AIM virus/pictures.pif

I got a virus from a friend that sent me an IM with a link to look at pictures from New Year's. AIM will randomly open itself, and I cannot open Task Manager unless I'm in safe mode. Windows Update is current; I have Norton, Ad-Aware and Spybot. Norton caught the virus when it was downloaded but I guess didn't prevent it from getting into my system. I didn't notice it until my AIM started to switch my screenname to away by itself and began autoresponding the same link message to anyone that IMed me. I know of at least one person that got infected from me. Norton isn't detecting anything and neither is Spybot or Ad-Aware.

HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:33 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\SERVICESMS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Common Files\AOL\1133842516\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Services Messenger] SERVICESMS.EXE
O4 - HKCU\..\RunOnce: [Services Messenger] SERVICESMS.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



Any help is appreciated, thanks a bunch!

Comments

  • Trogan London, UK
    edited January 2006
    Welcome to Short-Media :)

    Let's remove the Vundo infection first.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      It should look like this:
      VundoFix V2.1 by Atri
      By pressing enter you agree that you are using this at your own risk
    • At this point press enter one time.
    • Next you will see:
      Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\mllmn.dll


    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
      Please type in the second filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    • At this point please type the following file path (make sure to enter it exactly as below!):

        C:\WINDOWS\system32\nmllm.*



    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

          O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
          O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmn.dll
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

          O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll




    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please continue with the instructions below.


          Then, please run this online virus scan: ActiveScan

          Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
        • edited January 2006
          Hey, I had a few issues running everything; the Enter-F6-Enter never came up, so I just used Enter. Here are my logs.

          VUNDO:

          VundoFix V2.15 by Atri

          Listing files contained in the vundofix folder.

          killvundo.bat
          process.exe
          ReadMe.txt
          vundo.reg
          vundofix.txt


          Filepaths entered

          The filepath entered was C:\windows\system32\mllmn.dll

          The second filepath entered was C:\windows\system32\nmllm.*


          Log from Process


          Killing PID 132 'smss.exe'

          Killing PID 728 'explorer.exe'
          Killing PID 728 'explorer.exe'
          Killing PID 728 'explorer.exe'


          Killing PID 208 'winlogon.exe'

          C:\windows\system32\mllmn.dll Deleted sucessfully.
          C:\windows\system32\nmllm.* Deleted sucessfully.

          Fixing Registry


          ACTIVESCAN:


          Incident Status Location

          Virus:Trj/Moli.CN Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZCPN0SKI\raser[1].exe
          Virus:Bck/Sdbot.GBY Not disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\Cache\BD112732d01
          Virus:W32/Gaobot.batch Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\r.bat
          Virus:W32/IRCBot.RC.worm Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U17S9G3A\di[1].exe
          Virus:Bck/Sdbot.GBY Not disinfected C:\Documents and Settings\Owner\My Documents\pictures.pif
          Virus:W32/IRCBot.RC.worm Not disinfected C:\fhjirhj.exe
          Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
          Virus:W32/IRCBot.RC.worm Not disinfected C:\WINDOWS\NITEAIM.EXE
          Virus:Bck/Sdbot.GBY Not disinfected C:\WINDOWS\system32\CdROM Drivers
          Virus:Trj/Moli.CN Not disinfected C:\WINDOWS\system32\ddccc.dll
          Virus:Trj/Moli.CN Not disinfected C:\WINDOWS\system32\pmnnk.dll
          Virus:Trj/Moli.CN Not disinfected C:\WINDOWS\system32\vtsqp.dll
          Adware:adware/popupsandbanners Not disinfected C:\WINDOWS\teller2.chk

          HJT:

          Logfile of HijackThis v1.99.1
          Scan saved at 1:11:54 PM, on 1/3/2006
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Norton AntiVirus\navapsvc.exe
          C:\Program Files\Norton AntiVirus\SAVScan.exe
          C:\WINDOWS\System32\wltrysvc.exe
          C:\WINDOWS\System32\bcmwltry.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\Program Files\Winamp\winampa.exe
          C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\WINDOWS\system32\SERVICESMS.EXE
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Common Files\AOL\1133842516\ee\aolsoftware.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\HJT\HijackThis.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
          O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmn.dll (file missing)
          O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
          O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
          O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
          O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [Services Messenger] SERVICESMS.EXE
          O4 - HKCU\..\RunOnce: [Services Messenger] SERVICESMS.EXE
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
          O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
          O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
          O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
        • Trogan London, UK
          edited January 2006
          Download Ewido Security Suite
          1. Install ewido security suite
          2. When installing the program, under "Additional Options" uncheck:
            • Install background guard
            • Install scan via context menu
          3. Launch ewido, there should now be an icon on your desktop, double-click it.
          4. The program will now open to the main screen.
          5. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
          6. You will need to update ewido to the latest definition files:
            • On the left hand side of the main screen click update.
            • Then click on Start Update.
          7. The update will start and a progress bar will show the updates being installed.
            (the status bar at the bottom will display "Update successful")
          8. EXIT for now
          --


          You may want to print these instructions or save them as you'll have no internet connection once in Safe Mode

          View hidden files and folders - explained here

          Go into Safe Mode - explained here
          --


          Run HiJackThis then:

          1. Click "Open the Misc Tools Section"
          2. Click "Open Process manager"

          -

          Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

          C:\windows\adtech2005.exe

          Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
          --


          Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first

          O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
          O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmn.dll (file missing)
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

          O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe

          O4 - HKLM\..\Run: [Services Messenger] SERVICESMS.EXE
          O4 - HKCU\..\RunOnce: [Services Messenger] SERVICESMS.EXE

          O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)

          O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)

          --


          Find and Delete the following if found:

          C:\windows\adtech2005.exe << this file
          C:\WINDOWS\smncs.exe << this file
          C:\WINDOWS\drsmartload.dat << this file
          C:\WINDOWS\NITEAIM.EXE << this file

          C:\WINDOWS\system32\ddccc.dll << this file
          C:\WINDOWS\system32\pmnnk.dll << this file
          C:\WINDOWS\system32\vtsqp.dll << this file

          C:\fhjirhj.exe << this file
          --

          We need to do a search. Click Start > Search > All Files and Folders.
          Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
          Paste this into the Search for files and folders named box:

          SERVICESMS.EXE

          If any of these files are found please delete them.
          --

          Clear out your Temporary internet files and other temp files.
          Go to Start > Settings > Control Panel > Internet Options.
          Under the General tab click the Delete temporary internet files,
          delete all Offline content as well. Clear out Cookies.

          Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

          Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

          C:\Documents and Settings\username\Local Settings\Temp\

          In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

          Empty the Recycle Bin.
          --

          Run Ewido (Do not use the computer while Ewido is scanning as it may interrupt the scan)
          • Click on scanner
          • Click Complete System Scan and the scan will begin.
          • NOTE: During some scans with ewido it is finding cases of false positives.
          • You will need to step through the process of cleaning files one-by-one.
          • If ewido detects a file you KNOW to be legitimate, select none as the action.
          • DO NOT select "Perform action on all infections"
          • If you are unsure of any entry found select none for now.
          • When the scan is finished, click the Save report button at the bottom of the screen.
          • Save the report to your desktop
          Close Ewido
          --


          Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
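
Added example (not part of the original posts, and not HijackThis's own logic): a small Python triage pass over HijackThis `O` lines, using three checks that match entries selected in the replies above: a target marked `(no file)` or `(file missing)`, an `O4` autostart command with no path, and one DLL registered as both a BHO (`O2`) and a Winlogon Notify (`O20`). The function names and the three heuristics are assumptions of this example; the sample is an excerpt of the first log posted in this thread.

```python
import re
from collections import defaultdict

# Excerpt of the first HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [Services Messenger] SERVICESMS.EXE
O4 - HKCU\..\RunOnce: [Services Messenger] SERVICESMS.EXE
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# O4 registry autostarts: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

ABSENT = "target file absent"
NO_PATH = "autostart command has no path"
DUAL = "DLL is both BHO and Winlogon Notify"


def parse(log_text):
    """Return (section, body, line) for every 'O<n> - ...' line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def target_path(body):
    """File path field (text after the last ' - '), lower-cased, or None."""
    field = MISSING_RE.sub("", body.rsplit(" - ", 1)[-1]).strip()
    return field.lower() if "\\" in field else None


def first_token(cmd):
    """Program part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve manual review."""
    entries = parse(log_text)

    # Which sections reference each DLL path (only O2 and O20 are compared).
    sections_by_dll = defaultdict(set)
    for section, body, _ in entries:
        if section in ("O2", "O20"):
            path = target_path(body)
            if path:
                sections_by_dll[path].add(section)

    findings = []
    for section, body, line in entries:
        reasons = []
        if MISSING_RE.search(body):
            # The registration survives but the file it points to is gone.
            reasons.append(ABSENT)
        if section == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in first_token(m.group("cmd")):
                # The log line alone does not say which file on disk will run.
                reasons.append(NO_PATH)
        if section in ("O2", "O20"):
            path = target_path(body)
            if path and sections_by_dll[path] == {"O2", "O20"}:
                reasons.append(DUAL)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line)
```

These checks do not match the `adtech2005` Run entry that the reply above also selects, and they leave the other "Unknown owner" services alone. They narrow what to read first; they do not replace a reviewer going through the log.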
        • edited January 2006
          Hey, so I did everything you said, except I didn't catch that most of it was supposed to be done in safe mode until I finished it. I haven't re-done it yet in safe mode. If I need to, let me know and I'll do it again, unless it worked anyway. Sorry.

          Ewido:

          ewido anti-malware - Scan report

          + Created on: 1:11:24 AM, 1/4/2006
          + Report-Checksum: FE000295

          + Scan result:

          :mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
          :mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
          :mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
          :mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
          :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
          :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
          :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
          :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
          :mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
          :mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
          :mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
          :mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
          :mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
          :mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
          :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
          :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
          :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
          :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
          :mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
          :mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
          :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
          :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
          :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
          :mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
          :mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
          :mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
          :mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
          :mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
          :mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
          :mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
          :mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
          :mozilla.129:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
          :mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
          :mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
          :mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
          :mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
          :mozilla.134:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
          :mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
          :mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
          :mozilla.149:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
          :mozilla.154:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.155:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.156:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.157:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.158:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.159:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.160:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.162:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.163:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.164:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.165:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.166:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.167:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.168:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.169:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.170:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.171:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.172:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.174:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.176:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.177:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.178:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.179:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.180:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.181:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.182:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.183:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.184:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.185:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.186:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.187:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.188:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.189:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.190:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.191:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.192:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.193:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.194:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.195:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
          :mozilla.196:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
          :mozilla.197:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
          :mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
          :mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
          :mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
          :mozilla.249:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
          :mozilla.256:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
          :mozilla.265:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
          :mozilla.266:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
          :mozilla.267:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
          :mozilla.268:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
          :mozilla.278:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
          :mozilla.279:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
          :mozilla.280:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
          :mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
          :mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
          :mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
          :mozilla.284:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
          :mozilla.306:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
          :mozilla.307:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
          :mozilla.312:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
          :mozilla.345:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Belstat : Cleaned with backup
          :mozilla.346:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Belstat : Cleaned with backup
          :mozilla.351:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\67z9q0tv.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
          C:\inst_0004.exe -> Downloader.Small.cam : Cleaned with backup


          ::Report End


          HJT:

          Logfile of HijackThis v1.99.1
          Scan saved at 1:15:05 AM, on 1/4/2006
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\ewido anti-malware\ewidoctrl.exe
          C:\Program Files\Norton AntiVirus\navapsvc.exe
          C:\Program Files\Norton AntiVirus\SAVScan.exe
          C:\WINDOWS\System32\wltrysvc.exe
          C:\WINDOWS\System32\bcmwltry.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\Program Files\Winamp\winampa.exe
          C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\HJT\HijackThis.exe
          C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
          O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
          O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
          O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
          O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
          O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


          Thank you so much for all your help and patience!
        • Trogan London, UK
          edited January 2006
          Congratulations! Your log looks clean - good work!

          Now that your PC is clean you need to follow these easy steps to keep it this way:

          Secure your Internet Explorer by going here and following the instructions there.

          Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

          Use a firewall to help prevent your PC's control being usurped by undesirables.

          Install and keep updated, Ad-Aware SE, and Spybot S&D.
          Run them both on a regular basis, following the manufacturer's recommendations.

          Install and keep updated, SpywareBlaster 3.4

          Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

          Check for Windows Updates. Microsoft regularly post updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


          Clear your Temp folders.
          Clear out your Temporary internet files and other temp files.
          Go to Start > Settings > Control Panel > Internet Options.

          Under the General tab click the Delete temporary internet files,
          delete all Offline content as well. Clear out Cookies.

          Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

          Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

          C:\Documents and Settings\username\Local Settings\Temp\

          In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

          Empty the Recycle Bin.

          For XP users.
          After something like this it is a good idea to Flush the Restore Points and start fresh.
          To flush the XP system Restore Points.

          Go to Start>Run and type msconfig. Press enter.

          When msconfig opens, click the Launch System Restore Button.
          On the next page, click the System Restore Settings link on the left.

          Check the box labelled 'Turn off System restore'.

          Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

          Note that all previous restore points will be lost.

          ===============

          If you have any more problems, post back.


        • edited January 2006
          hey thanx so much for your help!!

          joe
        • Trogan London, UK
          edited January 2006
          No problem :thumbsup:


          I'm closing this thread. If you need help again then start a new one :)
        This discussion has been closed.
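
A small triage helper for HijackThis logs like the second one posted in this thread, added here as an example (it is not part of the thread and not a HijackThis feature): it lists the O23 service entries whose file is reported missing or whose owner is shown as unknown. The function names are hypothetical, and the sample lines are copied from the log above.

```python
import re

# Subset of lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# A log entry is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# O23 body: "Service: <name> - <owner> - <path>[ (file missing)]".
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)


def parse_entries(log_text):
    """Return (section_code, body) for every entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage_services(log_text):
    """Return O23 entries worth a manual look, with the reasons for each.

    'unknown owner' on its own is a prompt to check the file, not a
    verdict; 'file missing' means the service is still registered but
    its executable is no longer on disk.
    """
    findings = []
    for code, body in parse_entries(log_text):
        if code != "O23":
            continue
        match = SERVICE_RE.match(body)
        if not match:
            # Keep lines we cannot parse visible instead of dropping them.
            findings.append({"name": body, "path": None, "reasons": ["unparsed"]})
            continue
        reasons = []
        if match.group("missing"):
            reasons.append("file missing")
        if match.group("owner").strip().lower() == "unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append({
                "name": match.group("name"),
                "path": match.group("path"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for item in triage_services(SAMPLE_LOG):
        print(f'{item["name"]}: {item["path"]} [{", ".join(item["reasons"])}]')
```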