.exe
Check the delete on reboot option. Click delete (red button with white X). Killbox will ask if you want to proceed. Click yes.
Reboot into safe mode. To enter safe mode, once rebooted tap the F8 key at startup until the menu appears. From the menu select Safe Mode.
Now run a "Full System Scan" with Ad-Aware SE and Spybot S&D, making sure to remove all items detected.
Now repeat this step to ensure you have removed this file:
Now open Killbox. In the "path of file to delete" copy and paste
C:\WINDOWS\Nail.exe
Check the delete on reboot option. Click delete (red button with white X). Killbox will ask if you want to proceed. Click yes.
Reboot into normal mode.
Run ewido security suite. Be sure ewido is updated with the latest signatures.
Run two of these online scans:
Activescan
Bitdefender
Housecall
Save the results from ActiveScan and post them with a new HijackThis log.
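The fix list above is produced by reading the log section by section: an F2 Shell= value that starts anything besides Explorer.exe, O2/O3 entries whose DLL is already gone, O4 Run targets that are bare file names or randomly named files under \WINDOWS, O16 controls downloaded from advertising hosts, and O20 Winlogon Notify DLLs that are not Windows' own. The script below, added here as an example and not part of the original thread or of HijackThis itself, applies those checks to a few constructed lines modelled on the logs in this thread. The allowlists, the severity labels and the random-name heuristic are assumptions made for the demo, not HijackThis' own logic.

```python
"""Triage a HijackThis 1.99 log: flag the persistence entries a helper would tell the user to fix."""
import re
import sys
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section body line")
Finding = namedtuple("Finding", "severity section reason line")

# Heuristic allowlists: ASSUMPTIONS for this example, not HijackThis' own lists.
TRUSTED_URL_HOSTS = ("yahoo.com", "google.com", "msn.com", "microsoft.com", "windowsupdate.com",
                     "hp.com", "apple.com", "mcafee.com", "pandasoftware.com", "trendmicro.com")
XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
KNOWN_BARE_RUN = {"agrsmmsg.exe", "nwiz.exe"}   # legitimately listed without a path


def parse_line(line):
    """'O4 - HKLM\\..\\Run: [x] y' -> Entry('O4', 'HKLM\\..\\Run: [x] y', line); None if not an entry."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    return Entry(m.group(1), m.group(2), line.strip()) if m else None


def trusted_host(url):
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_URL_HOSTS)


def looks_random(filename):
    """Consonant-heavy or digit-laden stem ('hccbe', 'dbnugk', 'cfgmgr52'): noisy, hence only 'review'."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 4 or not letters:
        return False
    return any(c.isdigit() for c in stem) or sum(c in "aeiouy" for c in letters) / len(letters) <= 0.25


def run_target(body):
    """Executable named by an O4 entry (for rundll32, the DLL it loads). Unquoted paths may contain spaces."""
    cmd = body.split("] ", 1)[1].strip() if "] " in body else ""
    if re.match(r"rundll32(\.exe)?\s", cmd, re.I):
        cmd = cmd.split(None, 1)[1].split(",")[0]
    if cmd.startswith('"'):
        return cmd[1:].split('"')[0]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|cpl))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return Findings for the entries a helper would put on the 'Fix Checked' list."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        body = e.body

        def flag(sev, why):
            findings.append(Finding(sev, e.section, why, e.line))

        if "(file missing)" in body or "(no file)" in body:
            flag("low", "orphaned registration: file already gone, entry can simply be fixed")
        elif e.section == "F2" and "Shell=" in body:
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                flag("high", "system.ini Shell= starts an extra program with the desktop at every logon")
        elif e.section in ("R0", "R1") and "=" in body:
            if not trusted_host(body.split("=", 1)[1].strip()):
                flag("review", "IE start/search URL points at an untrusted host")
        elif e.section in ("O2", "O3"):
            dll = body.rsplit(" - ", 1)[-1]
            if "\\windows\\" in dll.lower() and looks_random(basename(dll)):
                flag("review", "browser helper DLL with a random name in the Windows directory")
        elif e.section == "O4":
            t = run_target(body)
            if "?" in t:
                flag("high", "Run target has a character HijackThis cannot print: look-alike of a system file name")
            elif "\\" not in t and basename(t) not in KNOWN_BARE_RUN:
                flag("review", "Run target is a bare file name, resolved through the PATH search order")
            elif "\\windows\\" in t.lower() and looks_random(basename(t)):
                flag("review", "randomly named executable in the Windows directory")
        elif e.section == "O16" and not trusted_host(body.rsplit(" - ", 1)[-1]):
            flag("review", "ActiveX control downloaded from an untrusted host")
        elif e.section == "O20" and basename(body.rsplit(" - ", 1)[-1]) not in XP_NOTIFY_DLLS:
            flag("high", "non-Windows Winlogon Notify DLL: loaded by winlogon.exe before any user program runs")
    return findings


# Constructed sample: a handful of lines in HijackThis format, modelled on the logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...d=11603987&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: (no name) - {430148A3-F43A-FEEF-65B6-800D808DF5ED} - C:\WINDOWS\system32\dbnugk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vEtX36e] hccbe.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Utqgai] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [sndser] C:\WINDOWS\system32\sndser.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING11.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096647604687
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\soreamci.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    order = ("high", "review", "low")
    for f in sorted(triage(text), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it with a saved log as the argument, or with no argument to see the sample. "review" means a person still decides: on the full log in this thread the random-name rule also picks up legitimate entries such as NvCpl.dll and hphmon05.exe, which is exactly why it is not "high". The two "high" classes are the ones the Killbox delete-on-reboot step exists for: a program started from Shell= and a DLL loaded by winlogon.exe are in use for the whole session, so a normal delete fails until the next boot.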
Logfile of HijackThis v1.99.1
Scan saved at 7:00:44 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sndser.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\sndser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ei.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\michael valalik\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EFBEF3DB-4162-3CB6-4C62-1A5332F652EF} - C:\WINDOWS\system32\vqib.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\RunOnce: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\Documents and Settings\michael valalik\ezStub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096647604687
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\pplmon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\pplmon.dll
While you are in safe mode run HJT and place a checkmark next to these entries. Then click Fix Checked:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {EFBEF3DB-4162-3CB6-4C62-1A5332F652EF} - C:\WINDOWS\system32\vqib.dll
O4 - HKCU\..\Run: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\RunOnce: [sndser] C:\WINDOWS\system32\sndser.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\Documents and Settings\michael valalik\ezStub.exe
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\pplmon.dll (if it exists in your log)
Now delete these files or folders if they exist:
C:\Program Files\E2G\IeBHOs.dll
C:\WINDOWS\system32\vqib.dll
C:\WINDOWS\system32\sndser.exe
C:\Documents and Settings\michael valalik\ezStub.exe
Then open Killbox. Same procedure as above.
C:\WINDOWS\system32\pplmon.dll
Reboot into normal mode.
Please run these online scans (active links above):
Activescan
Bitdefender
Save the results from ActiveScan and post them with a new HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 10:28:49 AM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ei.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\michael valalik\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096647604687
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\pplmon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
http://www.pandasoftware.com
You will need to shut down any other anti-virus/firewall programs you are currently running.
Install Titanium and run a scan after you update it. Post the scan results here.
EVENT DATE RESULTS ADDITIONAL INFORMATION
Suspicious operation 08/09/05 20:24:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:23:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:22:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Scan completed 08/09/05 20:22:50 Scan: All My Computer
Suspicious operation 08/09/05 20:21:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:20:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/Look2Me 08/09/05 20:20:24 Notified Location:
Suspicious operation 08/09/05 20:19:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:18:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:17:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:16:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:15:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:14:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:13:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/WinTools 08/09/05 20:13:30 Eliminated Location: C:\temp\ZCWEDowST3.exe
Suspicious operation 08/09/05 20:12:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/PurityScan 08/09/05 20:12:04 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc8\othb.exe
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:03 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\logo.gif
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:03 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\icon.gif
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:03 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\bin\cashback.exe
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:02 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc5\Uninstall.exe
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:02 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\bb_auto_wider.swf
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:02 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\bb_click_wider.swf
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:02 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\bb_welcome1.swf
Spyware detected: Spyware/BargainBuddy 08/09/05 20:12:02 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc7\bb_welcome.html
Adware detected: Adware/E2Give 08/09/05 20:11:55 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc12\__delete_on_reboot__IeBHOs.dll
Suspicious operation 08/09/05 20:11:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/Imibar 08/09/05 20:11:51 Eliminated Location: C:\RECYCLER\S-1-5-21-1498679233-2411367660-3921838442-1007\Dc10.dll
Spyware detected: Spyware/MarketScore 08/09/05 20:11:50 Eliminated Location: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq85.tmp
Spyware detected: Spyware/ClearSearch 08/09/05 20:10:59 Eliminated Location: C:\Program Files\ProSiteFinder\l1pugyg9.DLL
Spyware detected: Spyware/ClearSearch 08/09/05 20:10:59 Eliminated Location: C:\Program Files\ProSiteFinder\ekbbmfq4.DLL
Spyware detected: Spyware/ClearSearch 08/09/05 20:10:59 Eliminated Location: C:\Program Files\ProSiteFinder\422hb7c2.DLL
Suspicious operation 08/09/05 20:10:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:09:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:08:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:07:55 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:06:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:05:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:04:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:03:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:02:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:01:54 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:00:53 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:59:53 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:58:52 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:57:52 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:56:52 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:55:51 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:54:51 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/PurityScan 08/09/05 19:54:34 Eliminated Location: c:\windows\system32\shex.exe
Suspicious operation 08/09/05 19:53:51 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:52:51 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:51:50 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:50:50 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/AdLogix 08/09/05 19:50:22 Eliminated Location: c:\windows\system32\oemzuf.exe
Suspicious operation 08/09/05 19:49:49 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:48:49 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:47:49 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:46:49 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:45:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:44:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:43:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:42:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:41:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/PurityScan 08/09/05 19:41:08 Eliminated Location: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AV6D6DMN\!update-2264[1].0000
Suspicious operation 08/09/05 19:40:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 19:39:48 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Spyware detected: Spyware/BargainBuddy 08/09/05 19:38:00 Eliminated Location: C:\Documents and Settings\michael valalik\Desktop\backups\backup-20050804-162947-690
Adware detected: Adware/Imibar 08/09/05 19:37:59 Eliminated Location: C:\Documents and Settings\michael valalik\Desktop\backups\backup-20050804-162947-340.dll
Suspicious operation 08/09/05 19:37:47 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Spyware detected: Spyware/SurfSideKick 08/09/05 19:37:30 Eliminated Location: Windows Registry
Adware detected: Adware/PowerSearch 08/09/05 19:37:17 Eliminated Location: C:\WINDOWS\system32\stlb2.xml
Adware detected: Adware/E2Give 08/09/05 19:37:09 Eliminated Location: Windows Registry
Adware detected: Adware/ExactSearch 08/09/05 19:36:54 Eliminated Location: Windows Registry
Suspicious operation 08/09/05 19:36:47 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/AdLogix 08/09/05 19:36:38 Eliminated Location: Windows Registry
Adware detected: Adware/Look2Me 08/09/05 19:36:25 Eliminated Location: C:\WINDOWS\system32\guard.tmp
Adware detected: Adware/MediaTickets 08/09/05 19:36:08 Eliminated Location: Windows Registry
Spyware detected: Cookie/MyWay 08/09/05 19:36:00 Eliminated Location: C:\Documents and Settings\Guest\Cookies\guest@www.xzoomy[1].txt
Spyware detected: Cookie/Rightmedia 08/09/05 19:36:00 Eliminated Location: C:\Documents and Settings\Guest\Cookies\guest@rightmedia[1].txt
Adware detected: Adware/Sqwire 08/09/05 19:35:59 Eliminated Location: Windows Registry
Adware detected: Adware/AdDestroyer 08/09/05 19:35:53 Eliminated Location: C:\Documents and Settings\michael valalik\Start Menu\Programs\AdDestroyer
Suspicious operation 08/09/05 19:35:47 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/Apropos 08/09/05 19:35:44 Eliminated Location: C:\Program Files\Aprps
Hacking tool detected: Hacktool/Processor 08/09/05 19:35:36 Eliminated Location: C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware detected: Adware/BookedSpace 08/09/05 19:35:34 Eliminated Location: C:\WINDOWS\cfgmgr52.ini
Adware detected: Adware/FunWeb 08/09/05 19:35:28 Eliminated Location: Windows Registry
Adware detected: Adware/nCase 08/09/05 19:35:11 Eliminated Location: C:\Program Files\flashtalk
Spyware detected: Cookie/QuestionMarket 08/09/05 19:34:55 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@questionmarket[1].txt
Spyware detected: Cookie/RealMedia 08/09/05 19:34:55 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@realmedia[2].txt
Spyware detected: Cookie/Zedo 08/09/05 19:34:55 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@zedo[2].txt
Spyware detected: Cookie/Reliablestats 08/09/05 19:34:55 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@stats1.reliablestats[1].txt
Spyware detected: Cookie/Overture 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@overture[1].txt
Spyware detected: Cookie/Errorguard 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@errorguard[1].txt
Spyware detected: Cookie/Belnk 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@dist.belnk[1].txt
Spyware detected: Cookie/BurstNet 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@burstnet[1].txt
Spyware detected: Cookie/Belnk 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@ath.belnk[1].txt
Spyware detected: Cookie/PointRoll 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@ads.pointroll[2].txt
Spyware detected: Cookie/Adrevolver 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@adrevolver[3].txt
Spyware detected: Cookie/Adrevolver 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@adrevolver[1].txt
Spyware detected: Cookie/Banner 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@banner[1].txt
Spyware detected: Cookie/Com.com 08/09/05 19:34:54 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@com[2].txt
Spyware detected: Cookie/Hbmediapro 08/09/05 19:34:53 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@adopt.hbmediapro[2].txt
Spyware detected: Cookie/YieldManager 08/09/05 19:34:53 Eliminated Location: C:\Documents and Settings\michael valalik\cookies\michael valalik@ad.yieldmanager[2].txt
Suspicious operation 08/09/05 19:34:47 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Spyware detected: Spyware/SurfSideKick 08/09/05 19:34:27 Eliminated Location: Windows Registry
Adware detected: Adware/PowerSearch 08/09/05 19:34:22 Eliminated Location: C:\WINDOWS\system32\stlb2.xml
Adware detected: Adware/E2Give 08/09/05 19:34:19 Eliminated Location: C:\Program Files\E2G
Adware detected: Adware/ExactSearch 08/09/05 19:34:14 Eliminated Location: Windows Registry
Adware detected: Adware/AdLogix 08/09/05 19:34:06 Eliminated Location: Windows Registry
Adware detected: Adware/Look2Me 08/09/05 19:34:04 Eliminated Location: C:\WINDOWS\system32\guard.tmp
Adware detected: Adware/MediaTickets 08/09/05 19:33:55 Eliminated Location: Windows Registry
Adware detected: Adware/Sqwire 08/09/05 19:33:54 Eliminated Location: Windows Registry
Adware detected: Adware/AdDestroyer 08/09/05 19:33:51 Eliminated Location: C:\Documents and Settings\michael valalik\Start Menu\Programs\AdDestroyer
Adware detected: Adware/Apropos 08/09/05 19:33:49 Eliminated Location: C:\Program Files\Aprps
Suspicious operation 08/09/05 19:33:46 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/BookedSpace 08/09/05 19:33:45 Eliminated Location: C:\WINDOWS\cfgmgr52.ini
Adware detected: Adware/FunWeb 08/09/05 19:33:44 Eliminated Location: Windows Registry
Adware detected: Adware/nCase 08/09/05 19:33:31 Eliminated Location: C:\Program Files\flashtalk
Adware detected: Adware/Gator 08/09/05 19:33:28 Eliminated Location: C:\WINDOWS\FT*_GEPFAH.EXE
Adware detected: Adware/SaveNow 08/09/05 19:33:25 Eliminated Location: Windows Registry
Suspicious operation 08/09/05 19:32:46 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Update 08/09/05 19:32:31 OK New virus signatures: 9020
Suspicious operation 08/09/05 19:32:11 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Scan started 08/09/05 19:31:44 Scan: All My Computer
Suspicious operation 08/09/05 19:31:12 Blocked Application: C:\DOCUMENTS AND SETTINGS\MICHAEL VALALIK\LOCAL SETTINGS\TEMP\EI.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Connection attempt 08/09/05 19:29:56 Blocked Source IP address: 192.168.1.1
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
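The scan log posted above is newest-first and mixes one-off detections with a once-a-minute stream of blocked registry writes from PRISDE.EXE; it also reports the same items (for example Adware/Look2Me's guard.tmp and the SurfSideKick registry entries) as "Eliminated" twice a few minutes apart, which is what a component that re-creates itself after removal looks like in a scanner log, and why the helper's reply moves on to a dedicated "Find Log" tool rather than another scan. As an added example, not code from this thread, from Panda or from L2MFix, here is a small Python triage script that parses this log format, sorts it chronologically, measures the cadence of blocked operations per application, and lists locations eliminated more than once. SAMPLE_LOG is a subset of the lines posted above copied verbatim; the line grammar it assumes (kind, date, time, optional status, then one "Field: value" pair) is inferred from those lines only.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Subset of the scan log posted in the thread above (copied verbatim, newest first).
SAMPLE_LOG = r"""
Suspicious operation 08/09/05 20:18:57 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:17:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:16:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Suspicious operation 08/09/05 20:15:56 Blocked Application: C:\WINDOWS\SYSTEM32\PRISDE.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Adware detected: Adware/WinTools 08/09/05 20:13:30 Eliminated Location: C:\temp\ZCWEDowST3.exe
Adware detected: Adware/PurityScan 08/09/05 19:54:34 Eliminated Location: c:\windows\system32\shex.exe
Spyware detected: Spyware/SurfSideKick 08/09/05 19:37:30 Eliminated Location: Windows Registry
Adware detected: Adware/Look2Me 08/09/05 19:36:25 Eliminated Location: C:\WINDOWS\system32\guard.tmp
Hacking tool detected: Hacktool/Processor 08/09/05 19:35:36 Eliminated Location: C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Spyware detected: Spyware/SurfSideKick 08/09/05 19:34:27 Eliminated Location: Windows Registry
Adware detected: Adware/Look2Me 08/09/05 19:34:04 Eliminated Location: C:\WINDOWS\system32\guard.tmp
Update 08/09/05 19:32:31 OK New virus signatures: 9020
Scan started 08/09/05 19:31:44 Scan: All My Computer
Suspicious operation 08/09/05 19:31:12 Blocked Application: C:\DOCUMENTS AND SETTINGS\MICHAEL VALALIK\LOCAL SETTINGS\TEMP\EI.EXE - Operation: These CLSID are installed by Spyware. We deny all Applications to create these registry entries.
Connection attempt 08/09/05 19:29:56 Blocked Source IP address: 192.168.1.1
"""

# Assumed grammar of one line: "<kind> <MM/DD/YY> <HH:MM:SS> [<status>] <Field>: <value>".
# <status> (Blocked / Eliminated / OK) is absent on the "Scan started" line.
LINE_RE = re.compile(
    r"^(?P<kind>.+?) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?:(?P<status>[A-Za-z]+) )?(?P<field>[A-Za-z][A-Za-z ]*): (?P<value>.*)$"
)


def parse_line(line):
    """Return one event dict for a log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "Adware detected: Adware/WinTools" -> category + family; "Update" -> no family.
    category, _, family = m["kind"].partition(": ")
    value, operation = m["value"], None
    if m["field"] == "Application" and " - Operation: " in value:
        value, operation = value.split(" - Operation: ", 1)
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S"),
        "category": category,
        "family": family or None,
        "status": m["status"],
        "field": m["field"],
        "value": value,
        "operation": operation,
    }


def parse_log(text):
    """Parse every matching line and return the events oldest-first."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["when"])


def blocked_cadence(events):
    """Per application: how many registry writes were blocked and the median gap between them."""
    times = defaultdict(list)
    for e in events:
        if e["category"] == "Suspicious operation" and e["status"] == "Blocked":
            times[e["value"].lower()].append(e["when"])
    report = {}
    for app, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        report[app] = {"count": len(ts), "median_gap_s": statistics.median(gaps) if gaps else None}
    return report


def repeated_eliminations(events):
    """(family, location) pairs reported Eliminated more than once: the item came back."""
    seen = Counter((e["family"], e["value"]) for e in events if e["status"] == "Eliminated")
    return {key: n for key, n in seen.items() if n > 1}


def family_summary(events):
    """Detections per malware family, counting repeats."""
    return Counter(e["family"] for e in events if e["status"] == "Eliminated")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("cadence of blocked registry writes:", blocked_cadence(evs))
    print("eliminated more than once:", repeated_eliminations(evs))
    print("by family:", family_summary(evs))
```

A steady median gap of about 60 seconds from a single executable, together with the same path being eliminated more than once in one session, is the pattern to look for before deciding that another on-demand scan is pointless and a tool that targets the respawning component is needed; on the full log above the same two functions give the once-a-minute PRISDE.EXE cadence and a longer list of repeats (guard.tmp, stlb2.xml, cfgmgr52.ini and several registry-only entries).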