CastleCops, Internet Crime Fighters

Freeprod Toolbar HELP I need to uninstall?
karinkanzuki

Trooper


Joined: Oct 16, 2005
Posts: 10
Location: USA

PostPosted: Sun Oct 16, 2005 5:38 pm    Post subject: Freeprod Toolbar HELP I need to uninstall?

I noticed from another topic (CastleCops Link/t135029-HELP_PLEASE_Freeprod_Toolbar_Problem.html) like this, the user in question had the same problem I'm having.

I installed AdAware, Ewido, as well as HijackThis. Here's my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:21:06 PM, on 10/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINNT\System32\r3proxy.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [strtas] lockx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service75] C:\WINNT\etb\pokapoka75.exe
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\RunServices: [strtas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0297a479c3041c11d300/netzip/RdxIE601.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE



=====================

Can someone help me about this weirdo problem? lol ^_^;; Thanks for the help :3

Omerr

1st Responder


Joined: Jul 05, 2005
Posts: 1155

1st Responders

PostPosted: Sun Oct 16, 2005 5:41 pm    Post subject:

Hello and welcome to CastleCops.

I am currently reviewing your log. Please understand that in order to give you the best answer to your problem, I must dedicate time and thought to your log, so please be patient with me.

I will come back to you with an answer as soon as possible.

Omer.


karinkanzuki

Trooper


Joined: Oct 16, 2005
Posts: 10
Location: USA

PostPosted: Sun Oct 16, 2005 5:46 pm    Post subject:

^_^ Thanks for the welcome--Wow, thank you very much, and I appreciate the help! :*)

Omerr

1st Responder


Joined: Jul 05, 2005
Posts: 1155

1st Responders

PostPosted: Sun Oct 16, 2005 6:19 pm    Post subject:

Hello and welcome to CastleCops.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the author.

Download LQfix and save it to your desktop. Extract the file to your desktop but do not use it yet!

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Double-click LQfix.bat that you saved on your desktop earlier.
A DOS window will open and close again, this is normal.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Viewpoint Manager
Freeprod Toolbar
Gateway or Do More or Gateway Do More


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [strtas] lockx.exe
O4 - HKLM\..\Run: [System service75] C:\WINNT\etb\pokapoka75.exe
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\RunServices: [strtas] lockx.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Folders indicated in BLUE if they still exist:

C:\Program Files\Viewpoint
C:\Program Files\Freeprod Toolbar
C:\Program Files\Gateway


Delete the following Files indicated in RED if they still exist:

lockx.exe >>> Search for this file


Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Now give us a new HijackThis log, along with Panda ActiveScan’s log, so we can make sure your system is clean.


karinkanzuki

Trooper


Joined: Oct 16, 2005
Posts: 10
Location: USA

PostPosted: Sun Oct 16, 2005 8:33 pm    Post subject:

Okay. Here's my Hijack This --second log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:11 AM, on 10/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINNT\System32\r3proxy.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [strtas] lockx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [strtas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0297a479c3041c11d300/netzip/RdxIE601.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE


Here's my Hijack This third log file:
Logfile of HijackThis v1.99.1
Scan saved at 12:02:50 PM, on 10/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINNT\System32\r3proxy.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0297a479c3041c11d300/netzip/RdxIE601.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE

Unfortunately, I wasn't able to find these files you told me to "check and fix":
O4 - HKLM\..\Run: [System service75] C:\WINNT\etb\pokapoka75.exe
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

For some reason I had two files named:
O4 - HKCU\..\Run: [strtas] lockx.exe

Also, I deleted those folders you mentioned; I was NOT able to find a lockx.exe on my computer.


I did a Panda scan, and here's the log for that:

Incident Status Location

Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\Administrator\mc-99-829-0000156.exe
Hacktool:HackTool/Rootkit.C No disinfected C:\Documents and Settings\Administrator\msdirectx.sys
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-99-829-0000156.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet2\mc-99-829-0000156.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-99-829-0000156.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:adware/maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\Windows\mc-99-829-0000156.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0147487.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0147493.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0147494.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0147508.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0147509.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0148508.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0148509.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0148515.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0148517.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149515.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149516.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149522.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149523.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149541.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP312\A0149542.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150541.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150542.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150548.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150549.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150552.dll
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150568.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150569.bat
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150572.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150574.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150576.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150577.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150578.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150579.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150580.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150580.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150583.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150584.dll
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150626.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150628.bat
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150630.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150633.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150634.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150635.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150636.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150637.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150638.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150638.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150640.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150641.dll
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150665.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150666.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150674.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150675.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150676.exe
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150681.dll
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150688.exe
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150742.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP313\A0150743.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150767.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150768.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150777.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150778.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150784.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150785.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150892.dll
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150893.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0150896.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0151893.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0151896.bat
Adware:Adware/EliteBar No disinfected C:\System Volume Information\_restore{DA33509F-C788-4475-973D-E4BFEF54F620}\RP314\A0151904.exe
Virus:W32/Sdbot.EFG.worm Disinfected C:\WINNT\system32\lockx.exe
Hacktool:HackTool/Rootkit.C No disinfected C:\WINNT\system32\msdirectx.sys
Virus:W32/Sdbot.EFG.worm Disinfected C:\xz.bat

