Can't play installed games.


18 replies to this topic

#1 OFFLINE   LoganX

    Advanced Member

  • Members
  • 72 posts

Posted 15 March 2006 - 01:41 AM

Any CD game I try to play has now become unplayable ever since I installed Windows SP2.
I'm not sure if it's the update that did this or maybe my lack of anti-spyware/antivirus protection.
In any case, can anyone check out my HT log? Much thanks.


Logfile of HijackThis v1.99.1
Scan saved at 20:40:21, on 2006-3-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Elaine\LOCALS~1\Temp\Rar$EX00.125\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\admparsel.dll
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbj.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: Google 搜索(&G) - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 反向链接 - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 类似网页 - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: 缓存的网页快照 - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: 翻译英文字词(&T) - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/g...GameManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A53EEF7-E8D3-4B0F-A062-9CB21A13ABFA}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks in advance.

#2 OFFLINE   DjLizard

    Dial-a-fix author

  • Members
  • 1,339 posts

Posted 15 March 2006 - 02:14 AM

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

That would be bad. You're only going to be able to delete that from outside of Windows, such as a bootable CD-ROM with NTFS write support (like NTFSDOS Pro), BartPE, ERD Commander, or some other NTFS-writable bootable disc (Knoppix maybe?). You could even mount your hard drive as a slave in someone else's machine and use their system to delete windows\system32\st3.dll. Once you've deleted it, you can return to Windows and delete that entry using HJT, and then scan with Ad-Aware, Spybot, etc etc.

#3 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 15 March 2006 - 09:03 AM

Hi LoganX

Although DjLizard is right that it's sometimes very difficult to remove entries running from the Winlogon/Notify key, it is possible and doesn't require you to use BartPE methods at this stage. Winlogon can be stopped without it crashing the machine by stopping its protecting file first (smss.exe), but it's not something you need to worry about as there are tools that will attempt to do that for you.

I've not checked the log in any detail but thought I'd try to provide an easier solution than you having to delete it from outside of Windows. You have Trojan Delf and Trojan Wareout showing, so let's attempt to remove them first.

You also need to get some Anti-Virus/Anti-spy and Firewall software installed, but we can discuss that a bit later.

You may want to print out these instructions or copy and paste them to notepad and save them to your desktop for reference, since you will have to restart your computer during the fixes.


Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it (*Note: the author isn't English, so you need to press Installeren). This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt back into your next reply.


Please download FixWareout from one of these sites:

FixWareout Link 1
FixWareout Link 2

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the contents of the text that will open (report.txt), the c:\windelf.txt and a new Hijackthis log.

If you have any Internet Problems after removing Wareout follow this:

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Andy

#4 OFFLINE   LoganX

    Advanced Member

  • Members
  • 72 posts

Posted 15 March 2006 - 09:50 PM

Thanks for helping me out guys, but can you explain to me how I could mount my hard drive onto another person's computer?

#5 OFFLINE   LoganX

    Advanced Member

  • Members
  • 72 posts

Posted 15 March 2006 - 10:05 PM

Here's the windelf file:

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbg.dll
adsldpbl.dll
adsldpbg.dll
netdde.dll
alt.exe

File(s) found in system32 folder
--------------------------------
st3.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman ©2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} REG_SZ st3
{0B5F7FDF-0717-45BF-B49D-695F3168C7FE} REG_SZ Master Browseui

Notify key
----------
subkey st3 is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman ©2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{0B5F7FDF-0717-45BF-B49D-695F3168C7FE} REG_SZ Master Browseui

Notify key
----------

Here's the report file from fixwareout

Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMYOD.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\CSLOU.EXE
* csr.exe C:\WINDOWS\System32\CSLOU.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

And here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:16:28, on 2006-3-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Quan\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {716C236B-D68B-3D34-D0ED-0EB96DA51E04} - bhoserv.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\admparsel.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\adsldpbl.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TemplateDongle] Shaitan1678.exe
O4 - HKCU\..\Run: [MsNetHelper] bingo9.exe
O4 - HKCU\..\Run: [cmon14] avpmondll.exe
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/g...GameManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A53EEF7-E8D3-4B0F-A062-9CB21A13ABFA}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts

Posted 16 March 2006 - 12:17 AM

Good work, that's looking much better. Still a lot left to do :)

Can you download the attached zip file to your desktop (Loganfix.zip) and extract the file by right clicking it and choosing Extract All, then double click Loganfix.bat, which is inside the folder. It will only take a few seconds to run, then open Notepad showing what it found and if anything remains; please post that back.

Install some Antivirus software. CA EZ Antivirus provides great protection and is a one year free trial for all Microsoft users. (I've just posted the link on your other post here, so install it on both machines.)

http://www.my-etrust...ft/Default.aspx

After that is installed carry on with the steps below.

Run Hijack This and choose Do A system Scan then place checks next to these entries:

R3 - URLSearchHook: (no name) - {716C236B-D68B-3D34-D0ED-0EB96DA51E04} - bhoserv.dll (file missing)
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\admparsel.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll (file missing)
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\adsldpbl.dll (file missing)
O4 - HKCU\..\Run: [TemplateDongle] Shaitan1678.exe
O4 - HKCU\..\Run: [MsNetHelper] bingo9.exe
O4 - HKCU\..\Run: [cmon14] avpmondll.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http:// static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A53EEF7-E8D3-4B0F-A062-9CB21A13ABFA}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202

Close all open browser and other windows making sure only Hijack This remains open then press the Fix Checked button.

Run Fixwareout again and post back the log it produces to confirm the infection has been removed.

Run CA EZ Antivirus on a full system scan.

Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

All The Best

Andy

#7 OFFLINE   LoganX

    Advanced Member

  • Members
  • 72 posts

Posted 16 March 2006 - 01:30 AM

Thanks for all the help Andy. Here's the report:


Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts

Posted 16 March 2006 - 05:36 AM

Hi LoganX

That's looking fine but I'd still like to see a Pandascan log if possible. The Loganfix.bat file you run will create some results in Notepad and open them and also save the results to C:\Drive named files.txt. Can you open that and check it? It should show about 5 or 6 files detected on the File Check part and then show no files in the File Remaining area. If it doesn't show any files remaining then I do not need to see it and you can delete the file.

You will find that most scanners we use will find different files, so we cannot run one and say everything is fine. I appreciate you wanted to know about your installed games and what I'm asking you to do takes a lot of time, but at this stage we need to be sure the system is clean before looking at the game problem in case it's the malware that's causing it. Installing Ewido on your machine would also help in that, as it finds a lot of junk that some others miss and it's free (shows a 14 day trial but performs fine after that expires as an 'On-Demand' scanner and remover). Here's the setup instructions for Ewido if it's needed.

Download, install, update and scan your system with the free version of Ewido Anti-Malware from HERE
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. From the main ewido screen, click on update in the left menu, then click the Start update button.
    3. After the update finishes (the status bar at the bottom will display "Update successful"),
Now open Ewido, click on the Scanner button in the left menu, then click on the Complete System Scan button. This scan can take quite a while to run, so time to go get a drink and a snack :)
If ewido finds anything, it will pop up a notification. You can select Remove and check the boxes Perform action with all infections and Create encrypted backup before clicking on OK.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back.

A good example of the way malware can interfere is your O17 entries that we just fixed. All your search requests on the Internet have been going through the Ukraine before getting to the sites you want, which can lead to pages you have never heard about being served instead of the ones you wanted. Here's details on where they were being sent, so we cannot look at any technical problems until we are sure there is no malware left on the system.

Chat to you later

Andy
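
Added example (not part of any post in this thread, and not code from HijackThis or the removal tools named above): the kinds of entries the helper picked out of the log, namely targets marked "(file missing)", Run values with no path, the O17 static NameServer lines and the O20 Winlogon Notify DLL, can be pulled out of a HijackThis log for review. The function names and the expected_dns allowlist are assumptions of this example; the sample lines are copied from the logs posted above, and a hit means "look at this", not "this is malware".

```python
import re

# Sample input: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {716C236B-D68B-3D34-D0ED-0EB96DA51E04} - bhoserv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsNetHelper] bingo9.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA550E9-E5FC-4DDF-931C-E689CAAF9EAF}: NameServer = 85.255.116.150,85.255.112.202
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
O17_RE = re.compile(
    r"^HKLM\\System\\(CCS|CS\d+)\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$"
)
O4_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*): \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")


def parse_entries(text):
    """Return (code, body) for every line shaped like 'O17 - ...'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def static_dns(entries):
    """Map interface GUID -> static DNS servers and the control sets holding them."""
    result = {}
    for code, body in entries:
        m = O17_RE.match(body) if code == "O17" else None
        if not m:
            continue
        control_set, guid, value = m.groups()
        info = result.setdefault(guid, {"servers": [], "control_sets": []})
        for server in re.split(r"[,\s]+", value.strip()):
            if server and server not in info["servers"]:
                info["servers"].append(server)
        if control_set not in info["control_sets"]:
            info["control_sets"].append(control_set)
    return result


def run_executable(command):
    """First token of a Run command, honouring a leading quoted path."""
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split()[0]


def triage(text, expected_dns=frozenset()):
    """Return (code, reason, detail) tuples for entries worth a manual look.

    expected_dns is an assumed allowlist: the resolvers this machine is
    supposed to use. Any static NameServer outside it is reported.
    """
    entries = parse_entries(text)
    findings = []
    for code, body in entries:
        if body.endswith("(file missing)"):
            findings.append((code, "target file missing", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in run_executable(m.group(3)):
                findings.append((code, "autorun without a full path", m.group(3)))
        elif code == "O20":
            m = O20_RE.match(body)
            if m:
                findings.append((code, "Winlogon Notify DLL", m.group(2)))
    # One finding per interface, however many control sets repeat the value.
    for guid, info in static_dns(entries).items():
        unknown = [s for s in info["servers"] if s not in expected_dns]
        if unknown:
            findings.append(
                ("O17", "static DNS not in expected set", f"{guid} {','.join(unknown)}")
            )
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {detail}")
```

Running the same function on a log taken after the fix, with expected_dns set to the resolvers the connection should be using, shows whether a static NameServer value is still present in any control set.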

#9 OFFLINE   LoganX

    Advanced Member

  • Members
  • 72 posts

Posted 16 March 2006 - 05:50 PM

Here's the ewido report that you asked for:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:47:40, 2006-3-16
+ Report-Checksum: 69AEA6CD

+ Scan result:

HKU\S-1-5-21-1078081533-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-2222-408A-9842-CDBE1C6D37EB} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1078081533-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} -> Downloader.Delf : Cleaned with backup
HKU\S-1-5-21-1078081533-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1078081533-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} -> Trojan.CWSMeup.b : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Elaine\Cookies\elaine@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@cnetasiapacific.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@counter2.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@e-2dj6wjk4emdjecq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@e-2dj6wjk4khazoeo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@e-2dj6wjlokoazeho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@ehg-bestbuy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@ehg-idg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@gulliver.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@msnchinajv.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@ogilvyshanghai.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@site.x10[2].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@xxxcounter[2].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Quan\Cookies\quan@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Quan\Local Settings\Temp\Cookies\quan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Quan\Local Settings\Temp\Cookies\quan@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Local Settings\Temp\Cookies\quan@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quan\Local Settings\Temp\Cookies\quan@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\neuobafu\lrasclts\ssrtulnl.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\neuobafu\nqfserbour\fmrpumpca.exe -> Adware.Gator : Cleaned with backup
C:\RECYCLER\S-1-5-21-1078081533-2000478354-725345543-1003\Dc14.exe -> Trojan.Favadd.an : Cleaned with backup
C:\RECYCLER\S-1-5-21-1078081533-2000478354-725345543-1003\Dc15.exe -> Trojan.Qhost.df : Cleaned with backup
C:\RECYCLER\S-1-5-21-1078081533-2000478354-725345543-1003\Dc16.exe -> Adware.Msnagent : Cleaned with backup
C:\WINDOWS\1.d -> Downloader.Delf.afm : Cleaned with backup


::Report End

As for the panda report, I still have to complete that and will post the report back asap. I really appreciate your help Andy. Hopefully we can get to/fix the problem.

#10 OFFLINE   LoganX


Posted 16 March 2006 - 06:13 PM

PandaScan Report::


Incident Status Location

Spyware:spyware/media-motor Not disinfected C:\WINDOWS\unstall.exe
Adware:adware/alexa-toolbar Not disinfected Windows Registry
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Quan\Cookies\quan@66.246.209[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Quan\Cookies\quan@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Quan\Cookies\quan@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Quan\Cookies\quan@adultfriendfinder[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Quan\Cookies\quan@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Quan\Cookies\quan@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Quan\Cookies\quan@dist.belnk[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Quan\Cookies\quan@fe.lea.lycos[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Quan\Cookies\quan@go[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Quan\Cookies\quan@ig.com[1].txt
Spyware:Cookie/Inet-Traffic Not disinfected C:\Documents and Settings\Quan\Cookies\quan@inet-traffic[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Quan\Cookies\quan@landing.domainsponsor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Quan\Cookies\quan@offeroptimizer[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Quan\Cookies\quan@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Quan\Cookies\quan@revenue[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Quan\Cookies\quan@xiti[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Elaine\Cookies\elaine@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Elaine\Cookies\elaine@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Elaine\Cookies\elaine@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elaine\Cookies\elaine@realmedia[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elaine\Local Settings\Temp\Cookies\elaine@realmedia[1].txt
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Quan\Cookies\quan@66.246.209[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Quan\Cookies\quan@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Quan\Cookies\quan@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Quan\Cookies\quan@adultfriendfinder[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Quan\Cookies\quan@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Quan\Cookies\quan@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Quan\Cookies\quan@dist.belnk[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Quan\Cookies\quan@fe.lea.lycos[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Quan\Cookies\quan@go[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Quan\Cookies\quan@ig.com[1].txt
Spyware:Cookie/Inet-Traffic Not disinfected C:\Documents and Settings\Quan\Cookies\quan@inet-traffic[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Quan\Cookies\quan@landing.domainsponsor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Quan\Cookies\quan@offeroptimizer[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Quan\Cookies\quan@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Quan\Cookies\quan@revenue[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Quan\Cookies\quan@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Quan\Desktop\Comp Cleaner\win32delfkil\Process.exe


So there's everything. Awaiting your next instructions. :)

#11 OFFLINE   LoganX


Posted 16 March 2006 - 06:19 PM

Added an extra post, my bad.

#12 OFFLINE   AndyManchesta


Posted 16 March 2006 - 08:24 PM

Hi LoganX

Things are looking good, just a few files left to remove. I will check the logs over now and reply a bit later. Can you explain a bit more about your games and what is going wrong with them?

Cheers

Andy

#13 OFFLINE   AndyManchesta


Posted 16 March 2006 - 08:42 PM

Hi Again

There's only one file to remove there. CCleaner will take care of all your cookies and temp files, so run that and press the Run Cleaner button.

Delete this file


C:\WINDOWS\unstall.exe


You can also delete the win32delfkil folder from this location as it's not required now:

C:\Documents and Settings\Quan\Desktop\Comp Cleaner\win32delfkil


Just for info: Panda has detected one of the delfkil files as a Potentially unwanted tool. It's Process.exe, and it's a great little tool to add to fixes as you can use it to stop any file. In that fixtool it was used to stop winlogon.exe and smss.exe and then some Trojan Delf files, as it needed to stop winlogon to be able to remove the Trojan files. It's not a threat but isn't needed now, so you can remove the folder from your system.

Try to give as much information as possible about the game issue and I will try to help with that if I can.

Andy

#14 OFFLINE   LoganX


Posted 17 March 2006 - 07:56 AM

Thanks again for helping me out. Anyways, like every time I install a game, it works perfectly, I mean the installation. But then when I run it, it starts to load, but then the computer automatically reboots itself. I tried to run it in Safe Mode and the games actually worked. So I believe it could be the Windows Service Pack 2 that is causing the problem, but I can't manage to find it in Add/Remove Programs. It shows all the Windows updates but it doesn't show Windows XP SP2. So yeah, that's pretty much it. So hopefully that was of some use to figure out how to solve the problem. Thanks so much.

#15 OFFLINE   AndyManchesta


Posted 17 March 2006 - 08:26 AM

Hi LoganX

A few questions :) Have you tried re-installing them now we have cleaned up the PC? Does it do this with all the games you have or just one or two? When the machine reboots, does it go to a blue error screen first with some writing displayed?

Can you try this:

Go to Start Menu > Run > type

eventvwr

Press OK

When the Event Viewer screen opens you will see three sections listed on the left menu (Application, Security and System). Can you delete all the events that are saved in each section? Right click Application and choose 'Clear All Events' (no need to save them when it asks), then do the same for Security and System so there are no events showing.

This way, if it reboots the system next time you play a game, the information should be written back into this area on either the System or Application tab. If we do not reset it first then it will be difficult to know if the event is connected to the system crash, but once it's reset it should be easier to see what's causing it.

After removing all the events, run one of your games, and if it crashes again let me know and we can have a look at the Event Viewer again.


I will post info on removing Service Pack 2, but it's really not recommended as it will leave your system open to infections. SP2 closes a lot of security holes that malware writers exploit, so it is going to be a lot easier for them to infect you if you remove the Service Pack. It's not possible to remove SP2 in some cases, but that depends on whether the $ntservicepackuninstall$\spuninst folder exists.

Here are removal instructions for SP2, but please try the Event Viewer option first to see if that shows something useful next time it crashes and reboots.

How to remove Windows XP Service Pack 2 from your computer

Regards

Andy

#16 OFFLINE   LoganX


Posted 17 March 2006 - 05:40 PM

Hi Andy. I've tried your method of erasing all the events but it still crashed, and no, it did not go to a blue error screen first before it crashed. It turned black and then it just rebooted itself. Also, I've tried to look for the SP2 folder to uninstall it but I still couldn't find it.

#17 OFFLINE   AndyManchesta


Posted 17 March 2006 - 06:07 PM

I cannot remove SP2 on my own PC as it's included on the disk, so it's possible you cannot either. Resetting the events was just so if it did crash you can check it again to see if it showed what caused the system to reboot. If you cleared them and it crashed after that, can you open Event Viewer again (Start Menu > Run > type eventvwr and press OK), then check the System and Application tabs for red circles with white X's, as they would indicate errors. If you find any, double click the logged event on the right pane to open details in a new window, then left click and cover all the text and press Control & C to copy it. You can then right click into a reply here and choose Paste to post them back. If you do find errors in Event Viewer, also include the Event IDs, which will be displayed when you open the event details in a new window, as that will make it easier to help.

Are these games downloaded from the Internet? I could test them out if they are. Or do you have them all on disk? Does it also do that with any of the games, or is it just one that you play often?

Andy

#18 OFFLINE   LoganX


Posted 18 March 2006 - 05:42 PM

Eventvwr logs ::

Application::
Type Date Time Source Category Event User Computer
Information 2006-3-18 12:04:21 SecurityCenter None 1800 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:16 ATI Smart None 105 N/A QUAN-2C1F23D4B3

Security::
Type Date Time Source Category Event User Computer
Success Audit 2006-3-18 11:59:22 Security System Event 517 SYSTEM QUAN-2C1F23D4B3

System::
Type Date Time Source Category Event User Computer
Information 2006-3-18 12:14:13 Tcpip None 4201 N/A QUAN-2C1F23D4B3
Error 2006-3-18 12:04:48 System Error (102) 1003 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:40 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Error 2006-3-18 12:04:35 System Error (102) 1003 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:33 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:33 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:32 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:32 Service Control Manager None 7035 LOCAL SERVICE QUAN-2C1F23D4B3
Information 2006-3-18 12:04:29 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:29 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7035 SYSTEM QUAN-2C1F23D4B3
Information 2006-3-18 12:04:23 Service Control Manager None 7036 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:04:08 Tcpip None 4201 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:03:53 Tcpip None 4202 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:03:48 Save Dump None 1001 N/A QUAN-2C1F23D4B3
Information 2006-3-18 12:03:48 eventlog None 6005 N/A QUAN-2C1F23D4B3

Well, the specific game I want to play comes on CD. It's called Starcraft BroodWars. However, I had tested other CDs as well and all of them crash as well. I tried reinstalling the games and playing them again, but the second the game starts to run, the screen goes black and the computer restarts. It's almost like a ghost pressing the restart button RIGHT when I click on the game icon =/

What's even more frustrating is that not only does running a CD make my computer crash... Changing the screen resolution without the CD ALSO crashes my computer... well, causes an unwanted restart.

I'm really hoping the pros here can help me out =/

P.S. I can't uninstall SP2 either =/
P.S. x2 Thanks for your devoted help, Andy :) You're the best.

#19 OFFLINE   AndyManchesta


Posted 18 March 2006 - 08:34 PM

Hi LoganX

It looks like the information is from the main screen and doesn't contain details about the event. If you find one with a red circle and a white X, which means it's an error, can you double click the error on the right pane to open it in a new window? If there are no errors then this area isn't going to help, so we can try other things.

Here's a screenshot to show what I mean

Posted Image

I don't need to see any of the details from the Security tab or any that show as Information. If it has Error in the name and it's on the System or Application tab then it may be connected. If none of them show Error in the name then this isn't going to help find a solution. If there are errors I also need to see the Event ID, which you can see on the pop-up screen when you double click the error entry (as shown in the screenshot).

Do you have an ATI disk for your graphics card? If so, can you install it again and let me know if it helps?

Cheers

Andy