Thread ID: 67781 2006-04-05 14:07:00 Spyware Quake problem- Hijack this log posted Sick Puppy (6959) Press F1
Post ID Timestamp Content User
444293 2006-04-07 08:31:00 Speedy's and then yours in that order- the way I read both posts I assumed I should use HJT to remove/fix the registry entries and then download the programs you outlined to clean up any loose ends e.g. virus files that were still left on my computer after following Speedy's advice. Was/is this the correct approach? Having not done this sort of thing before on a PC, I just did it the way I read it... :blush:

I'm at work at the moment printing out this thread, the other SpywareQuake one and user info for the downloads you mentioned as well as HJT. Definitely need to do the reading- fact is I simply don't know enough about running these types of programs (i.e. anything that's not Windows! :D ), so sitting down and reading everything from scratch is gonna be my best bet. Pancake, please tell me if I am going about this the wrong way- I want my PC sorted, but I don't want to step on any toes either! :)

regards

Andrew
Sick Puppy (6959)
444294 2006-04-07 09:10:00 It's ok. No problem, but it's best to run the programs first as they are made to dig a bit further to remove hidden files. You can always run them after... :) Pancake (6359)
444295 2006-04-07 09:52:00 Yeah, from the reading I've been doing while I've been printing the stuff out, I have gone the wrong way! Will read thoroughly, then try again! Doh! Thanks for your help Pancake, appreciated!

Yup, I'm definitely a newbie! :D
Sick Puppy (6959)
444296 2006-04-07 16:37:00 Hi guys!

Pancake, I followed the instructions you gave me, and Ewido removed about 47 infected files. I did the logs (or at least I hope I did!), so here goes:

BitDefender log. Hope this is what you want- it didn't give me anything else!

BitDefender Online Scanner - Real Time Virus Report
Generated at: Sat, Apr 08, 2006 - 02:50:39

Scan Info
Scanned Files 252589
Infected Files 0

Virus Detected
No virus found.


This summary of the scan process will be used by the BitDefender Antivirus
Lab to create aggregate statistics about virus activity around the world.


Hijack This log. I performed this in safe mode using the Administrator's access.
Logfile of HijackThis v1.99.1
Scan saved at 03:00:09, on 08/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143181161062
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37610.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Content of the Smitfiles log
smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 08/04/2006
The current time is: 0:37:38.32

Running from
C:\Program Files\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

Security Toolbar

~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

ewido log
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 01:33:54, 08/04/2006
+ Report-Checksum: 4DEF8699

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\stickrep.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@microsoftuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Andrew Comrie\Cookies\andrew comrie@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Andrew Comrie\Application Data\Mozilla\Firefox\Profiles\8d5x4h0n.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Program Files\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\sq.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.exe -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcr71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\msvcp71.dll -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\blacklist.txt -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ref.dat -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Lang\English.ini -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Logs -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\Quarantine -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.url -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\uninst.exe -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\ignored.lst -> Adware.SpywareQuake : Cleaned with backup


::Report End
Sick Puppy (6959)
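Reading a HijackThis log by eye, the way the helper does in this thread, comes down to a handful of checks: is any running process or autorun a name the anti-malware scan reported, is a core Windows binary running from somewhere other than system32, does an O4 entry launch a script, does an O9 entry point at a file that no longer exists, where do the O16 ActiveX controls download from, and which O23 services carry no vendor string. The script below is an added example, not code from the thread nor from HijackThis, smitRem or ewido; it applies exactly those checks to a HijackThis 1.99-style log. The sample log is a constructed excerpt modelled on the one posted above: the SpywareQuake Run value and dfrgsrv.exe are taken from the ewido report, while the C:\WINDOWS\svchost.exe process and the cab.example.invalid host are invented purely to exercise the checks. The heuristics and the trusted-host list are this example's own assumptions, not rules from any of the tools.

```python
"""HijackThis log triage (added example; the heuristics are the example's own)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Core Windows binaries that should only run from %windir%\system32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".vbs", ".js")
# Names from the ewido report in the thread: Run value, program exe, dropped files.
EWIDO_NAMES = frozenset({"SpywareQuake", "SpywareQuake.exe", "dfrgsrv.exe",
                         "stickrep.dll", "interf.tlb"})
# ActiveX download hosts seen in the posted log and treated as expected (assumption).
TRUSTED_DPF_HOSTS = frozenset({"download.bitdefender.com", "update.microsoft.com",
                               "download.zonelabs.com"})

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.+)$")
O4_NAMED_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - (?P<desc>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First program on a command line, quoted or not, even when its path contains spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|cmd|bat|vbs|js|scr|lnk))"?(?=[\s,]|$)',
                    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # "process", "O4", "O9", "O16" or "O23"
    item: str     # what identifies the entry in the log
    reason: str


def split_command(cmd: str) -> tuple[str, str]:
    """Return (basename, directory) of the program a command line starts, lower-cased."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return "", ""
    exe = m.group("exe")
    return ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()


def review_hjt_log(text: str, known_bad=frozenset(), trusted_dpf_hosts=frozenset()) -> list[Finding]:
    """Walk a HijackThis log and return the entries that deserve a second look."""
    bad = {n.lower() for n in known_bad}
    findings: list[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            exe, folder = split_command(line)
            if exe in bad:
                findings.append(Finding("process", line, "matches a name from the anti-malware scan report"))
            elif exe in CORE_SYSTEM_BINARIES and not folder.endswith("\\system32"):
                findings.append(Finding("process", line, "core Windows binary running outside %windir%\\system32"))
            continue
        if m := O4_RE.match(line):
            rest = m.group("rest")
            if named := O4_NAMED_RE.match(rest):
                name, cmd = named.group("name"), named.group("cmd")
            else:  # "Global Startup: foo.lnk = target"
                name, _, cmd = rest.partition(" = ")
            exe, _ = split_command(cmd)
            if name.lower() in bad or exe in bad:
                findings.append(Finding("O4", name, "autorun entry for a name the anti-malware scan reported"))
            elif exe.endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding("O4", name, "logon autorun launches a script; confirm it is expected"))
        elif m := O9_RE.match(line):
            if "(file missing)" in m.group("target"):
                findings.append(Finding("O9", m.group("clsid"), "browser button/menu item points at a missing file"))
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in trusted_dpf_hosts:
                findings.append(Finding("O16", m.group("name"), f"ActiveX control downloaded from unvetted host {host!r}"))
        elif m := O23_RE.match(line):
            exe, _ = split_command(m.group("path"))
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", m.group("name"), "service carries no vendor string; verify the binary by hand"))
            elif exe in bad:
                findings.append(Finding("O23", m.group("name"), "service binary matches the anti-malware scan report"))
    return findings


# Constructed excerpt: C:\WINDOWS\svchost.exe and cab.example.invalid are invented.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\dfrgsrv.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://cab.example.invalid/x.cab
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


def review_sample() -> list[Finding]:
    return review_hjt_log(SAMPLE_LOG, EWIDO_NAMES, TRUSTED_DPF_HOSTS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"[{f.section}] {f.item}: {f.reason}")
```

A flag from this script is a prompt to look closer, not a verdict: the Zshutdown entry that runs sysprep.cmd is reported only because any script launched at logon deserves a look, not because the log shows it doing anything wrong, and the same goes for a service listed with "Unknown owner". The value of the check against the ewido names is that it answers the question asked later in the thread: whether the entries an anti-malware tool reported still appear anywhere in a fresh HijackThis log.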
444297 2006-04-07 16:44:00 Hi Pancake, I've posted the file logs- please let me know if they are incomplete (or worse still, if something is wrong!).

Spyware Quake appears to be gone, so thanks for that- woo-hoo! There was just a shortcut left which I deleted from the desktop and the recycle bin, and an entry in Zone Alarm which I removed also.

Incidentally, the registry/processes listed in my original HJT log that I did not need- are they still there, and do I tick them to fix/remove them as I would the malware? I would look, but I'm a bit tired at the mo!

If anybody needs me, I'll be in my room- sleeping! :waughh:

And for my next trick, tomorrow I'll be having a look at the settings on my browsers- Mozilla's in, IE is out... plenty of reading to do!

Thanks again!
Sick Puppy (6959)
444298 2006-04-08 00:33:00 Just curious, but my ZoneAlarm keeps on blocking a generic Win 32 application from using the internet- did not come up before this happened (don't recall anything trying to enter the internet from my laptop before). Anybody with any ideas? :confused: Sick Puppy (6959)
444299 2006-04-08 00:58:00 That's all good. The infection has gone.


If you wish to do so, here are a few things that you can do that will help keep your computer a bit cleaner and a bit safer..

If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile:

Run Disk Cleanup
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.


Now that you are clean, it's now a good time to flush out your restored files.

To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

How Do I Protect My Computer Against Future Malware Now I'm Clean.

NOTE: You may have already taken some of these steps.

Update your anti-virus software & Windows operating system on a daily or weekly basis. Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches. How to update your Windows operating system (http://www.windowsupdate.com/)

Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options….
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.

Some Recommended Protection Programs

Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, it's recommended that you use more than one malware removal program. Don't forget to back up your data files before starting a scan!

Some available programs are:

Ad-Aware (http://www.lavasoft.com/)
SpyBot Search & Destroy (http://www.safer-networking.org/en/index.html)

Now that you are clean, to help protect your system I recommend that you get the following free programs:
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing.
SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) to catch and block spyware.
IESpy-Ad (http://www.aumha.org/secure.htm) to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol (http://www.winpatrol.com/) to monitor any changes that programs make to the registry.


Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm


Here is a helpful article:
"So how did I get infected in the first place?"
computercops.biz/postlite7736-.html

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
Pancake (6359)
444300 2006-04-08 01:26:00 Cool- I already have Ad-Aware, Spybot Search and Destroy, AVG and Zone Alarm, and usually try to update them every week (though Spybot gave me problems last week)- same with Windows Update.

So tonight, I undertake the disk cleanup, flush the restored files etc, check the security settings on my browsers and check out those other four programs you suggested. Oh, and work out what the hell a Generic Host Process is for Win32 services.

Yup, not a day for surfing! :D

Thanks again Pancake- have a great weekend!
Sick Puppy (6959)
444301 2006-04-08 01:32:00 There is no malware in your log so I would say it's safe to let that Win32 out on the net. Pancake (6359)
444302 2006-04-08 04:37:00 Yeah, I think it was the settings on Zone Alarm- I ramped everything up to high on IE and ZA for damage control- one virus had already gotten through, didn't need any more! :)

ZA never gave me the option- it simply denied access and told me about it afterwards! lol

Better shoot off- buying toys for the laptop! (okay, cleaning stuff and CD-Rs, so not really toys, but shopping is shopping!)

Cheers,
A.
Sick Puppy (6959)