Another Hijack log
Started by mjmurphy23, Jun 18 2006 01:13 AM
14 replies to this topic
#1
Posted 18 June 2006 - 01:13 AM
My story: I applied for a job on Craigslist and was careless when the reply came a week later informing me to click the link to fill out the online application. If I was paying attention, I would have immediately been suspicious of the address. I have McAfee SiteAdvisor on Firefox which turned red immediately, but I think I was already infected when I hit the link. I use Symantec Virus protection and Internet Security from Earthlink and a full system scan came back clean. I use Ad-Aware Personal SE religiously and never surf porn, casinos... I'm as careful as I can be. I ran CCleaner and in the 'Issues' I get 3 ActiveX/Issues that come up every time now, and the cleaner won't get rid of them. Spybot has picked up 6 problems that now occur each scan. With your advice to others, I installed Ewido, which came up completely clean, but Panda came up with 1 virus and 35 spyware that cannot be fixed, unless purchased. I also just tried Spyware Doctor which found 8 problems that can be fixed for $29.95. Do I need to purchase Panda or Spyware Doctor? Well I ran HijackThis, and I would greatly appreciate it if you would analyze and make recommendations on solutions, and if the HijackThis fixes are enough, or if I should purchase one of the spyware programs. Sorry for the long version, but I thought I would tell you my security approach to make it easier on you. Thank you. Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:49:50 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\DUnetVPN\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\user\Local Settings\Temp\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O4 - Global Startup: University of Denver DUnetVPN4.6.04.lnk = C:\Program Files\DUnetVPN\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138656075164
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {C1A8AF25-1257-101B-8FB0-0020AF039CA3} (Microsoft Multimedia Control, version 6.0) - http://voicemail.du....load/mciobj.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\DUnetVPN\cvpnd.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
#2
Posted 18 June 2006 - 02:03 AM
Hi mjmurphy23 , Welcome to the forum
There are no obvious signs of infection in your log, so I would like to see what Spybot and Pandascan are finding and in what location. We do tend to only advocate the use of free programs, as any problems can be removed once we know where they are. I appreciate some of the paid removers do offer great protection, but I personally do not like to pay to remove junk, so I wouldn't ask someone else to do that. Pandascan is an excellent scanner, and one of the main reasons we use it so often is because it can generate a report and show where the problem files are. Once we have that information there are a lot of options to use to remove the files, depending on how nasty they are.
Can you run Spybot again, and when it's finished the scan and goes to the results page, right-click inside the results area and choose the "copy results to clipboard" option; then you can right-click inside a new reply here and choose Paste, which will copy the report back on here.
Run Pandascan again, and once it's finished scanning the system click the See Report button, then Save Report, and save it to a convenient location so you can post it back.
You currently have HijackThis running from your Temp folder, which needs moving, as HijackThis creates backups when items are fixed, and if it's left in its current location you may lose the backups if you clear the temp folders at any time. Because of its current location it's easier to remove HijackThis from the system by going to Start Menu > Control Panel > Add or Remove Programs and then removing HijackThis. Download it again from Here, but do not run it from the download link; first save it to the C:\ drive, then extract and run the program.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all open browser and other windows except for HijackThis, and press the Fix Checked button.
Please post back the Spybot results and the Pandascan log and we can take it from there.
Thanks
Andy
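How a helper reads O23 and R3 lines like the ones above, as an added example (Python; not part of the original thread and not HijackThis code): it parses a few lines copied from the log in this thread and flags the ones worth a second look: "(file missing)" or "(no file)", "Unknown owner", a binary outside Program Files or WINDOWS, and a CLSID that is not a well-formed {GUID}, which is what makes the R3 entry Andy picked out an orphan. The sample lines, the expected-path rule and the flag names are assumptions for the example; none of the flags proves an infection, they only order the review.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus the R3 entry Andy asked to have fixed.
SAMPLE_LINES = [
    r"O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)",
    r"O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe",
    r"O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe",
    r"R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
]

# HijackThis separates the fields of a line with " - "; the trailing
# "(file missing)" marker is optional on O23 (service) lines.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\S+) - (?P<file>.+)$")
# A well-formed CLSID: {8-4-4-4-12 hex digits}, braces included.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Where a service binary is normally expected to live (assumption for the example).
EXPECTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def triage_line(line):
    """Return (kind, name, reasons) for one recognised line, or None.

    reasons is a list of review flags; empty means nothing stood out.  None of
    the flags proves malware: "Unknown owner" only says the binary carries no
    company name, and a missing file is usually left over from an uninstall.
    They are simply the entries a helper looks at first.
    """
    m = O23_RE.match(line)
    if m:
        reasons = []
        if m.group("missing"):
            reasons.append("file missing")
        if m.group("owner") == "Unknown owner":
            reasons.append("unknown owner")
        if not m.group("path").lower().startswith(EXPECTED_ROOTS):
            reasons.append("unusual path")
        return ("O23", m.group("name"), reasons)
    m = R3_RE.match(line)
    if m:
        reasons = []
        if m.group("file") == "(no file)":
            reasons.append("no file")
        if not CLSID_RE.match(m.group("clsid")):
            reasons.append("malformed CLSID")
        return ("R3", m.group("name"), reasons)
    return None


def triage(lines):
    """Parse every recognised line and keep only those with at least one flag."""
    flagged = []
    for line in lines:
        parsed = triage_line(line)
        if parsed and parsed[2]:
            flagged.append(parsed)
    return flagged


if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE_LINES):
        print(f"{kind} {name}: {', '.join(reasons)}")
```

Run against the four sample lines it flags the SQL helper service (missing file, no owner), WLTRYSVC (no owner, which is normal for a Dell wireless tray service) and the R3 hook (no file, broken CLSID), and stays quiet on the Norton service. That matches Andy's read of the full log: nothing points at an infection, and the one entry worth fixing is the orphaned URLSearchHook.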
#3 OFFLINE
Posted 18 June 2006 - 02:10 AM
Thanks for the quick response. I will do as you suggested, and repost with the necessary info.
AndyManchesta, on Jun 17 2006, 08:03 PM, said:
Hi mjmurphy23 , Welcome to the forum
#4 OFFLINE
Posted 18 June 2006 - 02:11 AM
Let us know if you have any problems
Please use the button at the bottom of the page when you reply, as that doesn't quote my response back.
Thanks
#5 OFFLINE
Posted 18 June 2006 - 02:50 AM
Here are the results for Spybot. Although I chose to copy results to clipboard, it also included old findings. The top 9 are what keeps recurring, but I'll leave the others in case they may help you. I will post Panda and the new Hijack log soon. Thanks.
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-23 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-06-02 Includes\Cookies.sbi (*)
2006-06-02 Includes\Dialer.sbi (*)
2006-06-02 Includes\Hijackers.sbi (*)
2006-06-02 Includes\Keyloggers.sbi (*)
2006-06-02 Includes\Malware.sbi (*)
2006-06-02 Includes\PUPS.sbi (*)
2006-06-02 Includes\Revision.sbi (*)
2006-06-02 Includes\Security.sbi (*)
2006-06-02 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-06-02 Includes\Trojans.sbi (*)
#6 OFFLINE
Posted 18 June 2006 - 02:58 AM
So far that's fine. If you log into hotmail it will add a cookie from DoubleClick/FastClick, so they are not a threat. Cookies are just text files, and many sites use them. They store everything from user preferences, last post read at forums, language preference, or even the items you order at a site on-line (your "shopping basket"). Other sites use them to track what ads you've already seen, or pages you selected, to try to deliver you similar ads. They are more of a privacy concern, as the ones being detected are being added by a company that has banner ads on the site you visit and not by the site itself, but you can use Ccleaner to remove them; these companies have banner ads on a lot of sites, so they will return after browsing for a while.
You can restrict cookies by opening an IE browser window and going to Tools on the top bar, then Internet Options > click the Privacy tab, and you can adjust your cookie settings. You could even click Advanced on that page and restrict third-party cookies getting onto your system, which are the ones that get detected in scans, but do not block first-party cookies if you use that option, as you would then have to keep logging into sites you use and resetting your preferences.
Let us know how Panda gets on.
Cheers
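What the scanners are actually looking at when they report a "tracking cookie", as an added example that is not from the original thread or from any of the tools named in it: Firefox 1.x kept cookies in a tab-separated cookies.txt (the Netscape cookie file format: domain, domain-wide flag, path, secure flag, expiry, name, value), and a detection is nothing more than a domain in that file matching the scanner's list of ad networks. The script below parses a constructed cookies.txt, matches each domain against a short tracker list taken from the Spybot and Panda detections in this thread (a real scanner ships its own, much longer list), and rewrites the file without those entries while keeping first-party cookies, which is the effect of the CCleaner step Andy describes. The sample file and the tracker list are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample in the Netscape cookies.txt format used by Firefox 1.x:
# tab-separated domain, domain-wide flag, path, secure flag, expiry (Unix
# time), name, value.  Lines starting with "#" are comments.
SAMPLE_COOKIES_TXT = "\n".join([
    "# HTTP Cookie File",
    "# http://www.netscape.com/newsref/std/cookie_spec.html",
    ".doubleclick.net\tTRUE\t/\tFALSE\t1262304000\tid\t80000000abcdef",
    ".fastclick.net\tTRUE\t/\tFALSE\t1262304000\tadv_c\tx",
    "login.example.com\tFALSE\t/\tTRUE\t1262304000\tsession\tsessiontoken",
    ".advertising.com\tTRUE\t/\tFALSE\t1262304000\tACID\tabc",
    ".microsofteup.112.2o7.net\tTRUE\t/\tFALSE\t1262304000\ts_vi\t[CS]v1",
    "forums.example.org\tFALSE\t/\tFALSE\t1262304000\tlast_read\t4421",
    "",
])

# Ad-network domains, taken from the Spybot and Panda detections in this
# thread.  A real scanner ships a much longer definition list.
TRACKER_DOMAINS = (
    "doubleclick.net", "fastclick.net", "advertising.com", "atdmt.com",
    "mediaplex.com", "2o7.net", "tribalfusion.com", "hitbox.com",
)


@dataclass
class Cookie:
    domain: str
    domain_wide: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str


def parse_cookies_txt(text):
    """Parse Netscape-format cookie text; malformed lines are skipped, not fatal."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def tracker_for(domain, trackers=TRACKER_DOMAINS):
    """Return the tracker a cookie domain belongs to, or None.

    A leading dot means the cookie applies to all subdomains; a subdomain of a
    tracker (".microsofteup.112.2o7.net") still counts as that tracker.
    """
    host = domain.lstrip(".").lower()
    for tracker in trackers:
        if host == tracker or host.endswith("." + tracker):
            return tracker
    return None


def find_tracking_cookies(text, trackers=TRACKER_DOMAINS):
    """(domain, cookie name, tracker) for every cookie set by a listed ad network."""
    hits = []
    for cookie in parse_cookies_txt(text):
        tracker = tracker_for(cookie.domain, trackers)
        if tracker:
            hits.append((cookie.domain, cookie.name, tracker))
    return hits


def strip_tracking_cookies(text, trackers=TRACKER_DOMAINS):
    """Rewrite the file without the tracking cookies, keeping first-party ones.

    Comments and any line that does not parse are kept untouched so the file
    stays valid for the browser.
    """
    kept = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 7 and not line.startswith("#") and tracker_for(fields[0], trackers):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for domain, name, tracker in find_tracking_cookies(SAMPLE_COOKIES_TXT):
        print(f"{domain}\t{name}\t-> {tracker}")
```

On the sample this reports the four ad-network cookies and leaves the two first-party ones (the login session and the forum's last-read marker) alone, which is the distinction Andy's IE Privacy advice relies on: blocking third-party cookies stops the detections, blocking first-party ones logs you out everywhere.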
#7 OFFLINE
Posted 18 June 2006 - 03:35 AM
And here are the Panda Results we have all been waiting for...Thanks
Incident Status Location
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.go.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[a.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[a.as-us.falkag.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.hitbox.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.trafficmp.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.advertising.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[bilbo.counted.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.247realmedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.ads.pointroll.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[server.iad.liveperson.net/hc/91238938]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[server.iad.liveperson.net/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.clickbank.net/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[.targetnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies-1.txt[www.burstbeacon.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.go.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\mcu5jpc8.default\cookies.txt[.advertising.com/]
Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm[/HowCanITestDetection.html]
#8 OFFLINE
Posted 18 June 2006 - 03:50 AM
Thanks for the log, again it's looking fine, which is nice to see. The virus is actually a test file so you can test the Antivirus Real Time protection, so it's not a threat; you can read more about that here
http://www.eicar.org...s_test_file.htm
All the main AV vendors are aware of this file, so it's a great, safe way of testing the AV protection. As soon as you click one of the links at the above page the AV real time protection should alert that it's blocked the Eicar test virus, which can be useful if there are any doubts about the Real Time monitoring being enabled.
You can control a lot of the cookies using Ccleaner if you want; I tend to use it every day before shutting the PC down to remove cookies and temp files from the system.
EDIT: Removed Ccleaner download link after noticing you already mentioned it was installed in the first post
Run Ccleaner and press the Run Cleaner button to remove temp files, then close the program.
Can you run a final scan with Ewido to be certain there are no remaining issues on the PC.
Download Ewido Anti-Malware from HERE
- When installing, under "Additional Options" uncheck "Install background guard"
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"),
- Click on the Scanner button in the left menu, then click Complete System Scan.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back.
It's worth keeping Ewido installed, as it performs fine after the trial has expired as an on-demand scanner/remover and its detection rate is excellent. It just stops the Auto Updates and Real Time protection, but you can still update Ewido manually and run scans any time you want.
Please post the Ewido report back if it detects any issues, but it's not a problem if it only finds cookies.
Thanks
Andy
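The EICAR rules Andy refers to, as an added example that is not from the original thread or from eicar.org: the test file is a fixed 68-byte ASCII string, optionally padded with whitespace (space, tab, LF, CR, Ctrl-Z) to at most 128 bytes in total. Anything else that merely contains the string, such as a help page inside a .chm that quotes it for the reader, is not a valid test file, but a scanner that matches on the string will still report it, which is presumably why Panda names the PestPatrol hit Eicar.Mod rather than plain Eicar. The script below checks both cases and can write a genuine test file for the real-time-protection check Andy describes. The sample help page is constructed (the real PestPatrol Help.chm is not reproduced), and the string is assembled from two halves at run time only so that this script is not itself mistaken for a test file.

```python
# The EICAR string is joined from two halves at run time so neither this
# script nor its compiled bytecode contains it contiguously.
EICAR = b"".join((b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                  b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))

# Whitespace eicar.org allows after the string: space, tab, LF, CR, Ctrl-Z.
TRAILING_WHITESPACE = b" \t\n\r\x1a"
MAX_TEST_FILE_SIZE = 128

# Constructed stand-in for a help page that quotes the string.
SAMPLE_PREFIX = b"<html><body><p>Paste this into a text file to test your scanner: "
SAMPLE_HELP_PAGE = SAMPLE_PREFIX + EICAR + b"</p></body></html>"


def is_eicar_file(data):
    """True only for a valid EICAR test file by eicar.org's rules: the 68-byte
    string first, optionally followed by whitespace, 128 bytes at most."""
    if len(data) > MAX_TEST_FILE_SIZE or not data.startswith(EICAR):
        return False
    return all(byte in TRAILING_WHITESPACE for byte in data[len(EICAR):])


def find_embedded_eicar(data):
    """Offsets at which the string occurs inside a larger file.

    A scanner that matches on the string will report these too, even though
    the file is not a valid test file; that is what a "modified EICAR"
    detection inside a help file or archive amounts to.  Harmless, but it will
    keep showing up in scans until the file is excluded or removed.
    """
    offsets, start = [], 0
    while True:
        index = data.find(EICAR, start)
        if index < 0:
            return offsets
        offsets.append(index)
        start = index + 1


def classify(data):
    """'test file', 'embedded' or 'clean' for a file's content."""
    if is_eicar_file(data):
        return "test file"
    if find_embedded_eicar(data):
        return "embedded"
    return "clean"


def write_test_file(path):
    """Write a valid test file.  A working real-time scanner should block or
    quarantine it on the spot; delete it afterwards or it will keep alerting."""
    with open(path, "wb") as f:
        f.write(EICAR)


if __name__ == "__main__":
    print(len(EICAR), "bytes;", classify(EICAR), "/", classify(SAMPLE_HELP_PAGE))
```

Calling write_test_file("eicar.com") on the machine under test is the on-disk equivalent of clicking the download links on the eicar.org page: if the real-time monitor is enabled it should react before the file is even fully written.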
#9 OFFLINE
Posted 18 June 2006 - 04:56 AM
I just wanted to thank you again for your efforts. I'm relieved that I'm clean. My computer seems to be bogged down on many occasions and does not always perform optimally; that is why I believed something had gotten into my computer. Well, thanks to you I have peace of mind.
I just have one more question for you. When I run the issues scan in CCleaner, I still get three ActiveX/COM issues and now 2 Missing MUI references (looks like these 2 are from a Temp folder from HijackThis). I was not able to copy the report, but the first ActiveX issue is MailFileAtt, #2) mapifvbx.object and 3) mapifvbx.object1; all with a bunch of numbers in parentheses.
Should I be concerned with any of these? This is my last inquiry, promise.
P.S. Ewido came back clean
#10 OFFLINE
Posted 18 June 2006 - 05:26 AM
This may indicate there is a permission problem on those keys. Can you download This file and save it to your desktop, right click and choose Extract All, then double click RunThis.cmd. It will export the keys as a backup first, then adjust the permissions and attempt to remove them. When it's finished it will open the results in Notepad and save that into the RemKeys folder. Can you post that back and let us know if CC still finds the keys after it's run.
Cheers
#11 OFFLINE
Posted 18 June 2006 - 05:38 AM
The three ActiveX Issues still showed up, and here are the results:
Resetting Permissions and Removing Registry Keys...
Checking if Reg Keys still Remains....
MailFileAtt FOUND!
mapifvbx.object FOUND!
mapifvbx.object.1 FOUND!
#12 OFFLINE
Posted 18 June 2006 - 05:45 AM
You're the second person who's recently had a problem with these keys, so I'm afraid you will have to go for them manually and take ownership of the keys first.
Download Reglite from Here
Install and run Registrar lite
On the Address bar at the top copy and paste
HKEY_CLASSES_ROOT\MailFileAtt
then press GO on the right of the address bar. This will locate the folder and highlight it on the menu to the left in blue.
Right click the MailFileAtt folder on the menu to the left and choose Properties, then click Take Ownership and press OK twice to exit the properties pane, then attempt to remove the folder by right clicking it and choosing Delete.
Repeat the steps for these
HKEY_CLASSES_ROOT\mapifvbx.object
HKEY_CLASSES_ROOT\mapifvbx.object.1
The last person who had this problem was able to remove them this way but needed to delete the CLSIDs first, which I assume will be a subfolder to these keys. The good thing about running the last script is at least you now have a backup of these keys before you remove them.
Let us know if you can remove them after taking ownership.
Andy
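The same take-ownership-then-delete procedure as a script, added here as an example and not the forum's RunThis.cmd (whose contents the thread does not show) or part of Registrar Lite: it mirrors the steps above (take ownership, grant Administrators Full Control, back up, delete, then report FOUND!/removed as the thread's script did). It assumes a later Windows with PowerShell run from an elevated prompt and a backup folder on the desktop called RemKeys; the keys and CLSID subkeys are the ones named in this thread.

```powershell
# Added example, not the forum's RunThis.cmd: take ownership of, re-permission,
# back up and delete the three HKCR keys from the thread. Needs an elevated prompt.
$keyNames  = 'MailFileAtt', 'mapifvbx.object', 'mapifvbx.object.1'
$backupDir = (New-Item -ItemType Directory -Force -Path (Join-Path $env:USERPROFILE 'Desktop\RemKeys')).FullName   # assumed folder
$admins    = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$hkcr      = [Microsoft.Win32.Registry]::ClassesRoot
$rwTree    = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$takeOwn   = [System.Security.AccessControl.RegistryRights]::TakeOwnership
$chgPerm   = [System.Security.AccessControl.RegistryRights]::ChangePermissions
# A key whose DACL locks Administrators out can still be opened for WRITE_OWNER,
# but only with SeTakeOwnershipPrivilege enabled in our token (off by default).
Add-Type -Namespace Win32 -Name Priv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)] struct TP { public int Count; public long Luid; public int Attr; }
[DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, int a, out IntPtr t);
[DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string s, string n, out long l);
[DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr t, bool d, ref TP n, int l, IntPtr p, IntPtr r);
public static bool Enable(string name) {
    IntPtr tok; TP tp = new TP(); tp.Count = 1; tp.Attr = 2;   // SE_PRIVILEGE_ENABLED
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out tok)) return false;
    if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
    return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
}
'@
if (-not [Win32.Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Run this from an elevated PowerShell prompt.' }

function Reset-KeyAccess([string]$path) {
    # Write a descriptor that carries only the new owner; nothing else changes yet.
    $k = $hkcr.OpenSubKey($path, $rwTree, $takeOwn)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins); $k.SetAccessControl($sec); $k.Close()
    # An owner always holds WRITE_DAC, so now grant Administrators Full Control.
    $k = $hkcr.OpenSubKey($path, $rwTree, $chgPerm)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
    $k.SetAccessControl($sec); $k.Close()
    # The CLSID subkeys the thread mentions may carry their own broken DACLs, so recurse.
    $k = $hkcr.OpenSubKey($path)
    foreach ($sub in $k.GetSubKeyNames()) { Reset-KeyAccess "$path\$sub" }
    $k.Close()
}

foreach ($name in $keyNames) {
    $probe = $hkcr.OpenSubKey($name, $rwTree, $takeOwn)   # null only if the key is absent
    if ($null -eq $probe) { "$name not present"; continue }
    $probe.Close()
    Reset-KeyAccess $name
    # Back up before deleting, so a double-click on the .reg file restores the key.
    & reg.exe export "HKEY_CLASSES_ROOT\$name" (Join-Path $backupDir "$name.reg") /y | Out-Null
    $hkcr.DeleteSubKeyTree($name)
    if ($hkcr.OpenSubKey($name)) { "$name FOUND!" } else { "$name removed" }
}
```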
#13 OFFLINE
Posted 18 June 2006 - 06:04 AM
All issues are gone from CCleaner. Wow, that was a most impressive learning experience, and your instructions were so accurate and clear. I do not need to keep reglite on my system, or do I? I hope your expertise and help are appreciated by all.
Cheers back to you!
mike
#14 OFFLINE
Posted 18 June 2006 - 06:15 AM
Hey Mike, that's good to hear.
You can uninstall Reglite now using the Add/Remove screen. It's just a safer way to work with the registry, as you can type the path into the address bar and easily take ownership of keys. I'm not sure what's causing this issue, but hopefully it will not happen to many other people, as it's always a bit risky asking someone to edit the registry. You can keep the backup file in the remkeys folder as it's only very small, and even though Ccleaner shows they are not needed it will not do any harm keeping the backup on the system.
Glad I could help Mike
Even though your system didn't have any problems except for the cookies, I will post a few recommended steps below to help keep the PC clean.
Keep Ewido on the system: it shows as a 14 day trial, but it works fine after that has expired as an "On-Demand" scanner and remover which you can manually update and use any time.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware
A tutorial on using Ad-Aware to remove spyware from your computer may be found Here
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here
Keep these programs up-to-date and run them regularly, as this can prevent a great deal of spyware hassle. Also make sure to run your antivirus software regularly and to keep it up-to-date.
Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/
More information on how to prevent malware can be found Here (By Tony Klein) and Here
Following these steps will lower the chances of getting any malware issues, but let us know if you have any questions or problems any time.
Happy Surfing
Andy
#15 OFFLINE
Posted 18 June 2006 - 06:24 AM
Will gladly accept your advice. CCleaner has my highest respect. Thanks.
mike