Omerr

1st Responder


Joined: Jul 05, 2005
Posts: 1155

1st Responders

PostPosted: Sun Oct 16, 2005 9:37 pm    Post subject:

OK mate that looks so much better...
Let's continue.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Download KillBox. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Documents and Settings\Administrator\mc-99-829-0000156.exe
C:\Documents and Settings\Administrator\msdirectx.sys
C:\Program Files\Common Files\InetGet\mc-99-829-0000156.exe
C:\Program Files\Common Files\InetGet2\mc-99-829-0000156.exe
C:\Program Files\Common Files\mc-99-829-0000156.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\Windows\mc-99-829-0000156.exe
C:\Program Files\DNS\cwebpage.dll
C:\Program Files\DNS\gui.exe
C:\Program Files\Kazaa\bdcore.dll.updpnd
C:\WINNT\system32\lockx.exe
C:\WINNT\system32\msdirectx.sys
C:\xz.bat


Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Erase the following folder indicated in blue:
C:\Program Files\Common Files\InetGet

Next run a full scan in Ewido. Save the log from the scan, and post in here on your next reply.

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Now give us a new HijackThis log, along with Panda ActiveScan’s log and Ewido's log, so we can make sure your system is clean.


karinkanzuki

Trooper


Joined: Oct 16, 2005
Posts: 10
Location: USA

PostPosted: Fri Oct 21, 2005 5:52 am    Post subject:

Hello again; Sorry I'm so late on the reply--I'm SO busy while at school--and I want to fix this ;___;

Anyway, I'm not exactly sure what you're talking about

Quote:
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot)


What do you mean, "for each of the following files below, check the box that says 'unregister .dll before deleting'"? Do I copy and paste each file, and if so, what do I click on next (click on the "X")?

Sorry, I just wasn't exactly clear on that... ^_^;;;

Omerr

1st Responder


Joined: Jul 05, 2005
Posts: 1155

1st Responders

PostPosted: Fri Oct 21, 2005 10:17 am    Post subject:

Ok, let's put it this way:

1) Open KillBox.
2) Check the box that says 'End Explorer Shell While Killing File'
3) You paste the file's address+name into the box.
4) IF the "unregister .dll" is available - check it.
5) You press that X.

Steps 3-5 come over and over again till the end of the files' list.


karinkanzuki

Trooper


Joined: Oct 16, 2005
Posts: 10
Location: USA

PostPosted: Fri Oct 21, 2005 11:24 pm    Post subject: Closer and closer to a clean compy

Okay, here's the Ewido Report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:05 PM, 10/21/2005
+ Report-Checksum: E8952B98

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
C:\!Submit\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\!Submit\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\!Submit\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\!Submit\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@-1shz2prbmdj6wvny-1sez2pra2dj6wjmysidjefpq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.adition[3].txt -> Spyware.Cookie.Adition : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkiupczkfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfl4olcpgbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkogkdpkbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkyehdpcco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkysndzico.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkyuncjshp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjliqhczcap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlowmcjmgp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmiagcpslo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmicgcpklo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmiohd5aeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmisld5cao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyekcjcap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnywld5kfp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[2].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@orf.oewabox[1].txt -> Spyware.Cookie.Oewabox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@spms.bpath[2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@srv1.ad.adition[1].txt -> Spyware.Cookie.Adition : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@vip.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www2.enigmasoftwaregroup[1].txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoumd5mhqqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4qod5ocogmdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlieocjocpqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloelajshoaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlokocpcaqaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyciajigqqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\res17.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Pictures\BACKUPFORSITE.zip/WINDOWS/Desktop/Rocky's stuff/Natalie's crap/encounters.txt -> Trojan.WindowBomb.a : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Pictures\BACKUPFORSITE.zip/WINDOWS/Desktop/Rocky's stuff/Natalie's crap/submit.txt -> Trojan.WindowBomb.a : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINNT\IFinst25.exe -> Backdoor.Ifinst : Cleaned with backup
C:\WINNT\SoftwareDistribution\Download\464ff1fc477d74c6820da4f114404e4c75de8f78/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
C:\WINNT\SoftwareDistribution\Download\464ff1fc477d74c6820da4f114404e4c75de8f78/mrt.exe -> Heuristic.Win32.AVKiller : Error during cleaning
C:\WINNT\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End



Here's the Panda ActiveScan Report:


Incident Status Location

Adware:adware/wupd No disinfected C:\PROGRAM FILES\Media Gateway
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Spyware:spyware/altnet No disinfected C:\WINNT\TEMP\Adware
Adware:adware/elitebar No disinfected C:\Documents and Settings\Administrator\Favorites\Casino & Carrers
Adware:adware/ncase No disinfected Windows Registry
Adware:Adware/BrilliantDigital No disinfected C:\!Submit\bdcore.dll.updpnd
Adware:Adware/Maxifiles No disinfected C:\!Submit\cwebpage.dll
Adware:Adware/Maxifiles No disinfected C:\!Submit\mc-99-829-0000156.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\3342608_2924_268_3616_76.41.tmp

And here's the HiJack Report:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:05 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINNT\System32\r3proxy.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"