# Solved: Yet another Trojan-Spy.HTML.Smitfraud.c infection



## jweiss (Jun 29, 2005)

My machine is infected with Trojan-Spy.HTML.Smitfraud.c. I've tried using the fixes posted for other users (i.e., using a new registry file, killbox, ccleaner, etc.) but it's a persistent little bugger and still prevents my computer from starting in a normal mode; that is, I still get the OS (Win XP) warning that I'm infected.

Below is my HJT log. I would be endlessly appreciative of some guidance about how to get rid of this virus.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dhcpclient.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\phqg.EXE
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\upaa\atan.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\fxvdxo.exe
C:\temp\180SAPack.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\msxct.exe
C:\Program Files\180searchassistant\sais.exe
C:\WINDOWS\System32\9pdoi0io.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\phqg.EXE
C:\WINDOWS\System32\1hq0riat.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\9pdoi0io.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\phqg.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\temp\180SAPack.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [1hq0riat] C:\WINDOWS\System32\1hq0riat.exe
O4 - HKLM\..\Run: [aEDDlqI7c] C:\WINDOWS\fxvdxo.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "c:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [9pdoi0io] C:\WINDOWS\System32\9pdoi0io.exe
O4 - HKLM\..\Run: [wfwrgrot] C:\WINDOWS\wfwrgrot.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_ringtones.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4678
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


----------



## tj416 (Nov 18, 2004)

Hi jweiss,

Since HijackThis does not scan the entire system, and only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides, *it is extremely important that you run a full system scan tool like an online virus scan, Ad-aware SE and Spybot S&D.* I would like to START with those steps and finish the cleanup of strays or undetected items with HJT. I have provided instructions on how to run scans with an online virus scanner, Ad-aware SE and Spybot S&D in this post.

1) *Run one of these Online virus scanners:*
Housecall
Panda
RAV Anti-virus Online
eTrust Anti-virus Scanner
2) *Download, install, update and run a scan with Spybot S&D:*
*Download and Install* *Spybot S&D*, accepting the Default Settings.
In the Menu Bar at the top of the Spybot window you will see *'Mode'*. Make certain that *'default mode'* has a check mark beside it.
*Close ALL windows except Spybot S&D*
Click the button to *Search for Updates* and then *download and install* all available Updates.
Next click the button *Check for Problems*
When Spybot is complete, it will be showing *RED* entries, bold *'Black'* entries and *GREEN* entries in the window.
Make certain there is a *check mark* beside all of the *RED* entries *ONLY*.
Choose *Fix Selected Problems* and allow Spybot to fix the *RED* entries.
*REBOOT* to complete the scan and clear memory.
3) *Download, install, update, configure and run a scan with Ad-aware SE:*
*Download and Install* *Ad-Aware SE*, keeping the default options. *However, some of the settings will need to be changed before your first scan*.
*Close ALL windows* except Ad-Aware SE.
Click on the *world* icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
Once the update is finished click on the *Gear* icon (second from the left at the top of the window) to access the preferences/settings window:
In the *General* window make sure the following are selected in *green*:
Under *Safety*:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Under *Definitions*:
Prompt to update outdated definitions - set the *number of days*


Click on the* Scanning *button on the left and select in *green* :
Under *Driver, Folders & Files*:
Scan Within Archives

Under *Select drives & folders to scan*:
choose all hard drives

Under *Memory & Registry*: all *green*
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URLs
Scan my Hosts file


Click on the *Advanced *button on the left and select in * green*:
Under *Shell Integration*:
Move deleted files to recycle bin

Under *Logfile Detail Level*: (all green)
include additional object information
*DESELECT* - include negligible objects information
include environment information

Under *Alternate Data Streams*:
Don't log streams smaller than *0* bytes
Don't log ADS with the following names: *CA_INOCULATEIT*


Click the* Tweak *button and select in *green*:
Under *Scanning Engine:*
Unload recognized processes during scanning
Scan registry for all users instead of current user only

Under *Cleaning Engine:*
Let Windows remove files in use at next reboot

Under *Log Files*:
Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please *do not check*: Include Module list in logfile



Click on* Proceed * to save the settings.
Click *Start*
Choose *'Perform Full System Scan'*
*DESELECT "Search for negligible risk entries"*, as negligible risk entries (MRU's) are not considered to be a threat.
Click* Next *and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. 
If Ad-Aware SE finds bad entries, you will receive a *list of what it found* in the window
*Save* the log file when it asks and then click* Finish*
*REBOOT* to complete the removal of what Ad-Aware SE found.
4) *Prepare in your reply:*
A fresh HijackThis log.


----------



## jweiss (Jun 29, 2005)

I should have mentioned that I have repeatedly run McAfee Virus scan, Spybot S&D, and Ad-Aware 1.06 on this machine in an attempt to cure this virus. I will try again using the instructions you posted and then post my new HJT file. Thanks much for your prompt reply.


----------



## jweiss (Jun 29, 2005)

OK, I ran the eTrust Anti-virus Scanner, Spybot S&D, and Ad-Aware SE and cleaned as much as I could off of the machine (and there was plenty, as every time I start up again, a bunch of adware and other junk somehow reappears).

Here is my new HJT log. A thousand thank yous if you can help me get rid of this badboy.

Logfile of HijackThis v1.99.1
Scan saved at 8:35:38 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dhcpclient.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\phqg.EXE
C:\WINDOWS\System32\1hq0riat.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\Hjiipv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\oimf\oimfm.exe
C:\PROGRA~1\COMMON~1\oimf\oimfa.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [1hq0riat] C:\WINDOWS\System32\1hq0riat.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [9pdoi0io] C:\WINDOWS\System32\9pdoi0io.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hjiipv.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [oimf] C:\PROGRA~1\COMMON~1\oimf\oimfm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


----------



## tj416 (Nov 18, 2004)

Hi jweiss,

_You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet._

*Prepare Ewido Security Suite for use*:
Download the trial version of Ewido Security Suite.
Install the Program.
Click on the "update" button on the left hand side of the window.
Click on "Start Update".
You should not run the program yet so Exit the program.

*Prepare Nailfix for use*:
Download Nailfix.
Unzip the contents of the zip file to your Desktop.
Do not run it yet.

Reboot into *Safe mode*. To reboot in Safe mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

*Run Nailfix*:
Double-click on Nailfix.cmd.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly. Don't be alarmed, this is normal.

*Run Ewido Security Suite*:
Open Ewido Security Suite.
Click on the "scanner" button on the left hand side of the window. 
Click on "Start".
After the scan is completed, save the logfile from the scan.

*Run HijackThis*:
Open HijackThis, run a scan and check this item:

*F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe*

Close *all* windows and browsers, except HijackThis, and have HijackThis fix them by clicking on *Fix Checked*.

*Restart your computer normally to return to normal mode.*
*Prepare in your reply:*
Please post a fresh HijackThis log.
Please post the Ewido Security Suite log.


----------



## jweiss (Jun 29, 2005)

TJ,
I performed the tasks you suggested. I wasn't able to produce a Ewido Security Suite log because the program closed when it was done, before it allowed me to select any "create a log" function. Nevertheless, my fresh HJT log is below. Notice that nail.exe is still there (as is smitfraud), despite several attempts to delete it.

Thank you once again.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:49 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\nlhelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mscys.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [jKhRZj.exe] C:\documents and settings\jstagen\local settings\temp\jKhRZj.exe
O4 - HKLM\..\Run: [XfD.exe] c:\windows\system32\XfD.exe
O4 - HKLM\..\Run: [2r.exe] C:\windows\system32\2r.exe
O4 - HKLM\..\Run: [o62T36U] nlhelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


----------
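
Added example (not part of the original thread, and not any poster's or tool's own code): a small Python parser that compares the O4 autorun entries and the F2 `Shell=` value between two HijackThis logs, so entries that survive a cleanup pass stand out. The sample lines are excerpts copied from the 8:35 AM and 11:39 AM logs posted above; the function names are hypothetical.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str    # HijackThis section code, e.g. "F2", "O4", "O23"
    detail: str  # remainder of the log line


# "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe"
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autorun: "HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# F2 shell entry: "REG:system.ini: Shell=Explorer.exe <anything extra>"
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)

# Excerpts from the logs posted in this thread (not complete logs).
LOG_0835 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [1hq0riat] C:\WINDOWS\System32\1hq0riat.exe
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
"""

LOG_1139 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [XfD.exe] c:\windows\system32\XfD.exe
O4 - HKLM\..\Run: [o62T36U] nlhelper.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
"""


def parse_log(text):
    """Return the coded entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def shell_extras(entries):
    """Return whatever the F2 Shell= value carries besides a bare explorer.exe."""
    extras = []
    for e in entries:
        m = SHELL_RE.match(e.detail) if e.code == "F2" else None
        if not m:
            continue
        value = m.group("value").strip()
        first, _, rest = value.partition(" ")
        if first.lower() != "explorer.exe":
            extras.append(value)         # shell replaced outright
        elif rest.strip():
            extras.append(rest.strip())  # program appended after explorer.exe
    return extras


def autoruns(entries):
    """Map (hive, key, value name) -> command for O4 registry autoruns."""
    found = {}
    for e in entries:
        m = O4_RE.match(e.detail) if e.code == "O4" else None
        if m:
            found[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return found


def compare(before, after):
    """Classify autoruns across two scans and report the later Shell= extras."""
    b, a = autoruns(before), autoruns(after)
    return {
        "removed": sorted(set(b) - set(a)),
        "survived": sorted(set(b) & set(a)),
        "new": sorted(set(a) - set(b)),
        "shell_extras_after": shell_extras(after),
    }


if __name__ == "__main__":
    report = compare(parse_log(LOG_0835), parse_log(LOG_1139))
    for label, items in report.items():
        print(label)
        for item in items:
            print("   ", item)
```

An autorun listed under "survived" is not necessarily malicious (QuickTime Task is a legitimate entry here); the comparison only narrows down which lines still need a decision after a cleanup pass.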



## jweiss (Jun 29, 2005)

TJ (or anyone else): Any thoughts about how to resolve this?

Thanks.


----------



## cybertech (Apr 16, 2002)

* *Click here* to download smitRem.zip. 
Save the file to your desktop. 
Unzip smitRem.zip to extract the two files it contains. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go *here* to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button. 
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours". 
Click OK
Do not run CCleaner yet. You will run it later in safe mode.

*Click here* to download *Nailfix.zip*
Unzip it to the desktop but *do NOT run it yet.*

* Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [jKhRZj.exe] C:\documents and settings\jstagen\local settings\temp\jKhRZj.exe
O4 - HKLM\..\Run: [XfD.exe] c:\windows\system32\XfD.exe
O4 - HKLM\..\Run: [2r.exe] C:\windows\system32\2r.exe
O4 - HKLM\..\Run: [o62T36U] nlhelper.exe
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c139.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
*

* Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:
Click on *scanner*
Put a check by the following before you scan:
*Binder*
*Crypter*
*Archives*

Click the *Start Scan* button to start the scan.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

* Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan and the ewido scan*


----------



## jweiss (Jun 29, 2005)

Dude, I think it worked. I don't see the smitfraud warnings when Windows is booting anymore. Unbelievable. I can't possibly express how appreciative I am for your generous help.

The logs are below. Let me know if I need to take any more action to finally exterminate this problem once and for all.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:36:25 PM, 7/1/2005
+ Report-Checksum: CF4F3E28

+ Date of database: 7/2/2005
+ Version of scan engine:	v3.0

+ Duration: 38 min
+ Scanned Files: 36285
+ Speed: 15.90 Files/Second
+ Infected files: 179
+ Removed files: 179
+ Files put in quarantine: 179
+ Files that could not be opened:	0
+ Files that could not be cleaned:	0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000572.exe/ransy.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000572.exe/rany.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000573.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000574.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000575.exe -> Backdoor.Codbot.ag -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000576.dll -> Spyware.SBSoft.g -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000577.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000578.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000579.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000580.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000581.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000582.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000583.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000584.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000585.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000586.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000587.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000596.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000597.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000598.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000599.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000600.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000601.exe -> Spyware.WeirWeb -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000602.exe -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000603.exe -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000604.dll -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000605.exe -> Spyware.PurityScan -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000606.exe/ransy.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000606.exe/rany.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000609.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000610.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000617.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000618.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000619.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000620.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000622.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000628.exe -> Trojan.Nail -> Cleaned with backup
C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup

::Report End


----------



## jweiss (Jun 29, 2005)

ACTIVESCAN
Incident Status Location 
Adware:Adware/ImGiant No disinfected C:\WINDOWS\INF\adrmimg.inf 
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll 
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM32\dsmanager.dll
Adware:Adware/Sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\SYSTEM32\webdlg32.inf 
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.log 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\HKDSK~1.EXE 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe 
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.inf 
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\winsx.inf 
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini 
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini 
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe 
Adware:Adware/Transponder No disinfected C:\WINDOWS\aypiwj.exe 
Spyware:Spyware/Lowzones No disinfected C:\WINDOWS\r.bat 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp1.html 
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp2.html 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp3.html 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp4.html 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp5.html 
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf

Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf 
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF 
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf 
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\oimf\oimfd\oimfc.dll
Possible Virus. No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
Virus:W32/Sdbot.EEX.worm Disinfected C:\nvidea.exe
Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\jstagen\Start Menu\WEB-Search.url
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\jstagen\Favorites\WeirdOnTheWeb.url 
Adware:Adware/WUpd No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\MediaAccC[1].dll 
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.INF] 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[2].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[4].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[5].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[6].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[7].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[8].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[9].htm 
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\unstall[1].exe 
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\mtrslib2[1].js 
Adware:Adware/Apropos No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\weirdontheweb_ideal[1].exe 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[1].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[3].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[4].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[5].htm 
Adware:Adware/Apropos No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\auto_update[1] 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[6].htm 
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm 
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab] 
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab][ipreg32.inf]  
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab][ipreg32.dll] 
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\ysb_ringtones[1].cab[YSBactivex.dll] 
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\0006_regular[1].cab[istactivex.dll] 
Adware:Adware/DownloadWare No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\1[1].txt 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\webservice[4].htm 
Virus:Trj/Joiner.AB Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\48[1].exe 
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\joysaver[1].cab[m67m.inf] 
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\joysaver[1].cab[m67m.ocx] 
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\ysb[1].dll 
Possible Virus. No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\sacc_remove[1].exe 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\webservice[5].htm 
Adware:Adware/WUpd No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\Bridge-c139[1].cab[MediaAccX.dll] 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\webservice[5].htm  
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\package_MARKETING27[1].exe

HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:52:24 PM, on 7/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mscys.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks.


----------



## cybertech (Apr 16, 2002)

*You need to print out these instructions or save them to your desktop as a text file with Notepad.*

Click here to download *KillBox*.
Save it to your desktop.

Click here and use the removal tool.

After you have done that *reboot to safe mode.*

*Now disconnect from the internet, turn off or disconnect your modem.*

*Close all browser windows.*

*Run HJT again and put a check in the following:*

O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe

O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)

*Close all applications and browser windows before you click "fix checked".*

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

*Run Killbox*
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste each of the following paths, one at a time, and click the red circle with the white X in it. When it asks you to delete the file on reboot click *Yes*; when it asks you to reboot click *No.*

*C:\WINDOWS\INF\adrmimg.inf 
C:\WINDOWS\SYSTEM32\dsmanager.dll 
C:\WINDOWS\SYSTEM32\tsuninst.exe 
C:\WINDOWS\SYSTEM32\webdlg32.inf 
C:\WINDOWS\SYSTEM32\auto_update_uninstall.log 
C:\WINDOWS\SYSTEM32\HKDSK~1.EXE 
C:\WINDOWS\SYSTEM32\Shex.exe 
C:\WINDOWS\webdlg32.inf 
C:\WINDOWS\winsx.inf 
C:\WINDOWS\msxct1.ini 
C:\WINDOWS\usta33.ini 
C:\WINDOWS\unstall.exe 
C:\WINDOWS\aypiwj.exe 
C:\WINDOWS\r.bat 
C:\WINDOWS\System32\mscys.exe
C:\WINDOWS\update-sp1.html 
C:\WINDOWS\sepsd.bin 
C:\WINDOWS\update-sp2.html 
C:\WINDOWS\update-sp3.html 
C:\WINDOWS\update-sp4.html 
C:\WINDOWS\update-sp5.html 
C:\Program Files\Common Files\oimf\oimfd\oimfc.dll
C:\Program Files\SurfAccuracy\SAccU.exe 
C:\Documents and Settings\jstagen\Start Menu\WEB-Search.url 
C:\Documents and Settings\jstagen\Favorites\WeirdOnTheWeb.url 
*

Close killbox.

Open a DOS window: go to Start, Run, type cmd, then press Enter.

Type the following *bolded* lines into the DOS window, pressing the Enter key after each line:

*cd\
cd C:\WINDOWS\Downloaded Program Files
del conflict.2\.*

press *Y* to confirm the delete

*rd conflict.2
del m67m.inf
del ipreg32.inf
del WildApp.inf
exit*

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator *(Repeat for all user names)*\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5. Open the Content.IE5 folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Content.IE5 folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files".

Put a check by "Delete Offline Content" and click OK.

Empty your recycle bin.

Reboot and post another log.


----------



## jweiss (Jun 29, 2005)

Done. The only problem I have now is that McAfee tells me that my wininet.dll is infected with W32\Alemod.dll (but perhaps that's an unrelated issue).

Here's my latest HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:46 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks.


----------



## cybertech (Apr 16, 2002)

Did you run the removal tool?


----------



## tj416 (Nov 18, 2004)

Hi jweiss,

Copy the part below into Notepad and save it as searchwininet.bat.
Set the file type to "All files".
*
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt
*

Double-click the file; when it is ready, it will open files.txt.
Post the content of that file.


----------



## jweiss (Jun 29, 2005)

No, I somehow skipped the removal tool step, but now I've run it.

I got rid of the contaminated wininet.dll file by replacing it with the one from the dllcache folder. (First I renamed it, then replaced it, then had McAfee delete the renamed version.)

My new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:16 AM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks.
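One way to see what changed between two of the HijackThis scans posted in this thread, as an added example that is not part of any post: it parses the entry lines, compares the 7/2/2005 and 7/3/2005 excerpts case-insensitively, and lists entries marked "(file missing)". The function names are hypothetical; the log lines are copied from the logs above.

```python
import re

# Excerpts copied from the 7/2/2005 and 7/3/2005 HijackThis logs in this thread.
SCAN_0702 = r"""
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
"""
SCAN_0703 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
"""

# An entry line is "<section id> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return (section, body) per entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def _key(entry):
    # Windows paths are case-insensitive, and the same file appears as
    # McUpdate.exe in one scan and mcupdate.exe in the next.
    return (entry[0], entry[1].casefold())

def diff_scans(before_text, after_text):
    """Return (removed, added) entries between two scans, ignoring case."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    removed = [e for e in before if _key(e) not in after_keys]
    added = [e for e in after if _key(e) not in before_keys]
    return removed, added

def missing_file_entries(log_text):
    """Entries marked '(file missing)': the entry remains but its target file was not found."""
    return [e for e in parse_entries(log_text) if e[1].endswith("(file missing)")]

if __name__ == "__main__":
    removed, added = diff_scans(SCAN_0702, SCAN_0703)
    for section, body in removed:
        print("removed:", section, body)
    for section, body in added:
        print("added:  ", section, body)
```

On these excerpts the only removed entry is the O23 dhcpclient.exe service, and the MCUpdateExe line is not reported as a change even though its filename case differs between scans.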


----------



## cybertech (Apr 16, 2002)

Looks good!!

Create a new System Restore point.

Good free tools and advice on how to tighten your security settings.

Security Help Tools


----------

