results from the Ewido scan.

#1 - not a clue (joined Sep 2006, 56 posts) - 14-09-2006, 07:38 PM
Post scan results

Sent this as advised. There is a w024d245.dll error and we are getting pop-ups and viruses one after another.

Logfile of HijackThis v1.99.1
Scan saved at 06:22:57, on 14/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\dfndrff_e2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\0V8NE5GX\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.madasafish.com/
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {54CF2B2F-5046-4CB3-A998-91439A2B12FC} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [D@@@@ENTEXE] C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe
O4 - HKLM\..\Run: [ojdc962f] RUNDLL32.EXE w024d245.dll,n 003c962c0000000a024d245
O4 - HKLM\..\Run: [newname] C:\\nwnmff_18.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1157778854921
O17 - HKLM\System\CCS\Services\Tcpip\..\{371F7D60-1D13-4B02-8299-637F67DD6C33}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
#2 - imported_Neal (joined Aug 2006, 82 posts) - 14-09-2006, 11:20 PM
Welcome,



Please download Look2Me-Remover.exe by Atribune to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Remover.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX


Then...


Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on ewido in the system tray and uncheck "Start with Windows".
  3. Go to Start > Run and type: services.msc
  4. Press "OK".
  5. In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  6. When you find the guard service, double-click on it.
  7. In the Properties Window > General Tab that opens, click the "Stop" button.
  8. From the drop-down menu next to "Startup Type", click on "Manual".
  9. Now click "Apply", then "OK" and close the Services window.
  10. Once the setup is complete you will need to run ewido and update the definition files.
  11. On the main screen select the icon "Update" then select the "Update now" link.
  12. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, manually update with the Ewido Full database installer from here.
  13. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  14. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  15. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do NOT run a scan yet.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
Now close ewido anti-spyware.

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.



Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
#3 - not a clue (joined Sep 2006, 56 posts) - 16-09-2006, 10:59 PM
Question results from the Look2me-remover

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/16/2006 9:48:24 AM

Infected! C:\WINDOWS\system32\guard.tmp
Infected! C:\System Volume Information\_restore{563E9E98-9AE9-495B-B9A6-21DE97504790}\RP14\A0009812.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{563E9E98-9AE9-495B-B9A6-21DE97504790}\RP14\A0009812.dll
C:\System Volume Information\_restore{563E9E98-9AE9-495B-B9A6-21DE97504790}\RP14\A0009812.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{41B0D7A7-072E-4869-9478-2962B1119D15}"
HKCR\Clsid\{41B0D7A7-072E-4869-9478-2962B1119D15}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3D59D28E-EF98-479D-BE20-B16527374A1D}"
HKCR\Clsid\{3D59D28E-EF98-479D-BE20-B16527374A1D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{ED65678D-D61B-4569-A846-871F39F9CBC1}"
HKCR\Clsid\{ED65678D-D61B-4569-A846-871F39F9CBC1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EBA7C97C-B1C0-44BE-BB38-BCD3B708C448}"
HKCR\Clsid\{EBA7C97C-B1C0-44BE-BB38-BCD3B708C448}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{622FF12E-DB21-4E9B-879D-474FA8D2344E}"
HKCR\Clsid\{622FF12E-DB21-4E9B-879D-474FA8D2344E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B1D0D5E9-D9C3-4994-B65C-FB14A948EF37}"
HKCR\Clsid\{B1D0D5E9-D9C3-4994-B65C-FB14A948EF37}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C9FA0547-5A19-45D5-8BF6-39CF23ADE972}"
HKCR\Clsid\{C9FA0547-5A19-45D5-8BF6-39CF23ADE972}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A6E3244A-03E3-4343-8AA8-779CBAFEAE74}"
HKCR\Clsid\{A6E3244A-03E3-4343-8AA8-779CBAFEAE74}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F27659A8-DDDA-475C-BEAD-6DE9095830EC}"
HKCR\Clsid\{F27659A8-DDDA-475C-BEAD-6DE9095830EC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2AB97C6C-4D0C-461A-A706-6F6DBE7CF63A}"
HKCR\Clsid\{2AB97C6C-4D0C-461A-A706-6F6DBE7CF63A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{800B3488-8C9F-4620-A731-7D0B1708A6F3}"
HKCR\Clsid\{800B3488-8C9F-4620-A731-7D0B1708A6F3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23A7C6AF-25EF-42B7-900E-545B78D9042F}"
HKCR\Clsid\{23A7C6AF-25EF-42B7-900E-545B78D9042F}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
#4 - imported_Neal (joined Aug 2006, 82 posts) - 17-09-2006, 04:42 AM
Excellent, now let me see the rest of the results please. Thanks.
#5 - not a clue (joined Sep 2006, 56 posts) - 17-09-2006, 11:26 AM
Question results from the Ewido scan.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:13:27 16/09/2006

+ Scan result:



C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dnj2011oe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mv22l9fo1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
[776] C:\Program Files\Deskbar\deskbar.dll -> Adware.Softomate : Error during cleaning.
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\awtqnkh.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DT9UACKH\xmen[1].exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iiffeec.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jkkliii.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-789336058-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\0V8NE5GX\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\2MPZTH59\drsmartload46a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\6F43I9U7\drsmartload45a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\6F43I9U7\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\ONQ3K3AR\loader[1].exe -> Downloader.Adload.fg : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\0V8NE5GX\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\5CO94XPU\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\nwnmff_15.exe -> Downloader.VB.amh : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\2MPZTH59\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\8A66WLZL\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\6F43I9U7\dfndrff_e[1].exe -> Hijacker.VB.ia : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\2MPZTH59\SysProtectScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@adviva[2].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@adviva[2].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@adviva[2].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@e-2dj6wfkysiazgep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@e-2dj6wfkykmdjoeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@e-2dj6wjl4wiajcep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@e-2dj6wjlyegd5gko.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@e-2dj6wfkieidjmkp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@e-2dj6wgmyugcjcdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@ehg-bskyb.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@ehg-carphonewarehouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@ehg-autotrader.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@ehg-autotrader.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@ehg-carphonewarehouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@project2.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@project2.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Dawn\Cookies\dawn@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\Glen\Cookies\glen@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Sarah\Cookies\sarah@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end
#6 - imported_Neal (joined Aug 2006, 82 posts) - 17-09-2006, 11:25 PM
Hi,


Please do NOT start a new thread each time you post, post into this thread right here.


I need to see a hijackthis log. Thanks.
#7 - not a clue (joined Sep 2006, 56 posts) - 18-09-2006, 11:57 AM
Question confused

Thought I had sent everything. Don't understand. Plus computer still causing problems and still error coming up, can't access programs very well and very slow?
#8 - imported_Neal (joined Aug 2006, 82 posts) - 18-09-2006, 08:31 PM
Hi,


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Please post a new hijackthis log and the vundo.txt.


Also...



To clean your temp folder, recycle bin, etc., please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Before first use:
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.


Then Reboot (Exit)
#9 - not a clue (joined Sep 2006, 56 posts) - 19-09-2006, 12:43 PM
my hijackthis log

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:08:08 19/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\ssttt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tttss.tmp
C:\WINDOWS\system32\tttss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:23:45 19/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssttt.dll

Beginning removal...
#10 - not a clue (joined Sep 2006, 56 posts) - 19-09-2006, 12:49 PM
Question

It does not appear to have got rid of one file. The computer shut down and rebooted but nothing resumed. Also, the CC cleaner I have on my computer, I will just use this one. There seems to be no more pop-ups but still this warning as above, w024d245.dll, comes on every time access accounts. Plus the computer keeps crashing and we can't always access the internet?