Hello

I was wondering if I could get some help with a virus.

My Internet Explorer constantly wants to close, saying "Microsoft Internet Explorer has encountered a problem and needs to close", usually after I get a pop-up that reads "you may have been infected with the Blackworm virus..." or "... Lupar A virus..." or I get pop-ups for WinAntiVirus 2006.

This happens after about 2-5 minutes online.

I have several virus fix programs on my computer from fixing a previous virus... and when I run Spybot, it fixes programs: Hitbox, Advertising.com, Avenue A Inc, CoreMetrics, DoubleClick, DSO Exploit, MediaPlex, and WebTrends Live.

Please let me know if there's a path I can take to fix these.

Thank you

-D. Scott

Hmm, you are no doubt infected.

Download HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

Logfile of HijackThis v1.99.0
Scan saved at 11:57:14 PM, on 5/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Derek\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\ssqro.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/EconCVX.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-D. Scott

Hi daruk,

You do show signs of infection, but you are using an outdated version (1.99.0) of HijackThis. Please download the current version (1.99.1) and post the new log.

Logfile of HijackThis v1.99.1
Scan saved at 1:05:16 PM, on 5/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Derek\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\ssqro.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/EconCVX.cab
O20 - Winlogon Notify: ssqro - C:\WINDOWS\System32\ssqro.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-D. Scott

Please run HJT again and place a check next to these items.

R3 - Default URLSearchHook is missing

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\ssqro.dll

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O20 - Winlogon Notify: ssqro - C:\WINDOWS\System32\ssqro.dll

Click Fix Checked.

________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\ssqro.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

_________________________________________________

Please download ewido anti-malware; it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.

_______________________________________________

Post a new HJT log, and the ewido log.
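
Triage logic of the kind the helper applied by eye above, as an added example written for this thread (it is not a tool from the original posts or from the HijackThis project). It parses the log format quoted here, pulls out the entry types this post asked to have fixed (R3, O2, O15, O20), and flags any DLL that appears both as an O2 Browser Helper Object and as an O20 Winlogon Notify hook, which is the persistence pattern behind the ssqro.dll entries. The sample lines are constructed from the logs quoted in the thread; the entry descriptions are the usual meaning of each HijackThis section, not text from the page.

```python
"""Triage a HijackThis log: list the entry types acted on in this thread and
flag a DLL hooked both as a BHO (O2) and a Winlogon Notify handler (O20).

Added example for this thread; not code from the original posts or from
HijackThis itself. SAMPLE_LOG is constructed from lines quoted above.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\ssqro.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: ssqro - C:\WINDOWS\System32\ssqro.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# "O2 - <body>", "R3 - <body>", ...: section code, dash, free-form body.
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path ending in .dll or .exe; spaces in paths are allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)

# The entry types the helper fixed in this thread, and why each matters.
REVIEW_TYPES = {
    "R3": "URLSearchHook missing or replaced (search hijack indicator)",
    "O2": "Browser Helper Object, loaded into every Internet Explorer process",
    "O15": "site added to the IE Trusted Zone (relaxed security settings)",
    "O20": "Winlogon Notify DLL, loaded by winlogon.exe at logon",
}


def parse_entries(log_text):
    """Return (type, body) tuples for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def entries_for_review(entries):
    """Keep only the entry types listed in REVIEW_TYPES, in log order."""
    return [(t, b) for t, b in entries if t in REVIEW_TYPES]


def dll_cross_references(entries):
    """Map each DLL path (lower-cased) that is referenced as both an O2 BHO
    and an O20 Winlogon Notify hook to the set of entry types it appears in.
    The same DLL in both places means it is loaded into the browser and at
    logon, so removing only one entry leaves it active."""
    seen = defaultdict(set)
    for t, body in entries:
        for path in PATH_RE.findall(body):
            if path.lower().endswith(".dll"):
                seen[path.lower()].add(t)
    return {p: types for p, types in seen.items() if {"O2", "O20"} <= types}


def triage(log_text):
    """Run both checks over a full log and return the findings."""
    entries = parse_entries(log_text)
    return {
        "review": entries_for_review(entries),
        "bho_and_winlogon": dll_cross_references(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for t, body in result["review"]:
        print(f"[{t}] {REVIEW_TYPES[t]}\n      {body}")
    for path, types in result["bho_and_winlogon"].items():
        print(f"DLL hooked in {sorted(types)}: {path}")
```

Running it against the sample prints the four entries this post asked to have checked, then one cross-reference line for ssqro.dll. Entries such as O4 and O23 are deliberately left out of the review list here; on the logs above they are all legitimate startup items and services, and the point of the example is the narrow set the helper acted on.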

Logfile of HijackThis v1.99.1
Scan saved at 10:14:26 AM, on 5/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Derek\Desktop\HijackThis.exe

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\ssqro.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/EconCVX.cab
O20 - Winlogon Notify: ssqro - C:\WINDOWS\System32\ssqro.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          2:33:21 PM, 5/17/2006
 + Report-Checksum:     A0106B8D

 + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{008A49EF-1F4A-59F9-2873-E623FDFB2AEC} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{271363C4-4477-FB41-7906-D3C2C7F0D6BE} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{46306F43-25AC-5BDC-CDF9-597FEDDF51F2} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{49E652D3-2793-9D17-4C68-C71233622800} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{4A5C6E2E-5A48-2941-6259-E5B9D79F9B78} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{5437D1E0-FA38-41EF-816B-D9F299E767CA} -> Adware.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{6D29CBB6-4199-42AC-DD7B-C150601204D2} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{73365377-B100-0528-36A2-364509405595} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B5F3970B-745E-46AC-B890-E08F69777D80} -> Adware.Searchforit : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B85FFBF7-B2D8-D30A-8289-46564A899064} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{CAF4D771-8A18-BC86-F551-A768543394E9} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{FD064786-0540-EDEF-EB58-211A5DA521D0} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\picsvr -> Adware.Delfin : Cleaned with backup
    HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\Windows ServeAd -> Adware.BlazeFind : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\NavExcel Ltd -> Adware.NavExcel : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\picsvr -> Adware.Delfin : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-4208801959-960248212-150712343-1007\Software\WinUpdt -> Adware.SecondThought : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@abetterinternet[3].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@as.casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@blp.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@cbs.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@coxhsi.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ehg-nestleusainc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ehg-sportingbet.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@finishline.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@gettyimages.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@giftscom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@goldenpalace[1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Derek\Cookies\derek@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\cln8.tmp -> Downloader.Dyfuca.dx : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\Cookies\derek@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\ei.exe -> Downloader.Small.bgl : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\i10.tmp -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\i17.tmp -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\ptf_0002.exe -> Adware.Pacer : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\ptf_0003.exe -> Adware.Pacer : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe -> Downloader.TSUpdate.k : Cleaned with backup
    C:\Program Files\Aprps -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\ace.dll -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\AI_10-06-2005.log -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\atl.dll -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\CxtPls.dll -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\CxtPls.exe -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\data.bin -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\libexpat.dll -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\ProxyStub.dll -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\uninstaller.exe -> Adware.Apropos : Cleaned with backup
    C:\Program Files\Aprps\WinGenerics.dll -> Adware.Apropos : Cleaned with backup
    C:\WINDOWS\Blue Lace 16.bmp:yccqo -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\bsx32 -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASI2.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASI50.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASICLRE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASICLV.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASIEPRE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASIEZ.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASIMBC.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASISS2RE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ASISSRE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\bspace.html -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPC.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPD.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPE.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPF.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPFAM.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPFI.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPFIN.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPG.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPH.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPHL.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPJ.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPM.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPMTV.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPN.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPR.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPS.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPSHOP.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPSP.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\TMPW.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\WEBS1.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\WEBS2.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\bsx32\ZNETGP.bsx -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\clock.avi:qdveq -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\comsetup.log:jenjk -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\control.ini:xhwjv -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\DirectX.log:hhpop -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\KB823182.log:oizwu -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\LUINSTALL.LOG:qcfvg -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\ocmsn.log:xdphn -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\orun32.isu:pdjie -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\Q813347.log:aitto -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\Q814995.log:afmta -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\setuplog.txt:lcmmm -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\SynthCoreA.Dll:rgnzr -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\system32\bbdmmxr.exe -> Downloader.Qoologic.q : Cleaned with backup
    C:\WINDOWS\system32\ca.dll -> Adware.SearchIt : Cleaned with backup
    C:\WINDOWS\system32\Cache\876004.exe -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\system32\Cache\bs51-egihsg51-va.exe -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\system32\Cache\dist006.exe -> Downloader.VB.eu : Cleaned with backup
    C:\WINDOWS\system32\Cache\e121307.Stub.exe -> Downloader.Delmed.a : Cleaned with backup
    C:\WINDOWS\system32\Cache\InstallAPS.exe -> Dropper.Agent.lu : Cleaned with backup
    C:\WINDOWS\system32\Cache\optimize.exe -> Downloader.Dyfuca.ei : Cleaned with backup
    C:\WINDOWS\system32\Cache\optimize7.exe -> Downloader.Dyfuca.ei : Cleaned with backup
    C:\WINDOWS\system32\Cache\pi1_60.exe -> Downloader.Small.aal : Cleaned with backup
    C:\WINDOWS\system32\Cache\s030109.Stub.exe -> Dropper.Agent.hl : Cleaned with backup
    C:\WINDOWS\system32\Cache\setup1024.exe -> Dropper.Agent.hl : Cleaned with backup
    C:\WINDOWS\system32\Cache\stlb2_dist41.exe -> Dropper.Agent.hl : Cleaned with backup
    C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\TASKMAN.EXE:anpam -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\twain_32.dll:loigp -> Downloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\vbaddin.ini:nijxq -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\vmmreg32.dll:qnkam -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\Windows Update.log:lwfmv -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\winhlp32.exe:ewyzp -> Downloader.Agent.ap : Cleaned with backup


::Report End

I am still getting popups under the names winantivirus pro, sysprotect, and errorsafe, which I think are all one program.

Thanks
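The ewido report above is in a simple `path -> Detection : Action` line format, and the most interesting entries are the ones like `C:\WINDOWS\clock.avi:qdveq`, where the downloader sits in an NTFS alternate data stream attached to a legitimate Windows file (the host file itself is clean; only the stream needs removing). Here is an added helper, not part of the thread or of ewido, that parses such a report, separates tracking-cookie noise from real malware hits, tallies detection families, and lists the host files carrying hidden streams; the sample lines are copied from the report above.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the ewido report format, quoted from
# the thread above (paths and detection names exactly as they appear there).
SAMPLE_REPORT = r"""
    C:\Documents and Settings\Derek\Cookies\derek@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Derek\Local Settings\Temp\ei.exe -> Downloader.Small.bgl : Cleaned with backup
    C:\Program Files\Aprps\CxtPls.exe -> Adware.Apropos : Cleaned with backup
    C:\WINDOWS\Blue Lace 16.bmp:yccqo -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\clock.avi:qdveq -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\system32\Cache\876004.exe -> Adware.Mirar : Cleaned with backup
"""

# One report line: "<path> -> <Family.Variant> : <action taken>"
LINE_RE = re.compile(r"^\s*(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\s*$")
# A second ':' after the drive letter means the object is an NTFS alternate
# data stream ("file:stream"), not a file of its own.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:(?P<stream>[^\\:]+)$")


def parse_report(text):
    """Turn report text into a list of finding dicts; unrecognised lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        detection = m.group("detection")
        family = detection.split(".")[0]          # "Downloader.Agent.bc" -> "Downloader"
        ads = ADS_RE.match(path)
        findings.append({
            "path": path,
            "detection": detection,
            "family": family,
            "action": m.group("action"),
            "is_cookie": family == "TrackingCookie",
            # For an ADS hit, record the stream name and the clean host file separately
            "ads_stream": ads.group("stream") if ads else None,
            "host_file": path.rsplit(":", 1)[0] if ads else path,
        })
    return findings


def summarize(findings):
    """Cookie count, real-malware count, per-family tallies and ADS-hosted hits."""
    malware = [f for f in findings if not f["is_cookie"]]
    return {
        "cookies": sum(1 for f in findings if f["is_cookie"]),
        "malware": len(malware),
        "by_family": dict(Counter(f["family"] for f in malware)),
        "ads_hosts": [f["host_file"] for f in malware if f["ads_stream"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("tracking cookies:", summary["cookies"])
    print("malware hits:", summary["malware"], summary["by_family"])
    for host in summary["ads_hosts"]:
        print("legitimate file carrying a hidden stream:", host)
```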

It is a Vundo Infection...

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Let me know if that stops them :)

VundoFix V4.2.74

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 1:57:15 PM 5/20/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqro.dll
C:\WINDOWS\System32\orqss.ini
C:\WINDOWS\System32\orqss.bak1
C:\WINDOWS\System32\orqss.bak2
C:\WINDOWS\System32\orqss.ini2
C:\WINDOWS\System32\orqss.tmp

C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\ssqro.dll
Attempting to delete C:\WINDOWS\System32\ssqro.dll
C:\WINDOWS\System32\ssqro.dll Has been deleted!

Logfile of HijackThis v1.99.1
Scan saved at 8:10:23 PM, on 5/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Derek\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/EconCVX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FIRSTPROPERTY.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = FIRSTPROPERTY.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FIRSTPROPERTY.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FIRSTPROPERTY.LOCAL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you so much for your help.

-D.Scott
