
Solved: Pop-ups/spyware, etc.,

#1 ·
Hi, I had my computer 'fixed' yesterday by a local shop because of a smart failure predicted warning stating my hard drive would crash. The computer shop cleaned up my hard drive and they did indeed help the speed of the machine. However, I still get the horribly annoying sysprotect, winanti virus 2006, pop-ups and many others as well. I ran HijackThis and here are the results (I am listed as a beginner, but am closer to illiterate when computers are involved):

Logfile of HijackThis v1.99.1
Scan saved at 12:33:37 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5556FDC8-F5E2-44F5-A248-A3AF799453B4} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljjiigd.dll
O2 - BHO: (no name) - {C4910760-7F1A-4160-BBEA-7F6163BA012b} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140487436375
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak02.pictures.aol.com/ygp/aol/plugin/upf/YGPUPF.en-US.9.2.2.0.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O16 - DPF: {DB3991AA-5E36-428F-AB9E-7A9C613CF578} (OnlineAccess Class) - http://www.grupomarineda.net/auto/OnlineAccess.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ljjiigd - C:\WINDOWS\SYSTEM32\ljjiigd.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Any help or suggestions are greatly appreciated. Thanks. Joe
 
#2 ·
Hi, Welcome to TSG!!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
#4 ·
Logfile of HijackThis v1.99.1
Scan saved at 1:08:23 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5556FDC8-F5E2-44F5-A248-A3AF799453B4} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljjiigd.dll (file missing)
O2 - BHO: (no name) - {C4910760-7F1A-4160-BBEA-7F6163BA012b} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140487436375
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak02.pictures.aol.com/ygp/aol/plugin/upf/YGPUPF.en-US.9.2.2.0.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O16 - DPF: {DB3991AA-5E36-428F-AB9E-7A9C613CF578} (OnlineAccess Class) - http://www.grupomarineda.net/auto/OnlineAccess.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

VundoFix V5.1.0

Checking Java version...

Java version is 1.4.2.3

Scan started at 12:56:33 PM 7/8/2006

Listing files found while scanning....

C:\windows\system32\ljjiigd.dll
C:\WINDOWS\qaz4.txt

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\ljjiigd.dll
C:\windows\system32\ljjiigd.dll Has been deleted!

Attempting to delete C:\WINDOWS\qaz4.txt
C:\WINDOWS\qaz4.txt Has been deleted!

Performing Repairs to the registry.
Done!

I think I was able to copy the appropriate files. You're right, I'll have to find a new service center, although they did spend 2 hours(!!) on 'fixing' the hard drive!
I did have a new pop-up appear when I got back online. I am using AVG now. Is this sufficient for blocking most pop-ups/banners or would you recommend another program? Thanks.
 
#5 ·
Run HJT again and put a check in the following:

O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {5556FDC8-F5E2-44F5-A248-A3AF799453B4} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljjiigd.dll (file missing)
O2 - BHO: (no name) - {C4910760-7F1A-4160-BBEA-7F6163BA012b} - C:\WINDOWS\system32\gnewiejj.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/i...ncherSetup.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll

Close all applications and browser windows before you click "fix checked".

You need a firewall if you are not using the Windows firewall. I use ZoneAlarm, the free one.

Download Ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program
  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan just yet; we will shortly.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  2. Launch ewido anti-spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  4. ewido will now begin the scanning process. Be patient, this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will be prompted; then select "Apply all actions".
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Post a new HijackThis log and the log from Ewido.
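
A small triage helper for logs like the ones in this thread, added here as an example (it is not part of the original posts and is not HijackThis code). It lists O1 Hosts entries that map a name other than localhost to a loopback address, so the name never reaches the real site, and it compares two logs to show which entries disappeared or became "(file missing)" between scans. The sample lines are excerpts from the logs in posts #1 and #4; the function names are this example's own.

```python
import ipaddress
import re

# Excerpts copied from the HijackThis logs in posts #1 (BEFORE) and #4 (AFTER).
BEFORE = r"""
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.40 spybot.info
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljjiigd.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: ljjiigd - C:\WINDOWS\SYSTEM32\ljjiigd.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
"""

AFTER = r"""
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.40 spybot.info
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljjiigd.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
"""

# "O1 - ...", "R0 - ...", "O20 - ..." style lines; process paths do not match.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)$")
MISSING = " (file missing)"


def parse_entries(log):
    """Return (section, body) pairs for every section-tagged log line."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def loopback_redirects(log):
    """Return (ip, name) for O1 entries that point a real name at 127.0.0.0/8."""
    found = []
    for section, body in parse_entries(log):
        match = HOSTS.match(body) if section == "O1" else None
        if not match:
            continue
        try:
            address = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # not an IP address; leave it for manual review
        if address.is_loopback and match.group("name").lower() != "localhost":
            found.append((match.group("ip"), match.group("name")))
    return found


def _key(section, body):
    """Comparison key: ignore case and the '(file missing)' suffix."""
    if body.endswith(MISSING):
        body = body[: -len(MISSING)]
    return (section, body.lower())


def diff_logs(before, after):
    """Show what changed between two scans of the same machine."""
    before_entries = parse_entries(before)
    after_entries = parse_entries(after)
    after_keys = {_key(s, b) for s, b in after_entries}
    intact_before = {_key(s, b) for s, b in before_entries
                     if not b.endswith(MISSING)}
    return {
        # Entry no longer present at all in the second log.
        "removed": [f"{s} - {b}" for s, b in before_entries
                    if _key(s, b) not in after_keys],
        # Registry entry still present, but the file it points to is gone.
        "file_missing": [f"{s} - {b}" for s, b in after_entries
                         if b.endswith(MISSING) and _key(s, b) in intact_before],
    }


if __name__ == "__main__":
    for ip, name in loopback_redirects(AFTER):
        print(f"hosts redirect: {name} -> {ip}")
    for kind, lines in diff_logs(BEFORE, AFTER).items():
        for line in lines:
            print(f"{kind}: {line}")
```

An entry reported under `file_missing` still has its registry reference, which is why such lines remain on a fix list after the file itself has been deleted.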
 
#6 ·
6:10:59 PM 7/8/2006

C:\WINDOWS\system32\ati2dvaa.exe -> Adware.AdSrve : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avwav915.exe.tcf -> Adware.AdSrve : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Local Settings\Temp\__unin__.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf -> Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Newnet6.zip/newdotnet4_80.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Newnet6.zip/uninstall4_80.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Newnet9.zip/NDNuninstall4_50.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Leisa\Application Data\osaa.exe.tcf -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Leisa\Local Settings\Temp\!update.exe.tcf -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jаvaw.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Local Settings\Temp\ICD3.tmp\SaveInstCm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Local Settings\Temp\ICD3.tmp\SaveInstCm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Local Settings\Temp\ICD3.tmp\SaveInstCm.exe/Sync.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Local Settings\Temp\ICD3.tmp\SaveInstCm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ativcoxx.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20060708-163205-851.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssttr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Adware.VirtuMonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Adware.VirtuMonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Adware.VirtuMonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Adware.VirtuMonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-1390067357-1284227242-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} -> Adware.Virtumonde : Cleaned with backup (quarantined).
[208] C:\WINDOWS\system32\ssttr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Joe Harris\Start Menu\Programs\ClockSync -> Adware.WhenU : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\~364376.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~684835.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~735291.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~763776.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~783005.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~842410.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~850154.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~860369.tmp -> Downloader.Wintool.a : Error during cleaning.
C:\WINDOWS\Temp\~885876.tmp -> Downloader.Wintool.a : Error during cleaning.
:mozilla.158:C:\Documents and Settings\Joe Harris\Application :mozilla.50:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\default\2vrnrqcy.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\default\2vrnrqcy.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\default\2vrnrqcy.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\default\2vrnrqcy.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\Default User\xqh0xqfk.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\Joe Harris\Application Data\Phoenix\Profiles\default\2vrnrqcy.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Install.exe/kans.reg -> Trojan.LowZones.f : Cleaned with backup (quarantined).
C:\Install.exe/kansup.reg -> Trojan.LowZones.f : Cleaned with backup (quarantined).
C:\Install.exe/x.bat -> Trojan.LowZones.f : Cleaned with backup (quarantined).
C:\x.bat -> Trojan.LowZones.f : Cleaned with backup (quarantined).

::Report end

I didn't see this report that I posted yesterday, so I updated it and sent out again.
 
#7 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:45:22 AM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140487436375
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak02.pictures.aol.com/ygp/aol/plugin/upf/YGPUPF.en-US.9.2.2.0.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O16 - DPF: {DB3991AA-5E36-428F-AB9E-7A9C613CF578} (OnlineAccess Class) - http://www.grupomarineda.net/auto/OnlineAccess.cab
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

I didn't realize that my post never was sent yesterday due to the length of the report having exceeded the allowable amount. I had to delete 8000 characters from the ewido report - mostly tracking cookies that were successfully quarantined.
 
#8 ·
Spybot - Search & Destroy 1.1 is old; you should remove that and download version 1.4.

Run HJT again and put a check in the following:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll

Close all applications and browser windows before you click "fix checked".

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\ssttr.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
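
The following is an added example, not part of the original post and not code from HijackThis or The Avenger. It parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log, reports any DLL registered under both sections (the pair marked for fixing above), and lists entries a later log marks "(file missing)", meaning the file is gone but the registry entry still needs fixing. The sample lines are copied from the logs in this thread; the function names are hypothetical.

```python
import re
from collections import namedtuple

# One parsed HijackThis entry: section code, display name, file path,
# and whether HijackThis appended "(file missing)" to the path.
Entry = namedtuple("Entry", "section name path missing")

# Line formats as they appear in the HijackThis v1.99.1 logs in this thread.
PATTERNS = {
    "O2": re.compile(
        r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - "
        r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
    ),
    "O20": re.compile(
        r"^O20 - Winlogon Notify: (?P<name>.+?) - "
        r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
    ),
}


def parse_hjt(log_text):
    """Return Entry tuples for every O2 and O20 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append(
                    Entry(section, m["name"], m["path"], m["missing"] is not None)
                )
                break
    return entries


def cross_registered(entries):
    """Paths (lower-cased, Windows paths are case-insensitive) that are
    registered both as a BHO and as a Winlogon Notify package."""
    sections_by_path = {}
    for e in entries:
        sections_by_path.setdefault(e.path.lower(), set()).add(e.section)
    return sorted(p for p, s in sections_by_path.items() if {"O2", "O20"} <= s)


def orphaned(entries):
    """Entries whose target file no longer exists on disk."""
    return [e for e in entries if e.missing]


# Sample input: lines copied from the log taken before the cleanup.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Sample input: O2 lines copied from the log taken after the file was deleted.
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll (file missing)
"""

if __name__ == "__main__":
    for path in cross_registered(parse_hjt(BEFORE_LOG)):
        print("BHO + Winlogon Notify:", path)
    for e in orphaned(parse_hjt(AFTER_LOG)):
        print("Entry left behind:", e.section, e.name, e.path)
```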
 
#9 ·
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\thfqxcye

*******************

Script file located at: \??\C:\WINDOWS\ucymalgb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ssttr.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 8:25:45 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140487436375
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak02.pictures.aol.com/ygp/aol/plugin/upf/YGPUPF.en-US.9.2.2.0.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O16 - DPF: {DB3991AA-5E36-428F-AB9E-7A9C613CF578} (OnlineAccess Class) - http://www.grupomarineda.net/auto/OnlineAccess.cab
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Home for good now. Ran the programs and here are the results.
 
#10 ·
Run HJT again and put a check in the following:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)

Close all applications and browser windows before you click "fix checked".

Now you should create a new System Restore point.
Click here to see how.
 
#11 ·
Cybertech,
Performed the last instruction. I have ewido in place and was wondering how often I should run the ATF Cleaner, HijackThis, Avenger or other recommended programs? I have had a number of people with access to the computer, but fortunately that has changed and access is limited greatly now. This will hopefully limit the threat of all the crap that accumulated in my registry and slowed the performance down so much. I appreciate the help you've provided and made the donation. Thanks again.
 
#12 ·
You should discard/remove Avenger now; that is used for a specific script and could be dangerous if not used properly.

HJT is used to review what is on a machine and it also can be dangerous if not used properly, so I would remove that too.

ATF Cleaner you can use as often as you desire. If you have a regularly scheduled maintenance day I would use it then. Maybe once a week or every two weeks along with defrag.

Spybot is good and I see you have that.
 