Full Version: SafeMode/CCLeaner/Ewido/AdAware/Spybot/MS Beta
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
Jay
Ran: (All in safe mode)
Ewido 3.5
Adaware 1.06r2
Spybot Search and Destroy 1.3
MS Beta anti-spyware

Restarted computer and got this log.
Ewido (good tool) caught the proxy.lager.aq when I fired up my browser.
This is a tough one to get rid of..


Log...
TIA Jay

Logfile of HijackThis v1.99.1
Scan saved at 8:59:55 PM, on 6/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\taskdir.exe
C:\Program Files\Sandboxie\Control.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?v&k=pf_1
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {68EC5AD5-CCCC-F445-69AE-ADD6FE9398BE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8827364E-F3CC-608A-CF26-9D4382F31CCC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mw28Rge4X] ncx_hook.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ac4.anthem.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102471511827
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - https://ac4.anthem.com/sametime/javaconnect...o29yw5Tx-9,SSL+
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

AndyManchesta
Hi Jay, welcome to the forum.

You do have a malware infection showing, but we should be able to remove it without problems.

You may want to copy and paste this reply to Notepad and save it to your desktop, as all browser windows need to be closed when fixing the entries in HijackThis.


Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {68EC5AD5-CCCC-F445-69AE-ADD6FE9398BE} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8827364E-F3CC-608A-CF26-9D4382F31CCC} - (no file)
O4 - HKCU\..\Run: [Mw28Rge4X] ncx_hook.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Next download the Trojan Abwiz removal tool from Symantec here and save it to your desktop.

Please reboot your computer into Safe Mode. (Tap F8 on reboot and select Safe Mode.)

In Safe Mode run the Abwiz removal tool by double-clicking FixAbwiz.exe.

When the tool has finished running, you will see a message indicating the number of files scanned and whether it was able to remove the infection. If you're able to, save the report and post it back in your next reply.

Reboot back to Normal Mode.

Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options (the last option), click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders and Search Subfolders.

Once they are enabled, scroll back up to the "All or part of the filename:" area and enter this:

ncx_hook.exe

Press Search and make a note of where the file is located, probably System32, but it's worth checking.

Then visit VirusTotal and have the ncx_hook.exe file scanned:

Open the scan site and press Browse, locate the file and double-click it to load the path into the virus scan window, then press Send. Please copy and paste the results back and let us know if you have any problems finding the file. (If the results show it's infected, then remove it from the system; if you're unsure, post the results back first.)

Then update Ewido, as they have a new version available, and post back the scan results.

Download Ewido Anti-Spyware
  1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Click on the Scanner tab at the top and then click on Complete System Scan
  4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Please then post back the Ewido log, Symantec's results, VirusTotal's results for the ncx_hook.exe and a new HijackThis log.

Cheers

Andy
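A small triage script for HijackThis logs, added here as an example and not code from the thread, from HijackThis or from Symantec. It parses the "Rn - " / "On - " entry lines, flags the patterns Andy's fix list is built from (a missing default URLSearchHook, O2 BHOs with no backing file, O4 Run entries whose target has no path, whose value name looks machine-generated, or whose target is on the analyst's removal list) and reports which flagged entries survive into a second log taken after the fix. The two sample logs are constructed excerpts modelled on the ones posted above, and the ANALYST_FLAGGED list is assumed from Andy's reply.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not the thread's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts modelled on the two logs posted in the thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\taskdir.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mw28Rge4X] ncx_hook.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
"""

# Filenames the helper in this thread asked to remove (assumed from Andy's reply).
ANALYST_FLAGGED = {"ncx_hook.exe", "taskdir.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value names mixing digits, lower and upper case with no separators, e.g. Mw28Rge4X.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_entries(log_text: str) -> list[Entry]:
    """Keep only the Rn/On entry lines; process lists and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _first_token(cmd: str) -> str:
    """Executable part of a Run value, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flag_entry(e: Entry) -> list[str]:
    """Return every reason this entry deserves a second look (empty if none)."""
    reasons = []
    if e.section == "R3" and "is missing" in e.body:
        reasons.append("default URLSearchHook missing; fixing it in HijackThis restores the default")
    if e.section == "O2" and e.body.endswith("(no file)"):
        reasons.append("orphaned BHO: CLSID still registered with IE but its DLL is gone")
    if e.section == "O4":
        m = RUN_RE.match(e.body)
        if m:
            name, target = m["name"], _first_token(m["cmd"])
            base = target.rsplit("\\", 1)[-1].lower()
            if base in ANALYST_FLAGGED:
                reasons.append(f"Run target {base} is on the analyst's removal list")
            if "\\" not in target and ":" not in target:
                reasons.append(f"Run target {target!r} has no path; the loader resolves it by search order")
            if RANDOM_NAME_RE.fullmatch(name):
                reasons.append(f"Run value name {name!r} looks machine-generated")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    return [(e.line, r) for e in parse_entries(log_text) if (r := flag_entry(e))]


def persisted(before_text: str, after_text: str) -> list[str]:
    """Flagged entries from the first log that still appear verbatim in the second."""
    after_lines = {e.line for e in parse_entries(after_text)}
    return [line for line, _ in triage(before_text) if line in after_lines]


if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
    print("Still present after the fix:", persisted(BEFORE_LOG, AFTER_LOG))
```

The heuristics only raise entries for review; a flagged Run value still needs the file itself checked, as Andy's VirusTotal step does.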
Jay
Andy:
Thanks, here are the results...
Selected the noted items...
Downloaded Abwiz, it found one, but I did not see a 'Save report' option.
Searched for ncx_hook.exe, no luck.. Had opened the system and all the folders you noted (?)
I own (purchased a while ago) Ewido, and tried to update, but it noted I had the most current version.
ewido cleaned what it found and here is the log from the clean..

...ewido log...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:49:34 PM, 6/28/2006
+ Report-Checksum: 86AE7DDA

+ Scan result:

:mozilla.13:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.288:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.289:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.326:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.327:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.328:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.338:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.339:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.340:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.351:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.353:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Application Data\Mozilla\Firefox\Profiles\77xiqdcg.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Cookies\rebecca@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Cookies\rebecca@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Rebecca.SWANSOFT-VMCYMV\Cookies\rebecca@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup


::Report End


....................

......And as requested, new HijackThis log.....


Logfile of HijackThis v1.99.1
Scan saved at 8:50:13 PM, on 6/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sandboxie\Control.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?v&k=pf_1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {68EC5AD5-CCCC-F445-69AE-ADD6FE9398BE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8827364E-F3CC-608A-CF26-9D4382F31CCC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ac4.anthem.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102471511827
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - https://ac4.anthem.com/sametime/javaconnect...o29yw5Tx-9,SSL+
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

..........

Hope it worked. Sort of odd, I did not find the ncx_hook.exe under the folders....

This is a tough one to get rid of.....

Thanks,

Jay Swan

QUOTE(AndyManchesta @ Jun 27 2006, 03:06 AM)

Hi Jay, welcome to the forum

You do have a malware infection showing, but we should be able to remove it without problems.

You may want to copy and paste this reply to Notepad and save it to your desktop, as all browser windows need to be closed when fixing the entries in HijackThis.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {68EC5AD5-CCCC-F445-69AE-ADD6FE9398BE} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8827364E-F3CC-608A-CF26-9D4382F31CCC} - (no file)
O4 - HKCU\..\Run: [Mw28Rge4X] ncx_hook.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

Close all open browser windows and other windows except for HijackThis and press the Fix Checked button.

Next download the Trojan Abwiz removal tool from Symantec Here and save it to your desktop.

Please reboot your computer into Safe Mode. (Tap F8 on reboot and select Safe Mode)

In safe mode run the Abwiz removal tool by double clicking FixAbwiz.exe

When the tool has finished running, you will see a message indicating the number of files scanned and whether it was able to remove the infection. If you are able to, save the report and post it back in your next reply.

Reboot back to Normal Mode

Goto Start Menu > Search > Click All Files and Folders, scroll down to the More Advanced Options which is the last option, click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders

Once they are enabled scroll back up to the All or part of the filename: area and enter this

ncx_hook.exe

Press Search and make a note of where the file is located, probably System32, but it's worth checking.

Then visit VirusTotal and have the ncx_hook.exe file scanned:

Open the scan site and press Browse, locate the file and double click it to load the path into the virus scan window, then press Send. Please copy and paste the results back and let us know if you have any problems finding the file. (If the results show it's infected then remove it from the system; if you're unsure, post the results back first.)

Then update Ewido as they have a new Version available and post back the scan results.

Download Ewido Anti-Spyware
  1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Click on the Scanner tab at the top and then click on Complete System Scan
  4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Please then post back the Ewido log, Symantec's results, VirusTotal's results for the ncx_hook.exe and a new HijackThis log.

Cheers

Andy

AndyManchesta
Hi Jay

It's not really that tough to remove this. I have the files myself: it drops 3 files into system32, one is a harmless compression dll and the others are taskdir.exe and taskdir.dll. It uses rootkit features to hide any files named taskdir, but once the main executable is out of the way it's easy to remove the taskdir.dll as it then becomes visible.

If you are having a lot of problems then it probably means something else you have installed is interfering with the fixes. Sandboxie could be getting in the way if you cannot remove malware, but I've never used it so cannot really comment. If it really is placing things into a sandboxed environment then you really shouldn't be having malware issues.

QUOTE(Sandboxie)

Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.

Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.

Anti-Virus Software, Anti-Spyware Tools

These tools scan your computer files and registry settings looking for known viruses and unsolicited software (spyware). Such tools can only remove viruses and spyware they can identify, and usually only after that software has made its way into your computer.

Contrast this with the Sandboxie approach, which keeps the viruses and spyware trapped in the sandbox, and makes them disappear when you throw away the sandbox.



So I'm not sure what's gone wrong there.

Ewido is now called Ewido Anti-Spyware and not Ewido Anti-Malware, which gives the impression you do not have the latest version. You will probably have to install the new version rather than just check for updates, but Ewido didn't find any problems as it only detected cookies.

You still have the BHO entries in HijackThis, so fix them again.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O2 - BHO: (no name) - {68EC5AD5-CCCC-F445-69AE-ADD6FE9398BE} - (no file)
O2 - BHO: (no name) - {8827364E-F3CC-608A-CF26-9D4382F31CCC} - (no file)

Close all open browser windows and other windows except for HijackThis and press the Fix Checked button.

If you cannot find ncx_hook.exe then it may have already been removed and left its run key behind. Set Windows to show hidden files and folders, then check the Windows and Windows\System32 folders; also check the system32 folder for taskdir.exe and taskdir.dll and remove them if found.

Click Start. Go to My Computer, then the C: drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm, then OK.

Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button, then click Apply and OK.


Download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.


Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
As I'm sure you are aware, your system is wide open to infections as you do not have any Service Packs installed. I'm sure you know they are available, so it's really up to you if you update the system; in its current state the system will keep getting infections as there are currently too many security holes that can be exploited. Navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. No need to get SP2 yet until we see the scan reports, but you should at least get SP1 and the security updates that come with that.

Post back the Blacklight log if it finds hidden files, Kaspersky's log and a new HijackThis log.

Please use the reply button (shown in the image at the bottom of the page) when you reply, as that doesn't quote my response back.

Thanks

Andy
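The entries Andy asks Jay to fix above follow two simple rules: a BHO whose CLSID is registered but whose DLL reads "(no file)" is an orphan, and a Run entry that names a bare file (or one of the file names called out in this thread) has to be located on disk before deciding. The script below is an added example, not part of the thread or of HijackThis; it applies those rules to constructed sample lines modelled on the log, and the KNOWN_BAD names are taken from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample lines in HijackThis v1.99.1 format, modelled on entries
# from this thread; they are not the complete log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {4D0CFB9D-434D-A3BE-555C-A5AE311EC007} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Mw28Rge4X] ncx_hook.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")

# File names that this thread identifies as belonging to the infection.
KNOWN_BAD = {"ncx_hook.exe", "taskdir.exe"}


def command_executable(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries that need attention.

    A "(no name)" BHO is not flagged on its own: only a missing DLL is
    (Spybot's SDHelper.dll is registered without a name and is legitimate).
    """
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, "orphaned BHO: CLSID registered but DLL missing"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = command_executable(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            findings.append((line, "bare file name in Run entry; locate it on disk first"))
        elif base in KNOWN_BAD:
            findings.append((line, f"Run entry launches {base}, named in this thread"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```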
Jay
Andy, thanks. I had auto update on, but was worried about SP2 getting installed so I selected no...
Away for a while, I'll be back this weekend...
Thank you for your time on this, I appreciate it.
Jay
AndyManchesta

No problem

SP2 is a needed upgrade, so once we are sure the system is clean it would be a good idea to upgrade to that and get all the security patches and updates once it's installed, as your current version is well out of date.

Have a good week and we can continue when you return,

Andy