Need Help Removing Hijacker, Please


This topic is locked
83 replies to this topic

#61 dgosling (SuperMember, Authentic Member, 2,499 posts)
Posted 24 September 2004 - 10:23 AM

wonderful!

Step#1

Please complete at least two of the following Online AV scans, letting them scan and fix what they find:

Panda AV Online Scan
Housecall Trend Micro AV Scan
Bitdefender AV scan
eTrust AV web scanner(Computer Associates)


Step#2

Please make sure you have the latest copy of CWShredder and then run it by clicking fix with all other windows closed

Step#3

Please use Ad-Aware SE to do a Full System Scan with all windows closed and the reference list updated


Step#4

Scan again with HJT

POST a new log file here in this thread with any other problems that the previous tools found and tell me what is happening on your husband's computer now.

Good Luck!

#62 calicocat (Authentic Member, 50 posts)
Posted 24 September 2004 - 11:33 AM

Only one question: the online scans require installation of various files on my husband's computer, some of them ActiveX. Please assure me that these are harmless and can be uninstalled after the scans are complete. Thanks

#63 calicocat (Authentic Member, 50 posts)
Posted 24 September 2004 - 04:07 PM

AV Scan results: The following trojan was found by McAfee: C:\program files\HiJackThis\backups\backup20040912-190458-724.dll. The trojan name was BackDoor-BDD.

Here is a list of the infected files:

C:\WINNT\addns32.dll
C:\WINNT\appme.dll
C:\WINNT\approach.ini:dueyn
C:\WINNT\apprack.ini:eueiz
C:\WINNT\atlnx.dll
C:\WINNT\BestSol.ini\wuxep
C:\WINNT\d3at32.dll
C:\WINNT\EventSystem.log:qhmph
C:\WINNT\FaxSetup.log:iiecb
C:\WINNT\Kyor.ini:hspoy
C:\WINNT\lunin10.exe:noyla
C:\WINNT\mfcad.dll
C:\WINNT\mfcbe32.dll
C:\WINNT\mfcpd32.dll
C:\WINNT\msdfmap.ini:nvwek
C:\WINNT\msdx32.dll
C:\WINNT\mszw.dll
C:\WINNT\muisetup.log:ypzph
C:\WINNT\notepad.exe:obwjh
C:\WINNT\ntdtcsetup.log:jqcid
C:\WINNT\ntkh32.dll
C:\WINNT\n_iwivoi.dat
C:\WINNT\PCS6.LIC:lroer
C:\WINNT\regedit.exe:lhwiv
C:\WINNT\sdkpo32.dll
C:\WINNT\setupact.log:gyvji
C:\WINNT\sysdu32.dll
C:\WINNT\system32\apinf32.dll
C:\WINNT\system32\apipw.dll
C:\WINNT\system32\apiuv.dll
C:\WINNT\system32\appaq.dll
C:\WINNT\system32\apphp.dll
C:\WINNT\system32\crhc.dll
C:\WINNT\system32\d3df.dll
C:\WINNT\system32\ipxq32.dll
C:\WINNT\system32\mfcba.dll
C:\WINNT\system32\mfcsn32.dll
C:\WINNT\system32\msxb32.dll
C:\WINNT\system32\ntgh32.dll
C:\WINNT\system32\ntna32.dll
C:\WINNT\system32\nttk32.dll
C:\WINNT\system32\sdkgn32.dll
C:\WINNT\system32\sdkti32.dll
C:\WINNT\uninstall-temp.exe:vqvnf
C:\WINNT\vb.ini:pcvym
C:\WINNT\vmmreg32.dll:gkyyb
C:\WINNT\webshotsuninstall.exe:cygti
C:\WINNT\winan.dll

A message then came up saying that McAfee had deleted a number of the files but could not delete all of them and that I would need to remove them manually. The scan itself was PAINFULLY slow. I will now scan with one of the online AV scans which you listed.

The following file could not be cleaned: C:\WINNT\sdkpo32.dll. When I tried to clean/quarantine it, I got a 'file not found' message from McAfee.

Before the scan, I was getting an error message whenever I tried to install any programme; it was that "16 bit" system message telling me that winnt\nt.exe was not suitable for running any Windows or DOS applications. Any attempted installs after that message were unsuccessful. I have now installed SpyBlaster and SpyGuard on my husband's computer. His desktop is beginning to look like a Chinese menu :) I will keep you advised of any progress. BTW: does this EVER end?

#64 dgosling (SuperMember, Authentic Member, 2,499 posts)
Posted 24 September 2004 - 05:00 PM

The online scans that download ActiveX controls are safe and can be removed very easily with HJT or manually from 'Windows\Downloaded Program Files'.

You said: "I have now installed SpyBlaster and SpyGuard"

Please uninstall them because they will prevent any fixes from working. They should not be installed until your husband's computer is clean.


I will get back to you shortly

#65 calicocat (Authentic Member, 50 posts)
Posted 24 September 2004 - 05:01 PM

I have done an AV scan in safe mode with Housecall. It found one infected file: C:\winnt\downloaded program files\Media TicketInstaller.ocx. The virus/trojan identified was TROJ DLOADER.BX. I have deleted this file.

I tried to scan with Bitdefender and got the following error message:

16 bit MSDOS subsystem
c:\winnt\avxoscan\plugins\trapdo~1.exe
c:\winnt\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application.

I am offered 2 choices: 'close' & 'ignore'. I have chosen 'ignore'. The scan appears to be running. I have set the scan to:

verify memory
scan emails
scan in archives
scan boot sector
enable R.T.V.R. (whatever that is)

I have not enabled 'auto clean' as I want to see what is picked up.

Status report:
memory OK
Master Boot Record 80 OK (Windows 95 B20 - Windows 98)
partition Boot 1 (primary) (active) ok (windows NT 2000 NTFS)
boot sector of drive A: OK (read error)

The rest of the computer is now being scanned. Stay tuned for more results... :unsure:

#66 calicocat (Authentic Member, 50 posts)
Posted 24 September 2004 - 05:02 PM

Got your message about SpyBlaster/SpyGuard. As soon as this scan is complete, I will uninstall them. They did not appear to load in safe mode.

#67 calicocat (Authentic Member, 50 posts)
Posted 24 September 2004 - 08:43 PM

so far, Bitdefender has found the following:

Trojan.downloader.winupdt.A in C:\program files\hijack this\backups\backup-20040912-190502-581.dll

3 instances of JS.KAK.gen@mm in archived emails

1 instance of win32.yahaa.k@mm in archived emails

CW Shredder indicated that my husband's computer was completely clean.

I scanned with Ad-Aware & HJT. When I try to write the files to CD, I get the following error message:

c:\winnt\system32\autoexec.nt. The system file is not suitable for running MS-DOS & Microsoft Windows applications. Choose 'close' to terminate the application.

When I choose 'ignore' I am able to write to the CD.

Here is the adaware scan log:

Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "partner_id"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\msbb
Value : partner_id

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-790525478-1563985344-1343024091-500\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : my-internet.info

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : my-internet.info
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : fkdfzr.dll
Category : Malware
Comment :
Object : C:\WINNT\system32\



WinAD Object Recognized!
Type : File
Data : ide21201.vxd
Category : Data Miner
Comment :
Object : C:\WINNT\system32\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 8




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\msbb

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 9

10:09:23 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:17.691
Objects scanned:102793
Objects identified:9
Objects ignored:0
New critical objects:9


Here is the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 10:28:06 PM, on 9/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\HiJackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [PNSetup] C:\Program Files\PopNot\PNSetup.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-Aware\Ad-watch.exe /min
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195

I am concerned about these '16 bit MS DOS subsystem' messages. I have never seen this before on my husband's computer and we upgraded to XP about 2 years ago.

Could this be an indication of some sort of decay on the part of the O/S or is it more probably the result of more infection?
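
The two "Trusted zone presumably compromised" findings in the Ad-Aware log above are subkeys of Internet Settings\ZoneMap\Domains. A per-protocol DWORD under such a key assigns the host to a URL security zone: 1 is Local Intranet, 2 is Trusted Sites, 3 is Internet, 4 is Restricted Sites. Putting mt-download.com in zone 2 lets that site install ActiveX controls and run script under the much looser Trusted Sites settings. The Python below is an added example, not part of this thread and not Ad-Aware's own code: it reads a .reg export of that key and lists every host placed in Local Intranet or Trusted Sites. The export text is constructed for the example; only the two hijacker domains come from the log, and corp.example and www.example.com are invented to show an allowlisted intranet entry and a harmless Internet-zone entry.

```python
"""List Internet Explorer ZoneMap entries that put a host in an elevated zone.

Added example, not part of this thread or of Ad-Aware. Input is a .reg export
of the Internet Settings / ZoneMap / Domains key (HKCU or HKLM).
"""
import re
from collections import defaultdict

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
ELEVATED_ZONES = {1, 2}

# Constructed sample export. The two hijacker domains are the ones Ad-Aware
# flagged; corp.example and www.example.com are invented for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
DOMAINS_MARK = "\\ZoneMap\\Domains\\"


def parse_zonemap(reg_text):
    """Return (host, protocol, zone, hive) for every value under the Domains key."""
    entries = []
    current = None  # (hive, host) of the key whose values are being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            idx = path.find(DOMAINS_MARK)
            if idx < 0:
                current = None  # some unrelated key; skip its values
                continue
            # The registry stores www.example.com as Domains\example.com\www,
            # so the subkey chain is reversed to rebuild the host name.
            parts = path[idx + len(DOMAINS_MARK):].split("\\")
            current = (key.group("hive"), ".".join(reversed(parts)).lower())
            continue
        val = VALUE_RE.match(line)
        if val and current:
            hive, host = current
            entries.append((host, val.group("name"), int(val.group("val"), 16), hive))
    return entries


def elevated_hosts(reg_text, allowlist=()):
    """Hosts in Local Intranet or Trusted Sites, minus known-good names."""
    findings = defaultdict(list)
    allowed = {a.lower() for a in allowlist}
    for host, proto, zone, hive in parse_zonemap(reg_text):
        if zone in ELEVATED_ZONES and host not in allowed:
            findings[host].append((proto, ZONE_NAMES[zone], hive))
    return dict(findings)


def format_findings(findings):
    """One line per host/protocol, suitable for pasting into a thread reply."""
    return "\n".join(
        f"{host:24s} {proto:6s} -> {zone} ({hive})"
        for host in sorted(findings)
        for proto, zone, hive in findings[host]
    )


if __name__ == "__main__":
    print(format_findings(elevated_hosts(SAMPLE_REG, allowlist={"corp.example"})))
```

On the infected machine, export both the HKCU and the HKLM copy of the key (regedit, File > Export, or reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg) and feed the file to elevated_hosts; a regedit export is UTF-16, so open it with encoding="utf-16". The script only reads the Domains subkey; the sibling Ranges subkey, where IP address ranges rather than host names are assigned to zones, needs the same check.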

#68 dgosling (SuperMember, Authentic Member, 2,499 posts)
Posted 25 September 2004 - 01:16 AM

This is a result of the infection. I also note that you now have Ad-Watch running, that will also need to be uninstalled for any fix to work. None of the preventative programs should be running at this time or none of the fixes will work.

You should also keep Internet Explorer closed and do not reopen it if you can avoid it, as every time you open it, the infection is completely reinstalled.


On your computer, please download the following tool to determine which system files have had Alternate Data Streams added to them:
ADS Spy
Transfer it to your husband's computer, then please run it and post the results here in this thread.

Please open HijackThis and click Config in the bottom right hand corner. On the next page choose Backups at the top, second from the right. Choose the following two entries individually and delete them:

backup-20040912-190502-581.dll
backup20040912-190458-724.dll



CWShredder was only indicating that there are no CWS entries that it monitors for. It does not mean that his computer is clean. The Ad-Aware log indicates that you are still infected with CWS that is not monitored for.

Then if you receive the MS DOS error again choose close to close the topic.

Scan again with McAfee and post the results here with the results from the ADS scan above.

Good Luck!

#69 calicocat (Authentic Member, 50 posts)
Posted 25 September 2004 - 06:53 AM

I have disabled all the preventative software, booted to safe mode and will now follow the rest of your directions. With all due respect to the amount of time and advice you have invested in this problem - do you really believe that it is fixable? Without a complete O/S re-install? This infection occurred two weeks ago today and I have spent well over 100 hours trying to root it out. It appears that I have made no progress whatsoever. In terms of return on investment, this project seems pointless. I'm willing to just trash the whole thing and start from scratch at this point, as I see no progress at all in the elimination of the problem - not because of your instruction, but because of my apparent inability to follow your instructions correctly.

#70 calicocat (Authentic Member, 50 posts)
Posted 25 September 2004 - 07:08 AM

Most recent ADS log:

C:\WINNT\MedCtrOC.log : ajcro (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\MF_C421.lfa : tjvwi (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\MozillaUninstall.exe : lkgkk (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\MSOPrefs.232 : wmruh (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\PCS6.LIC : ufvsu (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\PCSPATS.DAT : vkwmo (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\Prairie Wind.bmp : olgzq (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\QTFont.for : gmzel (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\QTW.INI : fsgtw (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\QTW.INI : rmskn (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\RESULT.QTW : qmrms (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\setupact.log : woskb (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\SYSINI.QTW : uajmb (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\tl32v20.dll : mturv (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\tsoc.log : tlfgu (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\twain.dll : eumxx (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\twunk_16.exe : lmxmw (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\uninstall-temp.exe : wnaek (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\Webshots.scr : pgwkc (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\wiadebug.log : hhhpe (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\win.002 : aizcy (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)


#71 dgosling (SuperMember, Authentic Member, 2,499 posts)
Posted 26 September 2004 - 12:47 AM

The amount of time invested is not unusual with this infection. If you look through the forum you will notice there are many with 20,30,40,50 responses and I have one that dates back into August.

Reinstalling an OS comes with its own set of problems and can cause hardware failure so we never recommend it. The decision is yours to make. If you decide to reinstall, unless you have a completely wiped hard drive with software that will erase all sectors of the hard drive, there is no guarantee that you will be rid of the infection. The likelihood of still having the infection depends on the type of infection and is relatively low but still there especially with these newer infections.

On reviewing the thread looking for where things have gone wrong, I note the following:
1. Working in Safe Mode prevents any fix. When a computer is in Safe Mode, anything unnecessary to start Windows is hidden by default, so the files will not appear anywhere, in any of the programs that have been used, or in the HJT log. Nothing can be fixed in Safe Mode as there is no way of finding the files.

2. When Online AV scans are run without autoclean, they leave everything they find behind, so the trojans all remain where they were.

3. If a reboot is not done at the time it is scheduled, then all changes that were made will be returned to fully infected.

4. When a browser like IE is hijacked, opening it at all reinstalls the entire infection. For each time it is opened more files become infected.

5. When Ad-Aware is used and the things it finds are not quarantined or deleted, they remain where they were and can reinfect files that have already been cleaned.

6. HijackThis can be a very dangerous program, easily making a computer unbootable, if used to remove the vital system files that are always listed in the log. The reason internet access was lost is that some vital components for the network connection vanished with a fix for other entries.



If you wish to continue the fix for your husband's computer, please do the following:
Follow the instructions in order and do not skip any steps or take any other actions until instructed to, or the repair is likely to fail. Please do not use Safe Mode unless instructed to.

Step#1

1. On your husband's computer please Keep Internet Explorer Closed At All times or the computer will become reinfected

2. Follow the next instructions very carefully step by step, please do not omit anything or add anything to the steps and since you will not be opening IE - nothing will reinstall while removing things this way

3. Go to Start > Control Panel > Internet Options > General and choose Delete Cookies, then choose Delete Files; when you click Delete Files, choose Delete Offline Content. Then choose Clear History.

4. Go to Start > Control Panel > Internet Options > Security. Choose and highlight Trusted Zone then click on Sites. Remove all entries from the window that opens.

5. Go to Start > Control Panel > Internet Options > Security. Choose and highlight Local Intranet then click on Sites. Remove all entries from the window that opens and from the inner window.


Step#2

1. On your computer please download the following tool to determine which system files have had Alternate Data Streams added to them. ADS Spy

2. Transfer it to your husband's computer via floppy or CD

3. In normal mode please make sure there is NO check mark in the 'quick scan' box, and NO check mark in 'ignore safe system info'. Please put a check mark in the 'calculate MD5 checksum' box.

4. scan with ADS Spy, right click in the window>save scan results to disk

5. Transfer the scan results back to your computer and then post them back here into this thread.


Step#3

1. Please scan again in normal mode with McAfee for ADS.

2. Select all of the results (the files from A to L seem to be missing from the last scan results)

3. transfer the results to your computer and then post them here in this thread.


Step#4

You should clean out System Restore because other programs are unable to clean any files in the backups. All Restore Points will be lost when you do this but they are probably infected anyway.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Step#5

1. Scan again with HijackThis in normal mode.


2. Please post the new log file as well as the two logs of ADS
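
Both the McAfee list in post #63 (entries such as C:\WINNT\approach.ini:dueyn, where the part after the colon is a stream name) and the ADS Spy log in post #70 show the same pattern: a random five-letter stream attached to many unrelated files under C:\WINNT, but only four distinct payloads, recognisable because size and MD5 repeat across host files. The script below is an added example, not part of this thread and not ADS Spy's own code. It parses ADS Spy's output format and groups streams by content, so one payload sprayed across many files surfaces as a single finding whatever stream names it hides behind. Empty streams are skipped, and the {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} stream is allowlisted on the assumption that it is the SummaryInformation property stream Explorer writes; the Q30lsldxJoudresxAaaqpcawXc streams from post #72 are left in and are not flagged, because each carries different content. The sample input is a subset of the lines from posts #70 and #72.

```python
"""Triage ADS Spy output: find one payload hidden in many files' alternate data streams.

Added example, not code from the thread or from ADS Spy. The input format is the
one ADS Spy prints:  <host file> : <stream name> (<size> bytes, MD5 <hash>)
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\)$"
)
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes: no payload at all
# Assumption for this example: the SummaryInformation property-set stream that
# Explorer writes when file properties are edited. Treated as noise, not infection.
BENIGN_STREAMS = {"{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"}

# Sample input: a subset of the lines posted in #70 and #72 of this thread.
SAMPLE_ADS_SPY = r"""
C:\WINNT\MedCtrOC.log : ajcro (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\MF_C421.lfa : tjvwi (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\MozillaUninstall.exe : lkgkk (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\PCSPATS.DAT : vkwmo (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\Prairie Wind.bmp : olgzq (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54)
C:\WINNT\QTFont.for : gmzel (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14)
C:\WINNT\QTW.INI : fsgtw (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)
C:\WINNT\QTW.INI : rmskn (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\setupact.log : woskb (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\WINNT\twain.dll : eumxx (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Arctic_fox.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Arctic_fox.jpg : Q30lsldxJoudresxAaaqpcawXc (3452 bytes, MD5 58066FA7021727A01C508782D9D9CF7A)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Barn_owl.jpg : Q30lsldxJoudresxAaaqpcawXc (4368 bytes, MD5 C817D8B2A0E3B191C857821AD6814043)
"""


def parse_ads_spy(text):
    """Return (host_file, stream_name, size, md5) for each well-formed result line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group("host"), m.group("stream"),
                         int(m.group("size")), m.group("md5").lower()))
    return rows


def shared_payloads(rows, min_hosts=3):
    """Group non-empty, non-benign streams by content (md5, size) and keep the
    groups whose identical bytes sit in at least min_hosts distinct host files.
    Stream names vary per host, so grouping by content is what exposes a payload
    that was sprayed across the system directory."""
    hosts = defaultdict(set)
    names = defaultdict(set)
    for host, stream, size, md5 in rows:
        if md5 == EMPTY_MD5 or stream.lower() in BENIGN_STREAMS:
            continue
        key = (md5, size)
        hosts[key].add(host.lower())
        names[key].add(stream)
    return {
        key: {"hosts": sorted(hosts[key]), "stream_names": sorted(names[key])}
        for key in hosts if len(hosts[key]) >= min_hosts
    }


def cleanup_targets(rows, findings):
    """host:stream pairs (the form McAfee listed them in post #63) for every
    stream whose content belongs to a flagged payload group."""
    flagged = set(findings)
    return sorted(f"{host}:{stream}"
                  for host, stream, size, md5 in rows if (md5, size) in flagged)


def format_report(findings):
    """Largest group first; one indented line per host file."""
    lines = []
    for (md5, size), info in sorted(findings.items(), key=lambda kv: -len(kv[1]["hosts"])):
        lines.append(f"payload MD5 {md5} ({size} bytes) in {len(info['hosts'])} files, "
                     f"stream names: {', '.join(info['stream_names'])}")
        lines.extend(f"    {h}" for h in info["hosts"])
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_ads_spy(SAMPLE_ADS_SPY)
    found = shared_payloads(rows)
    print(format_report(found))
    print("\n".join(cleanup_targets(rows, found)))
```

To run it against a real result, save ADS Spy's output to a file and pass its contents to parse_ads_spy. The min_hosts=3 threshold is a triage heuristic, not a signature: two identical streams can still be the payload, and a single random-named stream on a system file such as regedit.exe deserves a look on its own.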

#72 calicocat (Authentic Member, 50 posts)
Posted 27 September 2004 - 07:03 AM

Step 1 - 1: I won't open IE intentionally until you tell me that it is safe to do so.
Step 1 - 3: complete
Step 1 - 4: no sites in trusted zone
Step 1 - 5: no sites in Local Intranet zone

Step 2: ADS Spy results:

C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\33479_wallpaper110.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\33479_wallpaper110.jpg : Q30lsldxJoudresxAaaqpcawXc (5220 bytes, MD5 314CD75EDBC5879EBA14B0726803E176)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\angel-of-the-morn-ll.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\angel-of-the-morn-ll.jpg : Q30lsldxJoudresxAaaqpcawXc (7288 bytes, MD5 597453E468719A8DB755F1D5837714BA)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\animated sig1.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\animated sig1.gif : Q30lsldxJoudresxAaaqpcawXc (3076 bytes, MD5 B4E80E043D88E586B31159C9DEF7D35C)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\animated sig2.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\animated sig2.gif : Q30lsldxJoudresxAaaqpcawXc (4608 bytes, MD5 BE6CBC23F1973C14D74D7DB6C602E24F)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\applebutter_makers.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\applebutter_makers.jpg : Q30lsldxJoudresxAaaqpcawXc (11068 bytes, MD5 11932BD64F947C79E541C9C9FE767615)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Arctic_fox.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Arctic_fox.jpg : Q30lsldxJoudresxAaaqpcawXc (3452 bytes, MD5 58066FA7021727A01C508782D9D9CF7A)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Barn_owl.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Barn_owl.jpg : Q30lsldxJoudresxAaaqpcawXc (4368 bytes, MD5 C817D8B2A0E3B191C857821AD6814043)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\bellywarmers.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\bellywarmers.jpg : Q30lsldxJoudresxAaaqpcawXc (8340 bytes, MD5 2C6A6C2D4BDE30381C67241FCD3BBAB4)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Capecod_christmas.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Capecod_christmas.gif : Q30lsldxJoudresxAaaqpcawXc (11904 bytes, MD5 77DAAE827BA7C7A0F1A36909869A0907)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\capecod_coldfishparty.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\capecod_coldfishparty.jpg : Q30lsldxJoudresxAaaqpcawXc (8100 bytes, MD5 A044E66D479219DA80D2CD50BA8C02F2)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\carnival_capers1.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\carnival_capers1.gif : Q30lsldxJoudresxAaaqpcawXc (8552 bytes, MD5 DED4CBFB5C927D401DFFA946E998EC06)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\carver_coggins.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\carver_coggins.gif : Q30lsldxJoudresxAaaqpcawXc (8252 bytes, MD5 E5CDDEC113CA4870316FBA5AD17664D4)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\christmaseve.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\christmaseve.jpg : Q30lsldxJoudresxAaaqpcawXc (10784 bytes, MD5 7A6A84B2F30885231F34378143645FA9)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\clammers-at-hodges-horn.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\clammers-at-hodges-horn.jpg : Q30lsldxJoudresxAaaqpcawXc (8256 bytes, MD5 147058408E4875D370C0BCA367D64B21)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\cotton_country.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\cotton_country.gif : Q30lsldxJoudresxAaaqpcawXc (9656 bytes, MD5 4CC857D1489FB8A290D5A97552C514C5)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\country_race.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\country_race.gif : Q30lsldxJoudresxAaaqpcawXc (8520 bytes, MD5 7CBE330463DED0EC4C9A490975CDC7C5)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\daddys_coming_home.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\daddys_coming_home.jpg : Q30lsldxJoudresxAaaqpcawXc (4900 bytes, MD5 DFBC4B7B82EB24F7665CAFBF27DCC611)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\dahlia_dinalhaven_makesa_do.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\dahlia_dinalhaven_makesa_do.gif : Q30lsldxJoudresxAaaqpcawXc (8712 bytes, MD5 5D384392693AD0A3B6FDD8088CA4E939)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\devilstoneharbor.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\devilstoneharbor.jpg : Q30lsldxJoudresxAaaqpcawXc (9080 bytes, MD5 79790E5FFDE6839CAB23715C7C330692)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\dreamers.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\dreamers.jpg : Q30lsldxJoudresxAaaqpcawXc (6840 bytes, MD5 2C205E7AD74DE322849105E8E5D10FFC)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\elmr.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\elmr.jpg : Q30lsldxJoudresxAaaqpcawXc (12180 bytes, MD5 3CAC0DF9F08887DCEB60D8F80A4A10EB)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\ethel_the_gourmet.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\ethel_the_gourmet.jpg : Q30lsldxJoudresxAaaqpcawXc (9376 bytes, MD5 E7355E6EA68043E2B9585BF878AB203E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fairhavenbythesea.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fairhavenbythesea.jpg : Q30lsldxJoudresxAaaqpcawXc (5464 bytes, MD5 CAAA96F9A40BE1331BCA121E874724EA)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\feathered_critics.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\feathered_critics.jpg : Q30lsldxJoudresxAaaqpcawXc (4100 bytes, MD5 FEE591A5D966321740EAEB41F8D5D721)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\foxrun.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\foxrun.gif : Q30lsldxJoudresxAaaqpcawXc (11652 bytes, MD5 EA2547EF8E1831DC98FFB67331903291)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\foxyfox_outfoxes_foxHunters.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\foxyfox_outfoxes_foxHunters.gif : Q30lsldxJoudresxAaaqpcawXc (8300 bytes, MD5 D6433251CB440400DEDC49F0A204AEA3)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fredrick_the_literate.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fredrick_the_literate.jpg : Q30lsldxJoudresxAaaqpcawXc (8712 bytes, MD5 B535D31B465EBB227DC3B908FF371B7B)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fun_lovin_silly_folks_1.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\fun_lovin_silly_folks_1.gif : Q30lsldxJoudresxAaaqpcawXc (6204 bytes, MD5 DE9F0973C4228E8CBFB7E9619D48075E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\GenPuck.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\GenPuck.gif : Q30lsldxJoudresxAaaqpcawXc (1676 bytes, MD5 719031BEF51A2AC97602B0DF67C2A9F2)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\goalie - dumb.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\goalie - dumb.gif : Q30lsldxJoudresxAaaqpcawXc (8588 bytes, MD5 5C0E62F3A1B01C6FAE3F53DB2263D1E6)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\handscoloured2a.bmp : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\handscoloured2a.bmp : Q30lsldxJoudresxAaaqpcawXc (8760 bytes, MD5 0B1A8473441EF2D0BBBEAA103864B9D0)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\hickory_haven_canal.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\hickory_haven_canal.jpg : Q30lsldxJoudresxAaaqpcawXc (10408 bytes, MD5 256F9EE3C49FE07E48372EC13AD39D62)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\home_is_my_sailor.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\home_is_my_sailor.jpg : Q30lsldxJoudresxAaaqpcawXc (9276 bytes, MD5 434CC8F3A8934F62FFF0F47957A74413)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Iceridersonchesapeakebay.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Iceridersonchesapeakebay.jpg : Q30lsldxJoudresxAaaqpcawXc (6432 bytes, MD5 391BE4DF8748DCDD7ACFD6528C85793D)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\jingle_bell_teddy_and_friends.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\jingle_bell_teddy_and_friends.jpg : Q30lsldxJoudresxAaaqpcawXc (12040 bytes, MD5 2D929D315A4E851BA597C7DE6E6DDF45)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\jollyhillfarms.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\jollyhillfarms.jpg : Q30lsldxJoudresxAaaqpcawXc (10116 bytes, MD5 734FB5EB71B623B117F1D60113A5827F)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\laborday.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\laborday.jpg : Q30lsldxJoudresxAaaqpcawXc (6768 bytes, MD5 587A9657772C70437917E6B913F4F9E6)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\LL-53.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\LL-53.jpg : Q30lsldxJoudresxAaaqpcawXc (7244 bytes, MD5 128F1E8402D65B52D5454495262ED6AD)
C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\logo-gens.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 
D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\logo-gens.gif : Q30lsldxJoudresxAaaqpcawXc (3976 bytes, MD5 B2434A71BF0677AD8D83B3E9F25389D9) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\love.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\love.jpg : Q30lsldxJoudresxAaaqpcawXc (7216 bytes, MD5 8F6F333D9F854309B13D6A2191205113) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\McAshphaltlogo.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\McAshphaltlogo.gif : Q30lsldxJoudresxAaaqpcawXc (5824 bytes, MD5 710B4F74C8ED6EED4869FA9C51D5C6CA) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Monarch.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Monarch.jpg : Q30lsldxJoudresxAaaqpcawXc (4520 bytes, MD5 EB56DE9F4519F7110FE0F7343E2180BF) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\New_Orleans.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\New_Orleans.jpg : Q30lsldxJoudresxAaaqpcawXc (4948 bytes, MD5 6C4776F02E3AF4BF096D8B795E3A7FC6) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\player - dumb.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\player - dumb.gif : Q30lsldxJoudresxAaaqpcawXc (6592 bytes, MD5 9BD43A09C1EA9A30E83AA1D18768B2DF) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My 
Pictures\Sample.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Sample.jpg : Q30lsldxJoudresxAaaqpcawXc (4592 bytes, MD5 4D0849DE8B99F3AFE5F15F1A5A6A9C69) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\twas_twilight_b4_christmas_.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\twas_twilight_b4_christmas_.gif : Q30lsldxJoudresxAaaqpcawXc (13052 bytes, MD5 A676494E4326EE647E798A50694D0C99) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\underconstruction1.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\underconstruction1.gif : Q30lsldxJoudresxAaaqpcawXc (4540 bytes, MD5 2E7B6F634C1BD1B93ACB1D74D3F8F81C) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\warm_christmas_love.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\warm_christmas_love.gif : Q30lsldxJoudresxAaaqpcawXc (11612 bytes, MD5 1E01F08FCF9ABD988512C0E15042EDEF) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\ws_xmas-1991.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\My Pictures\ws_xmas-1991.jpg : Q30lsldxJoudresxAaaqpcawXc (9616 bytes, MD5 3D0651DF7AD72E97F2C45443E6A9C492) C:\Documents and Settings\Administrator.GATEWAY\My Documents\OMH Site\images\Thumbs.db : encryptable (0 bytes, MD5 
D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Administrator.GATEWAY\My Documents\OMH Site\omh-history_files\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\All Users.WINNT\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGens graphics\Christmas\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGens graphics\Halloween\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGens graphics\orbiter\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGens graphics\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGensPics Unformatted\02-10-16 Cobourg formatted\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGensPics Unformatted\02-10-28 Whitby formatted\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGensPics Unformatted\02-11-06 Peterborough formatted\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGensPics Unformatted\02-11-09 Team Meeting formatted\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\MinGensPics Unformatted\03-30-03 Avalanche\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Derry's Hockey\Website\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\Local Settings\Application 
Data\Microsoft\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\Documents\Centennial College\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\Documents\Community College Article for Web Site_files\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\124-640x480.bmp : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\124-640x480.bmp : Q30lsldxJoudresxAaaqpcawXc (10104 bytes, MD5 E493F99503B87A5F3EF2F0EBE8103FBE) C:\Documents and Settings\Gateway\My Documents\My Pictures\139am.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\139am.jpg : Q30lsldxJoudresxAaaqpcawXc (8804 bytes, MD5 35AABB5B388669E64075753DA5ACD238) C:\Documents and Settings\Gateway\My Documents\My Pictures\3dflagsdotcom_canad2wm.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\3dflagsdotcom_canad2wm.gif : Q30lsldxJoudresxAaaqpcawXc (3080 bytes, MD5 B8CC62D8210C98EEB115047D1D34D3A9) C:\Documents and Settings\Gateway\My Documents\My Pictures\3dflagsdotcom_usa2wm.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\3dflagsdotcom_usa2wm.gif : Q30lsldxJoudresxAaaqpcawXc (3988 bytes, MD5 4DEFDDE33FA6668A9BEF7C508B9DDBD7) C:\Documents and Settings\Gateway\My Documents\My Pictures\89am.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\89am.jpg : Q30lsldxJoudresxAaaqpcawXc (10084 bytes, MD5 
4948A4EEC6D2CAF769D80DF19AE61C09) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132429.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132429.jpg : Q30lsldxJoudresxAaaqpcawXc (4772 bytes, MD5 B2058894FB5DECC333D2A50212E5EE05) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132430.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132430.jpg : Q30lsldxJoudresxAaaqpcawXc (5076 bytes, MD5 C717D11C91CB3C5DCFF01A3B3777C25C) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132431.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132431.jpg : Q30lsldxJoudresxAaaqpcawXc (4692 bytes, MD5 93C783139D2AEDAA9983F88397C17827) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132432.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\ATT132432.jpg : Q30lsldxJoudresxAaaqpcawXc (5220 bytes, MD5 A02D469DB6F4C41527C76FA084B252D9) C:\Documents and Settings\Gateway\My Documents\My Pictures\Dogfight.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Dogfight.jpg : Q30lsldxJoudresxAaaqpcawXc (6712 bytes, MD5 A6007E498FADC07D5A7B8BB04BBCCDE3) C:\Documents and Settings\Gateway\My Documents\My Pictures\Gesundheit.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Gesundheit.gif : Q30lsldxJoudresxAaaqpcawXc (5204 bytes, MD5 1038D46AE6187851169530CD4B0DF4C3) C:\Documents and Settings\Gateway\My Documents\My Pictures\Goose.bmp : 
{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Goose.bmp : Q30lsldxJoudresxAaaqpcawXc (1808 bytes, MD5 EF42CFB7730D8A7F50DD166D6130DABA) C:\Documents and Settings\Gateway\My Documents\My Pictures\How_Do_They_Answer_Their_Phone_.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\How_Do_They_Answer_Their_Phone_.jpg : Q30lsldxJoudresxAaaqpcawXc (6128 bytes, MD5 D93AE01CA124A1F3ED72513129DFBDF5) C:\Documents and Settings\Gateway\My Documents\My Pictures\Jobrating.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Jobrating.jpg : Q30lsldxJoudresxAaaqpcawXc (7868 bytes, MD5 263115320C1B8BFC45926878BD8DE835) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-014F.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-014F.jpg : Q30lsldxJoudresxAaaqpcawXc (6812 bytes, MD5 F305AECD865CD76326F7D403EC464F14) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-015F.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-015F.jpg : Q30lsldxJoudresxAaaqpcawXc (7628 bytes, MD5 609B8A920DD575F1ED7C231BF07F1A7A) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-016F.JPG : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\MVC-016F.JPG : Q30lsldxJoudresxAaaqpcawXc (2428 bytes, MD5 4FDCD558D0CAF259E1BEB811A715357C) C:\Documents and Settings\Gateway\My Documents\My Pictures\new2.bmp : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 
D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\new2.bmp : Q30lsldxJoudresxAaaqpcawXc (1232 bytes, MD5 F7AD3183E5D0E6E8C71ECE0CCC414E51) C:\Documents and Settings\Gateway\My Documents\My Pictures\Okay1... We apologize!.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Okay1... We apologize!.jpg : Q30lsldxJoudresxAaaqpcawXc (5992 bytes, MD5 B93484C77723AF9581EC3B79C7F3AF25) C:\Documents and Settings\Gateway\My Documents\My Pictures\Pumpkin.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Pumpkin.jpg : Q30lsldxJoudresxAaaqpcawXc (10176 bytes, MD5 5E583E3DFB3C30DFB8407F0501C10A03) C:\Documents and Settings\Gateway\My Documents\My Pictures\Rooster.bmp : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Rooster.bmp : Q30lsldxJoudresxAaaqpcawXc (6440 bytes, MD5 1E049495CDE836FB5705CD05CCA53AB8) C:\Documents and Settings\Gateway\My Documents\My Pictures\Sample.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Sample.jpg : Q30lsldxJoudresxAaaqpcawXc (4592 bytes, MD5 4D0849DE8B99F3AFE5F15F1A5A6A9C69) C:\Documents and Settings\Gateway\My Documents\My Pictures\supplychain.gif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\supplychain.gif : Q30lsldxJoudresxAaaqpcawXc (6116 bytes, MD5 57A031FEC9D54F9C6A594668A738596F) C:\Documents and Settings\Gateway\My Documents\My Pictures\teamwork.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My 
Pictures\teamwork.jpg : Q30lsldxJoudresxAaaqpcawXc (6904 bytes, MD5 61E928D6FB37D3F15DA849F250B81F82) C:\Documents and Settings\Gateway\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\tt.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\tt.jpg : Q30lsldxJoudresxAaaqpcawXc (8396 bytes, MD5 0CD3386FE2A44354DF6B31660A6FA2F4) C:\Documents and Settings\Gateway\My Documents\My Pictures\Womandri.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Womandri.jpg : Q30lsldxJoudresxAaaqpcawXc (6932 bytes, MD5 5452F38AF0969ADE050FF488E4AE26F2) C:\Documents and Settings\Gateway\My Documents\My Pictures\Worldsworsthuntingdog.jpg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Documents and Settings\Gateway\My Documents\My Pictures\Worldsworsthuntingdog.jpg : Q30lsldxJoudresxAaaqpcawXc (6196 bytes, MD5 420BE1D8C879A0EB545664F0F64CB450) C:\Documents and Settings\Gateway\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\My Download Files\images\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Program Files\ICQ\Received Files\Captain Ahab\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\Program Files\mcafee.com\MPS\Images\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) C:\WINNT\MedCtrOC.log : ajcro (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) C:\WINNT\MF_C421.lfa : tjvwi (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) C:\WINNT\MozillaUninstall.exe : lkgkk (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14) C:\WINNT\MSOPrefs.232 : wmruh (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F) C:\WINNT\PCS6.LIC : ufvsu (56832 bytes, 
MD5 97D38F0B73B2ACB62F17955F1CE66B1F) C:\WINNT\PCSPATS.DAT : vkwmo (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) C:\WINNT\Prairie Wind.bmp : olgzq (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54) C:\WINNT\QTFont.for : gmzel (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14) C:\WINNT\QTW.INI : fsgtw (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) C:\WINNT\QTW.INI : rmskn (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F) C:\WINNT\RESULT.QTW : qmrms (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14) C:\WINNT\setupact.log : woskb (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F) C:\WINNT\SYSINI.QTW : uajmb (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54) C:\WINNT\tl32v20.dll : mturv (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14) C:\WINNT\tsoc.log : tlfgu (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) C:\WINNT\twain.dll : eumxx (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F) C:\WINNT\twunk_16.exe : lmxmw (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54) C:\WINNT\uninstall-temp.exe : wnaek (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54) C:\WINNT\Webshots.scr : pgwkc (11388 bytes, MD5 67AAB077A24C5C189EB6265910922C54) C:\WINNT\wiadebug.log : hhhpe (3063 bytes, MD5 D4EE4258D1CD45D155A4462F95CF8D14) C:\WINNT\win.002 : aizcy (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F) Step 3 I'll post the results of McAfee when they are complete. I have set it to scan 'my computer' and have set it to scan for everything that it can scan for. Sometimes I get a complete scan and sometimes I don't and I have no idea why that is. Do you want me to allow it to clean as it finds poroblems? Step 4 I turned off system restore as soon as I realized there was a problem with the computer Step 5 I'll scan with HJT as soon as McAfee is done.

#73 calicocat

calicocat

    Authentic Member

  • Authentic Member
  • PipPip
  • 50 posts

Posted 27 September 2004 - 10:02 AM

McAfee found no infected files.

Here is the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:51:04 AM, on 9/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Webshots\WebshotsTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-Aware\Ad-watch.exe /min
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{11E4B354-2AC4-4F60-BEB9-A9E59ED71D86}: NameServer = 24.153.22.195

#74 dgosling

dgosling

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 2,499 posts

Posted 27 September 2004 - 10:05 AM

The infected files often change names when you reboot a computer. To determine what is bad in the ADS scans, they have to be done back-to-back without a REBOOT between scans. Please do not have McAfee fix them, because as far as I know McAfee is incapable of cleaning the bad ADS but will probably delete the file. I do not need an AV scan at this time; it can only complicate things. Please just use McAfee to scan for ADS.
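The two things this exchange turns on are telling Explorer's own streams apart from the planted ones in a listing like the one posted above, and comparing two back-to-back scans by payload hash rather than by stream name, since the names change. Here is an added Python example that does both; it is not the poster's tool output and not part of any tool named in the thread. It assumes that the three stream names Windows Explorer writes on its own ({4c8cc155-6c1e-11d1-8e41-00c04fb9386d}, Q30lsldxJoudresxAaaqpcawXc and encryptable) are benign, and the two sample listings are constructed in the post's format rather than taken from a real machine.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One entry of the listing: "<path> : <stream> (<n> bytes, MD5 <hex>)".
# The listing was pasted as a single run-on block, so the parser scans the
# whole text with finditer instead of expecting one entry per line.
ENTRY_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?) : (?P<stream>\S+) "
    r"\((?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\)"
)

# Streams Windows Explorer writes on its own (assumed benign here): the
# SummaryInformation property set, the XP thumbnail stream, and the
# "encryptable" marker on Thumbs.db.
BENIGN_STREAMS = {
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",
    "Q30lsldxJoudresxAaaqpcawXc",
    "encryptable",
}
MD5_EMPTY = "D41D8CD98F00B204E9800998ECF8427E"  # MD5 of zero bytes


class Ads(NamedTuple):
    path: str
    stream: str
    size: int
    md5: str


def parse_ads_log(text: str) -> List[Ads]:
    """Extract every "<path> : <stream> (<n> bytes, MD5 <hex>)" entry."""
    return [Ads(m["path"], m["stream"], int(m["size"]), m["md5"].upper())
            for m in ENTRY_RE.finditer(text)]


def suspicious(entries: List[Ads]) -> List[Ads]:
    """Drop Explorer's own streams and empty ones; what is left needs a look."""
    return [e for e in entries
            if e.stream not in BENIGN_STREAMS and e.md5 != MD5_EMPTY]


def cluster_by_payload(entries: List[Ads]) -> Dict[str, List[Ads]]:
    """Group the suspicious streams by MD5. One payload stored under many
    random stream names on many unrelated host files is the pattern to spot."""
    groups: Dict[str, List[Ads]] = defaultdict(list)
    for e in suspicious(entries):
        groups[e.md5].append(e)
    return dict(groups)


def diff_scans(before: List[Ads], after: List[Ads]) -> Dict[str, list]:
    """Compare two back-to-back scans keyed on (host file, payload MD5), not
    on the stream name, so a renamed stream is reported as 'renamed' rather
    than as one infection removed and another added."""
    b = {(e.path, e.md5): e for e in suspicious(before)}
    a = {(e.path, e.md5): e for e in suspicious(after)}
    out: Dict[str, list] = {"unchanged": [], "renamed": [], "added": [], "removed": []}
    for key, e in a.items():
        if key not in b:
            out["added"].append(e)
        elif b[key].stream != e.stream:
            out["renamed"].append((b[key].stream, e))
        else:
            out["unchanged"].append(e)
    out["removed"] = [e for key, e in b.items() if key not in a]
    return out


# Constructed sample in the post's format (not a real machine): two ordinary
# image streams, a Thumbs.db marker, and three WINNT files that all carry the
# same 11591-byte payload under random five-letter stream names.
SCAN_1 = (
    r"C:\Documents and Settings\Gateway\My Documents\My Pictures\Goose.bmp : "
    r"{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) "
    r"C:\Documents and Settings\Gateway\My Documents\My Pictures\Goose.bmp : "
    r"Q30lsldxJoudresxAaaqpcawXc (1808 bytes, MD5 EF42CFB7730D8A7F50DD166D6130DABA) "
    r"C:\Documents and Settings\Gateway\Thumbs.db : encryptable (0 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E) "
    r"C:\WINNT\MedCtrOC.log : ajcro (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) "
    r"C:\WINNT\PCSPATS.DAT : vkwmo (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) "
    r"C:\WINNT\tsoc.log : tlfgu (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412)"
)
# A second (constructed) pass minutes later with no reboot: one stream has
# been renamed, one host file is clean, and a new host carries a different
# payload.
SCAN_2 = (
    r"C:\WINNT\MedCtrOC.log : qzpla (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) "
    r"C:\WINNT\PCSPATS.DAT : vkwmo (11591 bytes, MD5 7574ECEBED42A2C540F7C82B27615412) "
    r"C:\WINNT\win.002 : aizcy (56832 bytes, MD5 97D38F0B73B2ACB62F17955F1CE66B1F)"
)

if __name__ == "__main__":
    first = parse_ads_log(SCAN_1)
    for md5, hosts in cluster_by_payload(first).items():
        print(f"payload {md5} on {len(hosts)} host file(s):")
        for e in hosts:
            print(f"  {e.path} : {e.stream} ({e.size} bytes)")
    for kind, items in diff_scans(first, parse_ads_log(SCAN_2)).items():
        print(f"{kind}: {len(items)}")
```

Keying the diff on the host path plus payload hash is what makes the "no reboot between scans" advice mechanical: a stream that only changed its name shows up as renamed, and anything that appears as added after a reboot is a genuinely new write rather than the same payload under a fresh name.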

#75 calicocat

calicocat

    Authentic Member

  • Authentic Member
  • PipPip
  • 50 posts

Posted 27 September 2004 - 03:03 PM

I cannot configure McAfee to specifically search for ADSs. How it picked them up the last time I do not know. My McAfee is online and I have no idea how to set it up to scan for anything specific. The closest that I can see is the 'scan for potentially unwanted programs (detect spyware, adware, dialers and other programs)'. This morning's scan showed no infections.
