Adware problems


Bobby Sands

Well-Known Member
#1
I'm having problems with adware. I've run anti-spyware programs and the anti-virus on numerous occasions, but there is still adware there. When I go on the internet, the page I'm viewing keeps getting redirected to these adware pages. It's driving me nuts. I can't get rid of it.
 

Bobby Sands

Well-Known Member
#3
I will do that during the week. I have to download HijackThis first to produce a log. The problem is with my Windows hosts file. There is a load of spyware website addresses there. I can't remove or block them.
 

Bobby Sands

Well-Known Member
#4
Logfile of HijackThis v1.99.1
Scan saved at 18:54:04, on 27/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\nfomon\nfomon.exe
C:\WINDOWS\System32\vidmon\vidmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\FIRST USER\My Documents\Program Installers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.eircom.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by eircom net
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {780524C3-0A97-1169-73EF-F9B2AED4AE6F} - slamm.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Shaitan1678] zantu.exe
O4 - HKLM\..\Run: [StatusCheck] teqq32.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmiog.exe] C:\WINDOWS\System32\dmiog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSTCPDLL] runload32.exe
O4 - HKCU\..\Run: [dePloy] barint.exe
O4 - HKCU\..\Run: [Shaitan1678] Kargo.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\hrnm0551e.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\ghpodoep.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hope I've done that right.
 
#5
You might want to copy all this into a Word/Notepad document before you start.

* * *

You have a Trojan. Your Anti-Virus and Anti-Spyware software probably won't help, you'll need an Anti-Trojan program. Check the Knowledge Base. I suggest ewido. Download it, install it, run it.

Go into Control Panel > Add/Remove Programs and look for 'WareOut'. Uninstall it.

Go to C:\Program Files\WareOut and delete it if it exists.

Move HijackThis! into a folder on the C: drive (i.e. C:\HijackThis) and scan again. Put a check next to the following entries and hit 'fix'.

C:\WINDOWS\System32\nfomon\nfomon.exe
C:\WINDOWS\System32\vidmon\vidmon.exe

**NOTE**
Do you get your broadband connection from Eircom? If so, you can leave these. If not, remove them. If unsure, remove them.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.eircom.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by eircom net

**NOTE**

R3 - URLSearchHook: (no name) - {780524C3-0A97-1169-73EF-F9B2AED4AE6F} - slamm.dll (file missing)

O4 - HKLM\..\Run: [Shaitan1678] zantu.exe
O4 - HKLM\..\Run: [StatusCheck] teqq32.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [dmiog.exe] C:\WINDOWS\System32\dmiog.exe
O4 - HKCU\..\Run: [MSTCPDLL] runload32.exe
O4 - HKCU\..\Run: [dePloy] barint.exe
O4 - HKCU\..\Run: [Shaitan1678] Kargo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\hrnm0551e.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\ghpodoep.dll

Download CoolWebShredder. Click 'Check For Updates' and then 'Fix'.

Run your anti-virus and anti-spyware programs.

Post a fresh HijackThis! log and we'll see what's left.
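The rules in the post above (orphaned hooks, Run entries with no path, a changed O17 NameServer, O20/O21 DLL load points) can be applied mechanically before a log is read by hand. The script below is an added example written for this thread; it is not part of HijackThis, ewido or anything the poster or helper ran. The sample lines are copied from the HijackThis log posted earlier in the thread; `trusted_dns`, the `PATHLESS_OK` allowlist and the `Finding` structure are assumptions of the example.

```python
"""Triage helper for HijackThis-style logs (added example; not part of
HijackThis or of this thread).  It applies the rules the helper's post
works through by hand: orphaned hooks, Run entries with no path,
O17 NameServer changes and O20/O21 DLL load points.  trusted_dns and
PATHLESS_OK are assumptions supplied by whoever runs it."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in this thread, so the
# output can be compared with what the helper told the poster to fix.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {780524C3-0A97-1169-73EF-F9B2AED4AE6F} - slamm.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Shaitan1678] zantu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shaitan1678] Kargo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\hrnm0551e.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\ghpodoep.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Windows binaries that are legitimately started by bare name from the Run key
# because they live in System32 (assumed allowlist; extend for your own boxes).
PATHLESS_OK = {"rundll32.exe"}

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d. ,]+)$')


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a look
    line: str      # the offending log line ("" for cross-line findings)


def _executable(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str, trusted_dns=frozenset()) -> list:
    """Return the entries a helper would ask the poster to review or fix."""
    findings = []
    run_targets = {}   # Run value name -> set of executables seen across hives
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if "(file missing)" in line:
            findings.append(Finding(section, "hook points at a file that no longer exists", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            run_targets.setdefault(m.group("name"), set()).add(exe.lower())
            if "\\" not in exe and exe.lower() not in PATHLESS_OK:
                findings.append(Finding(section, f"Run entry gives no path for {exe}, so it cannot be verified", line))
            continue
        m = O17_RE.match(line)
        if m:
            unknown = [s for s in m.group("servers").replace(",", " ").split() if s not in trusted_dns]
            if unknown:
                findings.append(Finding(section, "NameServer not in the trusted list: " + " ".join(unknown), line))
            continue
        if section in ("O20", "O21"):
            findings.append(Finding(section, "DLL loaded at logon / shell start; confirm publisher and path", line))
    # The same Run value name pointing at different files in HKLM and HKCU is
    # itself worth a look (the posted log shows [Shaitan1678] doing exactly this).
    for name, exes in run_targets.items():
        if len(exes) > 1:
            findings.append(Finding("O4", f"Run name [{name}] points at different files across hives: {sorted(exes)}", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it as-is and every line the helper listed under the second NOTE is reported, while the AVG, Messenger and NVIDIA entries pass. Passing the ISP's resolvers in `trusted_dns` silences the O17 finding, which mirrors the helper's "if you get your connection from Eircom you can leave these" caveat for the R0/R1 lines: the rules only flag what cannot be accounted for, and the final call stays with the person reading the log.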
 

Bobby Sands

Well-Known Member
#7
Here are my ewido scan results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:46:09, 28/11/2005
+ Report-Checksum: 3EF3BF2

+ Scan result:

HKLM\SOFTWARE\Classes\Updater.BHO\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\GIANTCompany\AntiSpyware\CleanerExe\DelRegValues\\1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\GIANTCompany\AntiSpyware\CleanerExe\DelRegValues\\4 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar -> Spyware.MyWay : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-299502267-2049760794-839522115-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{BF69DF00-2734-477F-8257-27CD04F88779} -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-299502267-2049760794-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-299502267-2049760794-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
[1648] C:\WINDOWS\system32\sqdocvw.dll -> Spyware.Look2Me : Error during cleaning
[3104] C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Error during cleaning
:mozilla.8:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.9:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.51:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.52:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.53:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.54:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.55:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.71:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.80:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.81:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.82:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.83:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.94:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.108:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.114:C:\Documents and Settings\FIRST USER\Application Data\Mozilla\Firefox\Profiles\8zoil9i8.default\cookies.txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@buycom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wfkospdjgcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wfkygmcjmeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wflisjczaao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wgkiqhc5mao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wjkyumdjefq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wjliskdzebp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@e-2dj6wjnywjajoao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\FIRST USER\Cookies\first user@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\FIRST USER\Local Settings\Temp\Cookies\first user@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\FIRST USER\Local Settings\Temp\Cookies\first user@e-2dj6wfkookd5adp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\15C709E5-8F64-47FC-A3BF-7B376A\54C404B5-D54E-4B71-86B5-EE7806 -> Spyware.MyWay : Cleaned with backup
C:\RECYCLER\S-1-5-21-299502267-2049760794-839522115-500\Dc2\myBar\1.bin\MY2NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\RECYCLER\S-1-5-21-299502267-2049760794-839522115-500\Dc2\myBar\1.bin\MYBAR.DLL -> Spyware.MyWay : Cleaned with backup
C:\RECYCLER\S-1-5-21-299502267-2049760794-839522115-500\Dc2\myBar\1.bin\MYWAYPLUGINPROXY.CLASS -> Spyware.MyWay : Cleaned with backup
C:\RECYCLER\S-1-5-21-299502267-2049760794-839522115-500\Dc2\myBar\1.bin\NPMYWAY.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP358\A0141643.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP372\A0147955.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP372\A0147956.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP372\A0147959.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP422\A0164650.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP422\A0164651.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP422\A0164658.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP422\A0164673.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP422\A0165793.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP423\A0165835.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP423\A0165862.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165907.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165908.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165909.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165910.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165915.ocx -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP424\A0165916.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP425\A0167265.EXE -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP425\A0167266.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP427\A0167445.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP427\A0167469.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP427\A0167479.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP429\A0167499.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP429\A0167501.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{ACDF2A85-7A4E-4349-BFAC-FA8041251D3C}\RP429\A0167519.exe -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\2.exe -> TrojanSpy.Goldun.bk : Cleaned with backup
C:\WINDOWS\system32\e002lado1d0c.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp4m03h1e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hwiper.exe -> Trojan.Qhost.dv : Cleaned with backup
C:\WINDOWS\system32\pnd.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wkfeman.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp -> Spyware.Look2Me : Cleaned with backup


::Report End
I'm still having problems with my web page being changed. This removed a lot of stuff though.
 

Bobby Sands

Well-Known Member
#8
Here's the result of my Ad-Aware scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:28 November 2005 20:47:33
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R76 22.11.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


28-11-2005 20:47:33 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 356
ThreadCreationTime : 28-11-2005 18:35:46
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 436
ThreadCreationTime : 28-11-2005 18:35:49
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 480
ThreadCreationTime : 28-11-2005 18:35:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 492
ThreadCreationTime : 28-11-2005 18:35:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 656
ThreadCreationTime : 28-11-2005 18:35:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 700
ThreadCreationTime : 28-11-2005 18:35:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1000
ThreadCreationTime : 28-11-2005 18:35:53
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1028
ThreadCreationTime : 28-11-2005 18:35:53
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1036
ThreadCreationTime : 28-11-2005 18:35:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:10 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1180
ThreadCreationTime : 28-11-2005 18:35:54
BasePriority : Normal
FileVersion : 7,1,0,357
ProductVersion : 7.1.0.357
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:11 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1216
ThreadCreationTime : 28-11-2005 18:35:54
BasePriority : Normal
FileVersion : 7,1,0,349
ProductVersion : 7.1.0.349
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:12 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1260
ThreadCreationTime : 28-11-2005 18:35:54
BasePriority : Normal
FileVersion : 6.14.10.5672
ProductVersion : 6.14.10.5672
ProductName : NVIDIA Driver Helper Service, Version 56.72
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 56.72
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1324
ThreadCreationTime : 28-11-2005 18:35:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1648
ThreadCreationTime : 28-11-2005 18:35:57
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [lxbkbmgr.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 2004
ThreadCreationTime : 28-11-2005 18:36:03
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Manager
InternalName : lxbkbmgr.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmgr.exe

#:16 [ipodmanager.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 120
ThreadCreationTime : 28-11-2005 18:36:03
BasePriority : Normal
FileVersion : 1.0.30.0
ProductVersion : 2.0.1?0
ProductName : iPodManager Module
FileDescription : iPodManager Module
InternalName : iPodManager
LegalCopyright : Copyright © 2003 Apple Computer, Inc
OriginalFilename : iPodManager.EXE

#:17 [lxbkbmon.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 152
ThreadCreationTime : 28-11-2005 18:36:03
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Monitor
InternalName : lxbkbmon.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmon.exe

#:18 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 176
ThreadCreationTime : 28-11-2005 18:36:04
BasePriority : Normal
FileVersion : 10.00.4015
ProductVersion : 10.00.4015
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : mm_tray
InternalName : mm_tray
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : mm_tray.exe

#:19 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 196
ThreadCreationTime : 28-11-2005 18:36:04
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:20 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 236
ThreadCreationTime : 28-11-2005 18:36:08
BasePriority : Normal
FileVersion : 1.0.0.85
ProductVersion : 2.0.1?0
ProductName : iPodService Module
CompanyName : Apple Computer, Inc
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : Copyright 2002 Apple Computer, Inc
LegalTrademarks : Copyright 2002 Apple Computer, Inc
OriginalFilename : iPodService.EXE

#:21 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 340
ThreadCreationTime : 28-11-2005 18:36:10
BasePriority : Normal
FileVersion : 7,1,0,355
ProductVersion : 7.1.0.355
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:22 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 280
ThreadCreationTime : 28-11-2005 18:36:10
BasePriority : Normal
FileVersion : 7,1,0,362
ProductVersion : 7.1.0.362
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:23 [mmdiag.exe]
FilePath : C:\PROGRA~1\MUSICM~1\MUSICM~1\
ProcessID : 392
ThreadCreationTime : 28-11-2005 18:36:11
BasePriority : Normal
FileVersion : 10.00.4015
ProductVersion : 10.00.4015
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : Logging and tracing manager
InternalName : MMTraceExe
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : MMTraceExe.EXE

#:24 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 668
ThreadCreationTime : 28-11-2005 18:36:12
BasePriority : Idle
FileVersion : 1.00.0615
ProductVersion : 1.00.0615
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:25 [mim.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 732
ThreadCreationTime : 28-11-2005 18:36:13
BasePriority : Normal
FileVersion : 10.00.4015
ProductVersion : 10.00.4015
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : mim
InternalName : mim
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : mim.exe

#:26 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1544
ThreadCreationTime : 28-11-2005 18:36:23
BasePriority : Normal
FileVersion : 1.00.0615
ProductVersion : 1.00.0615
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:27 [wkcalrem.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 2316
ThreadCreationTime : 28-11-2005 18:37:17
BasePriority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:28 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3104
ThreadCreationTime : 28-11-2005 18:39:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:29 [wordpad.exe]
FilePath : C:\Program Files\Windows NT\Accessories\
ProcessID : 540
ThreadCreationTime : 28-11-2005 19:12:42
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WordPad MFC Application
InternalName : wordpad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wordpad

#:30 [avgwb.dat]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 2996
ThreadCreationTime : 28-11-2005 19:42:33
BasePriority : Normal
FileVersion : 7,1,0,354
ProductVersion : 7.1.0.354
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Basic Interface
InternalName : avgwb
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AVGWB.EXE

#:31 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 3824
ThreadCreationTime : 28-11-2005 20:09:41
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:32 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 3592
ThreadCreationTime : 28-11-2005 20:09:46
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:33 [securitysuite.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 3480
ThreadCreationTime : 28-11-2005 20:09:58
BasePriority : Normal
FileVersion : 3, 5, 0, 0
ProductVersion : 3, 5, 0, 0
ProductName : ewido security suite
CompanyName : ewido networks
FileDescription : security suite
InternalName : GuiLoader
LegalCopyright : © 2003 ewido networks
OriginalFilename : SecuritySuite.exe

#:34 [winhlp32.exe]
FilePath : C:\WINDOWS\
ProcessID : 2204
ThreadCreationTime : 28-11-2005 20:36:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Help
InternalName : WINHLP32.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WINHLP32.EXE

#:35 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 456
ThreadCreationTime : 28-11-2005 20:46:31
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

#:36 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 408
ThreadCreationTime : 28-11-2005 20:46:50
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\FIRST USER\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\FIRST USER\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : S-1-5-21-299502267-2049760794-839522115-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : first user@bluestreak[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:first user@bluestreak.com/
Expires : 25-11-2015 16:15:52
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : first user@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:first user@doubleclick.net/
Expires : 27-11-2008 18:39:54
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : first user@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:first user@atdmt.com/
Expires : 26-11-2010
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 15



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
43 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

20:59:38 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:04.813
Objects scanned:127688
Objects identified:3
Objects ignored:0
New critical objects:3
 

Bobby Sands

Well-Known Member
#9
I did a virus scan and nothing showed up, but there was a reading error for this file:


C:\Windows\System32\dmgtk.exe

Remember I made a thread about a reading error on a file. The file name keeps changing, and this is what it showed up as on the last test. Any idea what it is?
 

Bobby Sands

Well-Known Member
#10
And finally my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:17:19, on 28/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\FIRST USER\My Documents\Program Installers\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.eircom.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.eircom.ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by eircom net
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmgtk.exe] C:\WINDOWS\System32\dmgtk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\j8l40i3qe8.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I'm still having the web pages I'm viewing being redirected to ads. It's wrecking my head now.
 

Bobby Sands

Well-Known Member
#12
Yea^^.

Wareout isn't on the Add/Remove Programs list and isn't in my Program Files.

I have CWShredder and it showed nothing. Any idea about that file with the reading error?
 
#16
Looks like you had Wareout, and it wasn't fully removed.

First things first, update your Internet Explorer (even if you don't use it, which you shouldn't).

Remove this item:

O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
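An added check, not from this thread, for the kind of entry flagged above: it parses HijackThis O17 lines, pulls out every NameServer address, and reports any resolver that is outside an allowlist of the resolvers the machine is expected to use, since an unexpected NameServer sends every lookup through someone else's DNS and is one way browsing gets redirected. The allowlist, the function names and the sample log (the O17 line quoted here plus a constructed router entry with a placeholder GUID) are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: a few HijackThis-style lines. The first O17 line is the
# one quoted in the thread; the second is a made-up entry with a placeholder
# GUID pointing at a home router, which the allowlist below treats as expected.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eircom.ie
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{188B7511-604E-45B9-86FC-7B9529B8BB99}: NameServer = 85.255.114.89 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

# Hypothetical allowlist: the networks the machine's DNS resolvers are expected
# to live in (here, private ranges used by a home router). In practice this
# would be the ISP's resolvers or the corporate DNS servers.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# HijackThis O17 format: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_nameservers(line):
    """Return (registry_key, [ip_address, ...]) for an O17 line, else None."""
    match = O17_RE.match(line.strip())
    if not match:
        return None
    ips = []
    # The registry value may separate resolvers with spaces or commas.
    for token in re.split(r"[ ,]+", match.group("servers").strip()):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # skip anything that is not a literal IP address
    return match.group("key"), ips


def find_rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Return [(registry_key, [rogue_ip, ...]), ...] for every O17 entry that
    names at least one resolver outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_nameservers(line)
        if parsed is None:
            continue
        key, ips = parsed
        rogue = [str(ip) for ip in ips if not any(ip in net for net in trusted)]
        if rogue:
            findings.append((key, rogue))
    return findings


if __name__ == "__main__":
    for key, rogue in find_rogue_nameservers(SAMPLE_LOG):
        print(f"unexpected NameServer in {key}: {', '.join(rogue)}")
```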
 

Bobby Sands

Well-Known Member
#20
I ran the anti-virus again and this file showed up as a reading error again:

C:\\Windows\System 32\dmckh.exe.


Have you any idea what it is? It's the same file I mentioned in the other thread and already in this one, but the last 3 letters are different every time I scan. Any clue?

Also, is this an important file:

Win2help.dll

Ewido showed that there is a trojan in this file, but it can't remove it as there is an error in reading it.
 