
Need help, thank you [RESOLVED]



#16 Dillan (Topic Starter, Member, 35 posts)
Here's the Spy Sweeper log:

********
8:31 PM: | Start of Session, Sunday, February 19, 2006 |
8:31 PM: Spy Sweeper started
8:31 PM: Sweep initiated using definitions version 617
8:31 PM: Starting Memory Sweep
8:33 PM: Memory Sweep Complete, Elapsed Time: 00:01:46
8:33 PM: Starting Registry Sweep
8:33 PM: Found Adware: exact cashback/bargain buddy
8:33 PM: HKCR\adp.urlcatcher\ (3 subtraces) (ID = 104001)
8:33 PM: Found Adware: exact navisearch
8:33 PM: HKCR\adp.urlcatcher\ (3 subtraces) (ID = 104001)
8:33 PM: Found Adware: exact bullseye
8:33 PM: HKCR\adp.urlcatcher\ (3 subtraces) (ID = 104001)
8:33 PM: HKLM\software\classes\adp.urlcatcher\ (3 subtraces) (ID = 104013)
8:33 PM: HKLM\software\classes\adp.urlcatcher\ (3 subtraces) (ID = 104013)
8:33 PM: Found Adware: begin2search
8:33 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
8:33 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
8:33 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
8:33 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
8:33 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
8:33 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
8:33 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
8:33 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
8:33 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
8:33 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
8:33 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
8:33 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
8:33 PM: Found Adware: blazefind
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/admilliservx.dll\ (ID = 104525)
8:33 PM: Found Adware: linkmaker
8:33 PM: HKLM\software\classes\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129743)
8:33 PM: HKCR\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129750)
8:33 PM: HKCR\adp.urlcatcher.1\ (3 subtraces) (ID = 135552)
8:33 PM: Found Adware: shopathomeselect
8:33 PM: HKLM\software\ || test (ID = 141678)
8:33 PM: Found Adware: websearch toolbar
8:33 PM: HKLM\software\classes\wtoolsb.resprotocol\ (3 subtraces) (ID = 146451)
8:33 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
8:33 PM: HKCR\wtoolsb.resprotocol\ (3 subtraces) (ID = 146541)
8:33 PM: Found Adware: winad
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
8:33 PM: Found Adware: ist software
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
8:33 PM: Found Adware: quicklink search toolbar
8:33 PM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359443)
8:33 PM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359446)
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall6.dll\ (2 subtraces) (ID = 509618)
8:33 PM: Found Adware: winantispyware 2005
8:33 PM: HKCR\appid\checkproduct2.dll\ (1 subtraces) (ID = 527632)
8:33 PM: HKCR\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 527648)
8:33 PM: HKCR\interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}\ (8 subtraces) (ID = 527937)
8:33 PM: HKCR\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}\ (9 subtraces) (ID = 528091)
8:33 PM: HKLM\software\classes\appid\checkproduct2.dll\ (1 subtraces) (ID = 528341)
8:33 PM: HKLM\software\classes\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 528357)
8:33 PM: HKLM\software\classes\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}\ (9 subtraces) (ID = 528800)
8:33 PM: HKLM\software\classes\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 543259)
8:33 PM: Found Adware: cas
8:33 PM: HKCR\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609381)
8:33 PM: HKLM\software\classes\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609547)
8:33 PM: Found Adware: visfx
8:33 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
8:33 PM: Found Adware: safesurf
8:33 PM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
8:33 PM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
8:33 PM: HKLM\software\picshow\ (33 subtraces) (ID = 730989)
8:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
8:33 PM: Found Adware: ezula ilookup
8:33 PM: HKCR\interface\{5679b16c-cd3a-471f-a503-25c528a3ad26}\ (8 subtraces) (ID = 819134)
8:33 PM: HKCR\interface\{89e9f6cf-6f80-4c5e-b8e8-78e5a6b5d3bf}\ (8 subtraces) (ID = 819143)
8:33 PM: HKLM\software\classes\interface\{5679b16c-cd3a-471f-a503-25c528a3ad26}\ (8 subtraces) (ID = 819267)
8:33 PM: HKLM\software\classes\interface\{89e9f6cf-6f80-4c5e-b8e8-78e5a6b5d3bf}\ (8 subtraces) (ID = 819276)
8:33 PM: HKCR\clsid\{724d478a-2bd0-4db4-ae42-288b1e346ef7}\ (4 subtraces) (ID = 820366)
8:33 PM: HKCR\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820387)
8:33 PM: HKCR\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820397)
8:33 PM: HKLM\software\italmanager\ (33 subtraces) (ID = 820452)
8:33 PM: HKLM\software\classes\clsid\{724d478a-2bd0-4db4-ae42-288b1e346ef7}\ (4 subtraces) (ID = 820519)
8:33 PM: HKLM\software\classes\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820540)
8:33 PM: HKLM\software\classes\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820550)
8:33 PM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ichckupd.exe\ (1 subtraces) (ID = 820614)
8:33 PM: Found Adware: adcom
8:33 PM: HKCR\appid\adcom.dll\ (1 subtraces) (ID = 861200)
8:33 PM: HKCR\appid\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (1 subtraces) (ID = 861202)
8:33 PM: HKCR\typelib\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (9 subtraces) (ID = 861421)
8:33 PM: HKLM\software\classes\appid\adcom.dll\ (1 subtraces) (ID = 861539)
8:33 PM: HKLM\software\classes\appid\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (1 subtraces) (ID = 861541)
8:33 PM: HKLM\software\classes\typelib\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (9 subtraces) (ID = 861765)
8:33 PM: HKCR\appid\main.dll\ || appid (ID = 889946)
8:33 PM: HKLM\software\classes\appid\main.dll\ || appid (ID = 889947)
8:33 PM: HKCR\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926753)
8:33 PM: HKLM\software\classes\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926787)
8:33 PM: Found Adware: searchtoolbar
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\search toolbar\ (8 subtraces) (ID = 141344)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\microsoft\internet explorer\menuext\power search\ (2 subtraces) (ID = 146458)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\msietslink\ (27 subtraces) (ID = 146512)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\toolbar\ (15 subtraces) (ID = 146513)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\wintools\ (11 subtraces) (ID = 146514)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\toolbar\ (15 subtraces) (ID = 646239)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\wintools\ (11 subtraces) (ID = 646241)
8:33 PM: Found Adware: mindset interactive - favoriteman
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1008\software\microsoft\windows\ || server (ID = 1025299)
8:33 PM: Found Adware: drsnsrch.com hijack
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
8:33 PM: Found Adware: search fast communicator toolbar
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\communicator toolbar\ (9 subtraces) (ID = 140688)
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\adcom\ (3 subtraces) (ID = 861431)
8:33 PM: Found Trojan Horse: trojan-downloader-pacisoft
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\apd123\ (12 subtraces) (ID = 861435)
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\cas2\ (9 subtraces) (ID = 862278)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\search toolbar\ (4 subtraces) (ID = 141344)
8:33 PM: Found Adware: surfsidekick
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\surfsidekick3\ (3 subtraces) (ID = 143412)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\microsoft\windows\currentversion\run\ || wintools (ID = 146484)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\msietslink\ (22 subtraces) (ID = 146512)
8:33 PM: HKU\WRSS_Profile_S-1-5-21-2368092398-3236749464-4268638850-1006\software\adcom\ (3 subtraces) (ID = 861431)
8:33 PM: Registry Sweep Complete, Elapsed Time:00:00:23
8:33 PM: Starting Cookie Sweep
8:33 PM: Found Spy Cookie: realmedia cookie
8:33 PM: mary betts@realmedia[1].txt (ID = 3235)
8:33 PM: Found Spy Cookie: hbmediapro cookie
8:33 PM: brooks [email protected][2].txt (ID = 2768)
8:33 PM: Found Spy Cookie: ask cookie
8:33 PM: brooks betts@ask[1].txt (ID = 2245)
8:33 PM: Found Spy Cookie: atwola cookie
8:33 PM: brooks betts@atwola[1].txt (ID = 2255)
8:33 PM: Found Spy Cookie: directtrack cookie
8:33 PM: brooks betts@directtrack[1].txt (ID = 2527)
8:33 PM: Found Spy Cookie: exitexchange cookie
8:33 PM: brooks betts@exitexchange[1].txt (ID = 2633)
8:33 PM: Found Spy Cookie: clickandtrack cookie
8:33 PM: brooks [email protected][2].txt (ID = 2397)
8:33 PM: brooks [email protected][2].txt (ID = 2528)
8:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:33 PM: Starting File Sweep
8:33 PM: c:\program files\fcengine (3 subtraces) (ID = -2147471607)
8:45 PM: plugin.dll (ID = 154761)
8:46 PM: sskknwrd.dll (ID = 77733)
8:46 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\safemode.htt". The system cannot find the file specified
8:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\greenshd.gif". The system cannot find the file specified
8:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\xpblkpop.wav". The system cannot find the file specified
8:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\xpinfbar.wav". The system cannot find the file specified
8:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\type.wav". The system cannot find the file specified
8:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\newemail.wav". The system cannot find the file specified
8:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\lvback.gif". The system cannot find the file specified
8:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\logowin.gif". The system cannot find the file specified
8:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0014.asp". The system cannot find the file specified
8:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0002.asp". The system cannot find the file specified
8:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\news.png". The system cannot find the file specified
8:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\redshd.gif". The system cannot find the file specified
8:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\update.url". The system cannot find the path specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\newalert.wav". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\online.wav". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\page1.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0007.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0010.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0005.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0004.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0006.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0001.asp". The system cannot find the file specified
8:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\ipp_0013.asp". The system cannot find the file specified
8:54 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\paint.png". The system cannot find the file specified
8:57 PM: grinstall.inf (ID = 75773)
8:57 PM: ba4b9463-5e98-4c07-bbdf-6b3444 (ID = 87862)
8:57 PM: 973876e5-e1aa-4683-8452-701cad (ID = 87861)
8:57 PM: a11cfa2d-d8bf-4875-b0a3-f44287 (ID = 87860)
8:57 PM: Found System Monitor: potentially rootkit-masked files
8:57 PM: mnmmup.sys (ID = 0)
8:57 PM: certs.db (ID = 0)
8:57 PM: keys.db (ID = 0)
8:57 PM: keys.db (ID = 0)
8:57 PM: certs.db (ID = 0)
8:57 PM: secmods.db (ID = 0)
8:57 PM: log.0000000001 (ID = 0)
8:57 PM: __db.004 (ID = 0)
8:57 PM: __db.001 (ID = 0)
8:57 PM: secmods.db (ID = 0)
8:57 PM: __db.004 (ID = 0)
8:57 PM: __db.001 (ID = 0)
8:57 PM: keys.db (ID = 0)
8:57 PM: certs.db (ID = 0)
8:57 PM: secmods.db (ID = 0)
8:57 PM: log.0000000001 (ID = 0)
8:57 PM: __db.003 (ID = 0)
8:58 PM: __db.003 (ID = 0)
8:58 PM: __db.002 (ID = 0)
8:58 PM: __db.002 (ID = 0)
8:58 PM: __db.001 (ID = 0)
8:58 PM: __db.004 (ID = 0)
8:58 PM: log.0000000001 (ID = 0)
8:58 PM: __db.003 (ID = 0)
8:58 PM: __db.002 (ID = 0)
8:59 PM: File Sweep Complete, Elapsed Time: 00:25:20
8:59 PM: Full Sweep has completed. Elapsed time 00:27:40
8:59 PM: Traces Found: 703
9:47 PM: Removal process initiated
9:47 PM: Quarantining All Traces: potentially rootkit-masked files
9:47 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
9:47 PM: mnmmup.sys is in use. It will be removed on reboot.
9:47 PM: Quarantining All Traces: visfx
9:47 PM: Quarantining All Traces: websearch toolbar
9:47 PM: Quarantining All Traces: begin2search
9:47 PM: Quarantining All Traces: blazefind
9:47 PM: Quarantining All Traces: cas
9:47 PM: Quarantining All Traces: mindset interactive - favoriteman
9:47 PM: Quarantining All Traces: quicklink search toolbar
9:47 PM: Quarantining All Traces: surfsidekick
9:47 PM: Quarantining All Traces: trojan-downloader-pacisoft
9:47 PM: Quarantining All Traces: winad
9:47 PM: Quarantining All Traces: adcom
9:47 PM: Quarantining All Traces: drsnsrch.com hijack
9:47 PM: Quarantining All Traces: exact bullseye
9:47 PM: Quarantining All Traces: exact cashback/bargain buddy
9:47 PM: Quarantining All Traces: exact navisearch
9:47 PM: Quarantining All Traces: ezula ilookup
9:47 PM: Quarantining All Traces: ist software
9:47 PM: Quarantining All Traces: linkmaker
9:47 PM: Quarantining All Traces: safesurf
9:47 PM: Quarantining All Traces: search fast communicator toolbar
9:47 PM: Quarantining All Traces: searchtoolbar
9:47 PM: Quarantining All Traces: shopathomeselect
9:47 PM: Quarantining All Traces: ask cookie
9:47 PM: Quarantining All Traces: atwola cookie
9:47 PM: Quarantining All Traces: clickandtrack cookie
9:47 PM: Quarantining All Traces: directtrack cookie
9:47 PM: Quarantining All Traces: exitexchange cookie
9:47 PM: Quarantining All Traces: hbmediapro cookie
9:47 PM: Quarantining All Traces: realmedia cookie
9:47 PM: Quarantining All Traces: winantispyware 2005
9:48 PM: Removal process completed. Elapsed time 00:01:12
********
8:28 PM: | Start of Session, Sunday, February 19, 2006 |
8:28 PM: Spy Sweeper started
8:29 PM: Your spyware definitions have been updated.
8:31 PM: | End of Session, Sunday, February 19, 2006 |
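
As an added example, not part of the original thread: a small Python parser for the Spy Sweeper log format above. It groups each trace line under the "Found <category>: <name>" heading that precedes it and pulls out exactly what the next reply acts on, the "potentially rootkit-masked files" entries and the items Spy Sweeper could not remove until reboot. The log excerpt inside it is constructed from lines of the posted log; the function and bucket names are this example's own.

```python
import re

# Constructed excerpt modelled on the Spy Sweeper session log posted above;
# the real log has several hundred trace lines in the same format.
SAMPLE_LOG = r"""
8:31 PM: | Start of Session, Sunday, February 19, 2006 |
8:33 PM: Starting Registry Sweep
8:33 PM: Found Adware: exact navisearch
8:33 PM: HKCR\adp.urlcatcher\ (3 subtraces) (ID = 104001)
8:33 PM: Found Trojan Horse: trojan-downloader-pacisoft
8:33 PM: HKU\S-1-5-21-2368092398-3236749464-4268638850-1007\software\apd123\ (12 subtraces) (ID = 861435)
8:33 PM: Starting File Sweep
8:33 PM: c:\program files\fcengine (3 subtraces) (ID = -2147471607)
8:57 PM: Found System Monitor: potentially rootkit-masked files
8:57 PM: mnmmup.sys (ID = 0)
8:57 PM: certs.db (ID = 0)
8:59 PM: Traces Found: 703
9:47 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
9:47 PM: mnmmup.sys is in use. It will be removed on reboot.
"""

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")
SWEEP_RE = re.compile(r"^Starting (.+) Sweep$")
FOUND_RE = re.compile(r"^Found ([^:]+): (.+)$")
TRACE_RE = re.compile(r"^(.*?) (?:\((\d+) subtraces\) )?\(ID = (-?\d+)\)$")
INUSE_RE = re.compile(r"^(.+) is in use\. It will be removed on reboot\.$")


def parse_sweep(text):
    """Group trace lines under the preceding 'Found <category>: <name>' heading.
    Returns (detections, deferred): detections maps (category, name) -> traces,
    deferred lists files the remover could not touch until reboot."""
    detections, deferred, current = {}, [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        sweep = SWEEP_RE.match(msg)
        if sweep:
            # New sweep phase: traces logged before the next 'Found' heading
            # belong to no named detection, so bucket them separately.
            current = ("Unattributed", sweep.group(1) + " Sweep")
            continue
        found = FOUND_RE.match(msg)
        if found:
            current = (found.group(1), found.group(2))
            detections.setdefault(current, [])
            continue
        inuse = INUSE_RE.match(msg)
        if inuse:
            # The group heading is reported 'in use' too; keep only real files.
            if inuse.group(1) not in {name for _, name in detections}:
                deferred.append(inuse.group(1))
            continue
        trace = TRACE_RE.match(msg)
        if trace and current is not None:
            detections.setdefault(current, []).append({
                "location": trace.group(1),
                "subtraces": int(trace.group(2) or 0),
                "id": int(trace.group(3)),
            })
    return detections, deferred


def summarize(detections):
    """Trace count per category (Adware, Trojan Horse, System Monitor, ...)."""
    counts = {}
    for (category, _name), traces in detections.items():
        counts[category] = counts.get(category, 0) + len(traces)
    return counts


def rootkit_followup(detections, deferred):
    """Rootkit-masked files plus removals deferred to reboot: while either list
    is non-empty the host is not clean until a dedicated rootkit scan passes."""
    masked = []
    for (category, name), traces in detections.items():
        if category == "System Monitor" and "rootkit" in name:
            masked.extend(t["location"] for t in traces)
    return {"masked_files": masked, "deferred_removals": list(deferred)}
```

Run against the full posted log, the same two functions give the per-category totals and the list that justifies the RootkitRevealer request in the next reply.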
#17 Kat (Retired Staff, MVP, 19,711 posts)
Looks like SpySweeper found traces of a rootkit. We need to run a rootkit scan to be certain there isn't still one on there. :tazz:

It is VERY important to not be surfing online or anything else while this scan runs. Please have nothing else open/running on the pc while this works.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


#18 Dillan (Topic Starter, Member, 35 posts)
Ok here is the report of RootkitRevealer:

HKLM\S-1-5-21-2368092398-3236749464-4268638850-1007\RemoteAccess\InternetProfile 2/20/2005 7:48 PM 9 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 5/29/2004 8:31 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 2/20/2006 2:09 PM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Dillan Betts\Local Settings\Temporary Internet Files\Content.IE5\ALN4T4ZM\news[1].:tazz: 9/25/2004 7:43 PM 21.66 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.ci 2/20/2006 2:17 PM 48.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.dir 2/20/2006 2:17 PM 569 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.ci 2/20/2006 2:28 PM 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.dir 2/20/2006 2:28 PM 340 bytes Hidden from Windows API.
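
An added example (not from the thread or from Sysinternals): a Python triage pass over RootkitRevealer's one-line-per-discrepancy output, sorting each entry by location into the buckets that the reply below treats as benign (browser cache, System Restore data, registry values that changed between reads) and leaving anything else for review. The sample lines are constructed in the posted report's shape, with a made-up user name, cache file name and a final entry that stands in for a non-benign finding; the bucket names and next-step text are this example's own reading of the responder's advice.

```python
import re

# Constructed sample in RootkitRevealer's one-line-per-discrepancy format,
# modelled on the report posted above. The user name, cache file name and
# the final line are made up; that last line stands in for a finding that
# none of the benign explanations below covers.
SAMPLE_RR = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 5/29/2004 8:31 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 2/20/2006 2:09 PM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ALN4T4ZM\page[1].htm 9/25/2004 7:43 PM 21.66 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.ci 2/20/2006 2:17 PM 48.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\constructed_example.sys 2/19/2006 8:57 PM 12.50 KB Hidden from Windows API.
"""

RR_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}

# Location tests, checked in order, with the cleanup step from the reply that
# follows in the thread. The mapping is this example's reading of that advice,
# not anything RootkitRevealer itself reports.
BUCKETS = [
    ("browser-cache",
     lambda p: "\\temporary internet files\\" in p,
     "emptied by the temporary-file cleaner (ATF Cleaner step)"),
    ("restore-point-data",
     lambda p: p.startswith("c:\\system volume information\\"),
     "discarded when System Restore is turned off and back on"),
    ("registry-mismatch",
     lambda p: p.startswith(("hklm\\", "hkcu\\", "hku\\", "hkcr\\")),
     "value changed between the API read and the raw hive read; confirm the key is expected"),
]


def parse_rr(text):
    """Parse RootkitRevealer lines into dicts, normalising the size to bytes."""
    entries = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "when": m["date"] + " " + m["time"],
            "size_bytes": round(float(m["size"]) * UNIT[m["unit"]]),
            "discrepancy": m["desc"],
        })
    return entries


def triage(text):
    """Attach a bucket and next step to each discrepancy; anything no benign
    location explains lands in 'review'."""
    entries = parse_rr(text)
    for entry in entries:
        path = entry["path"].lower()
        entry["bucket"] = "review"
        entry["next_step"] = "not explained by the cleanup steps; investigate"
        for name, matches, step in BUCKETS:
            if matches(path):
                entry["bucket"], entry["next_step"] = name, step
                break
    return entries


def needs_review(text):
    """Paths left after the benign filters, i.e. what a responder would chase."""
    return [e["path"] for e in triage(text) if e["bucket"] == "review"]
```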

#19 Kat (Retired Staff, MVP, 19,711 posts)
Those are easily taken care of! :tazz:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Now let's reset your system restore and get you a clean restore point:

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


After you have done these, please let me know how everything is running now, and any other trouble you may be having (if any).

#20 Dillan (Topic Starter, Member, 35 posts)
Well, I'm happy to say that everything is totally cleaned up thanks to you. Thanks for all the help, I thought it was going to be impossible to find help for this but I was wrong. And now I'll be going to the Tutorials in GeekU to learn more before I do practice log 1.

#21 Kat (Retired Staff, MVP, 19,711 posts)
I'm glad everything is working well. I'm sorry that we ended up having to use so many different tools. Sometimes, we can use only manual fixes to remove things. Sometimes, one scan is enough to unearth the problems for us. In this case, you had several different things hiding on that system that each scan found different traces of. The good news is that you ARE good and clean. Now...let's make sure you stay that way! :)

Congratulations! Your log is now clean! :tazz:

Here are some items that you will want to add to your to-do list:

These are some tips to reduce the potential for Spyware/Adware/Virus infection in the future:
I would strongly recommend reviewing and installing the following applications if you don't currently have them running on your system:

Use Anti-Virus Software
It is very important that your computer has Anti-Virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone Anti-Virus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software
It is imperative that you update your Anti-Virus software at least once a week (even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Spyware/Adware Detection and Removal Programs:
Understanding Spyware, Browser Hijackers, and Dialers
  • Ad-Aware SE
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Ad-Aware SE:
    How to use Ad-Aware SE to remove Spyware
  • Spybot S&D
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Spybot S&D:
    How to use Spybot to remove Spyware
I strongly recommend using both of these programs to catch most spyware/adware.

Prevention Programs:
  • SpywareBlaster -- SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard -- SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad -- IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts File -- The MVPS Hosts File replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar -- Get the free Google Toolbar to help stop pop up windows.
Other Necessary Programs:
  • A More Secure Browser
    Internet Explorer is not the most secure and best browser.
    There are safer and better alternatives available. I recommend using Firefox
Be sure to also keep up with Windows and IE updates.

Windows Security and Critical Updates
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer Security and Critical Updates
http://www.microsoft.com/windows/ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place?

Update all these Programs Regularly:
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

______________________________________________________

See you in GeekU! :)

#22 Kat (Retired Staff, MVP, 19,711 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.