Please help me decipher my Hijack This Log (RESOLVED)

  1. #1
    Ria (Newbie)

    Hi,

    We have broadband internet connection that gets high usage between me, my husband & our children. We have Norton Internet Security installed, as well as Ad-aware & Spybot Search & Destroy.

    Recently we've developed a problem with some sort of malignant file -- whenever the parental controls are disabled we receive constant messages from Norton that a "Remote System is trying to access our computer" -- this is very disruptive. I've run a full system scan with the antivirus, deleted a number of adware files and quarantined 4 that wouldn't let me delete them. I have also run Ad-aware & Spybot, fixing the problems picked up by them.

    Unfortunately, the messages continue to occur - again only when the parental controls are disabled. I've now run Hijack This but do not know enough about computers to know which entries to pay attention to. If someone could read my log file & point me in the right direction, I would be most appreciative. It follows: -

    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:19 AM, on 16/03/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Plaxo\2.3.4.2\InstallStub.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\webshots.scr
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\Brian Vining\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.qut.edu.au:3128
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.3.4.2\InstallStub.exe -a
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\asnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c3.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.14/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

    Thanking you in advance.


  2. #2
    VopThis (Senior Member, Canada)
    Logfile of HijackThis v1.97.7
    You are running an outdated version of HJT. Latest version is 1.99.1.

    Please read over all instruction here and load the latest HJT tool to the recommended FOLDER area:
    http://www.d-a-l.com/help/showthread.php?t=32403


    You can THEN fix the following items in HJT for now.


    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    R3 - Default URLSearchHook is missing

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
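As an added example (not part of this thread, and not HijackThis's own code), the following Python script parses the O16 and O10 lines of an HJT log like the one above, flags O16 download hosts that are not on an assumed allowlist of vendors the poster knowingly uses, and counts repeated Winsock LSP registrations; run over the thread's own O16 lines it selects the same four entries VopThis lists.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the forum thread or of HijackThis itself. It
parses O16 (Downloaded Program Files / ActiveX) and O10 (Winsock LSP) lines
from an HJT log, flags O16 entries whose download host is not on a small
allowlist, and counts how often each LSP DLL is registered. The allowlist
is a constructed assumption for this walkthrough.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: vendors the thread's poster knowingly installs from.
KNOWN_HOSTS = {
    "www.symantec.com", "office.microsoft.com", "www.plaxo.com",
    "fpdownload.macromedia.com", "download.macromedia.com",
    "www.miniclip.com", "download.toontown.com",
}

# O16 lines look like: O16 - DPF: {CLSID} (Friendly Name) - http://host/file.cab
# The friendly name is optional; HJT omits it for unregistered controls.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*"
    r"(?:\((?P<name>[^)]*)\))?\s*- (?P<url>\S+)$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")


def parse_o16(line):
    """Return a dict for an O16 line, or None if the line is not O16."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    return {
        "clsid": m.group("clsid").upper(),
        "name": m.group("name") or "(no name)",
        "url": url,
        "host": (urlparse(url).hostname or "").lower(),
    }


def triage(log_text, known_hosts=KNOWN_HOSTS):
    """Return (flagged_o16, lsp_counts).

    flagged_o16: O16 records whose host is not allowlisted, in log order.
    lsp_counts:  {lowercased dll path: number of O10 lines naming it}.
    """
    flagged, lsp_counts = [], {}
    for raw in log_text.splitlines():
        rec = parse_o16(raw)
        if rec is not None:
            if rec["host"] not in known_hosts:
                flagged.append(rec)
            continue
        m = O10_RE.match(raw.strip())
        if m:
            path = m.group("path").strip().lower()
            lsp_counts[path] = lsp_counts.get(path, 0) + 1
    return flagged, lsp_counts


# Sample input: a subset of the O10/O16 lines from the first log in the thread.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c3.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.14/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
"""


def flagged_clsids(log_text=SAMPLE_LOG):
    """CLSIDs of flagged O16 entries, ready to be ticked in HJT's fix list."""
    flagged, _ = triage(log_text)
    return [r["clsid"] for r in flagged]


if __name__ == "__main__":
    flagged, lsp = triage(SAMPLE_LOG)
    for r in flagged:
        print(f"FLAG O16 {r['clsid']} {r['name']} <- {r['host']}")
    for path, n in lsp.items():
        print(f"LSP  {path} (x{n})")
```

A host missing from the allowlist is a prompt to look the entry up, not proof of adware; the Aventail LSP DLLs, for instance, belong to a VPN client and are expected to appear several times in the Winsock chain.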

  3. #3
    Ria (Newbie)
    OK ...

    I installed the updated version of HJT, ran a scan & then checked & fixed the items you listed.

    Unfortunately the problem still seems to be occurring.

    I've rerun HJT & my logfile follows: -

    Logfile of HijackThis v1.99.1
    Scan saved at 5:35:20 PM, on 17/03/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Plaxo\2.3.4.2\InstallStub.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\webshots.scr
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.qut.edu.au:3128
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\PROGRA~1\Java\J2RE14~1.2\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.3.4.2\InstallStub.exe -a
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\asnsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\aventail\connect\aslsp.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.14/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe


    Thanks for your help.

  4. #4
    VopThis (Senior Member, Canada)
    Try running the following scans:

    Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.


    REBOOT.


    Please do an online scan (scan only tool) with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        - Extended (if available otherwise Standard)
      • Scan Options:
        - Scan Archives
        - Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

  5. #5
    Ria (Newbie)
    I've installed & run the Ewido trojan scanner -- what a great program!

    Unfortunately I panicked after the scan was partially complete because I realised I'd told the program to "remove" rather than "clean" as you'd stated (of course I realised later it was the same -- but it's late here & my brain was a bit fuzzy), so I stopped the scan & then reran it -- so now I have two logfiles to paste (basically Part 1 & Part 2). Here they are: -

    Part 1

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 12:18:22 AM, 18/03/2006
    + Report-Checksum: 8D0AA50C

    + Scan result:

    HKLM\SOFTWARE\WildMedia -> Adware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\WildMedia\LicenseStores -> Adware.MidAddle : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4235d44a-510debca.zip/BlackBox.class -> Dropper.Beyond.g : Error during cleaning
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-1d23e9f5.zip/Matrix.class -> Downloader.OpenStream.c : Error during cleaning
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@aotgroup.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@download.com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@e-2dj6wjlyoodzsgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@incredifind[2].txt -> TrackingCookie.Incredifind : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@vip2.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@webstat[3].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@www.belstat[3].txt -> TrackingCookie.Belstat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@y-1shz2prbmdj6wvny-1sez2pra2d...mniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe -> Trojan.KillFiles.im : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@cz6.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@cz8.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Local Settings\Temp\Cookies\greg boylan@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup


    ::Report End

    Part 2

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:02:48 AM, 18/03/2006
    + Report-Checksum: AAD5E7CE

    + Scan result:

    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4235d44a-510debca.zip/BlackBox.class -> Dropper.Beyond.g : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188f-1d23e9f5.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup
    C:\Downloads\CoffeeTycoon_Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\GoldMinerJoe-AMSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\LipssySetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\ToEESetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\Tradewinds2Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Program Files\Ahead\Crazy Chewer Demo\setup_incredifind_ArcadeTown.exe -> Downloader.Keenval : Cleaned with backup
    C:\Program Files\Fox Jones Demo\setup_incredifind_ArcadeTown.exe -> Downloader.Keenval : Cleaned with backup
    C:\Program Files\HijackThis\backups\backup-20060317-172831-755.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
    C:\Program Files\Turbo Tanks\setup_incredifind_ArcadeTown.exe -> Downloader.Keenval : Cleaned with backup
    C:\WINNT\Downloaded Program Files\MediaTicketsInstaller.ocx -> Adware.MediaTickets : Cleaned with backup


    ::Report End


    I am now going to reboot as instructed & run the other scan. Will post the results when I have them.
    Thanks again.

  6. #6
    Ria
    Ria is offline Newbie
    It's 2.30 in the morning ... I've just finished running the Kaspersky scan. Here are the results: -

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, March 18, 2006 2:52:52 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 17/03/2006
    Kaspersky Anti-Virus database records: 182959
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 103492
    Number of viruses found: 10
    Number of infected objects: 26
    Number of suspicious objects: 0
    Duration of the scan process: 01:02:42

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3e5ae470-3c43a381.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-293343c1-46acb9d0.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-293343c1-46acb9d0.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-13b40b84-5df44e75.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-13b40b84-5df44e75.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-57a31885-62f0aa91.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-57a31885-62f0aa91.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-6f6c11cb-1b147ad8.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-6f6c11cb-1b147ad8.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7858cb4a-67a4dbc2.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7858cb4a-67a4dbc2.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7dc37009-27fee312.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7dc37009-27fee312.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv201.jar-280e5f12-5325f5cd.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv201.jar-280e5f12-5325f5cd.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-2511140b.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-2511140b.zip ZIP: infected - 1 skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\655273A6 Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6D632BAD Infected: not-a-virus:Dialer.Win32.E-Group.a skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\74AE5B07 Infected: not-a-virus:AdWare.Win32.MediaTickets.d skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75B45A7A Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75B70476 Infected: Trojan-Dropper.Win32.Mudrop.k skipped
    C:\WINNT\mssys.com/DROP.EXE Infected: Trojan-Dropper.DOS.Rute skipped
    C:\WINNT\mssys.com Mail: infected - 1 skipped

    Scan process completed.

    -- that's a lot of stuff, I hope it's fixable. Unfortunately the original problem is still occurring ...

  7. #7
    VopThis is offline Senior Member (Canada)
    Clean out your Norton Quarantine area when appropriate.



    Many of the items Kaspersky found are Java-based items. These should disappear with the use of the following cleaner:

    Please download ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 by Atribune.
    This program is for XP and Windows 2000 only

    It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
      Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
      Click the Empty Selected button.


    Click Exit on the Main menu to close the program.




    Delete the following FOLDER:
    C:\WINNT\mssys.com




    Verify that Kaspersky now runs clean. Please provide any current observations.

  8. #8
    Ria
    Ria is offline Newbie
    Right-o, I cleaned out the Norton Quarantine, downloaded & ran the ATF Cleaner, & deleted the folder you suggested. Sad to say, the problem is still occurring.

    The Kaspersky Log is as follows: -

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, March 20, 2006 2:44:29 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 19/03/2006
    Kaspersky Anti-Virus database records: 182877
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 101304
    Number of viruses found: 8
    Number of infected objects: 23
    Number of suspicious objects: 0
    Duration of the scan process: 01:16:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3e5ae470-3c43a381.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-293343c1-46acb9d0.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-293343c1-46acb9d0.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-13b40b84-5df44e75.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-13b40b84-5df44e75.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-57a31885-62f0aa91.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-57a31885-62f0aa91.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-6f6c11cb-1b147ad8.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-6f6c11cb-1b147ad8.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7858cb4a-67a4dbc2.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7858cb4a-67a4dbc2.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7dc37009-27fee312.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-7dc37009-27fee312.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv201.jar-280e5f12-5325f5cd.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv201.jar-280e5f12-5325f5cd.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-2511140b.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
    C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-2511140b.zip ZIP: infected - 1 skipped
    C:\RECYCLER\S-1-5-21-448539723-1644491937-725345543-1000\Dc2 Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
    C:\RECYCLER\S-1-5-21-448539723-1644491937-725345543-1000\Dc3 Infected: not-a-virus:Dialer.Win32.E-Group.a skipped
    C:\RECYCLER\S-1-5-21-448539723-1644491937-725345543-1000\Dc4 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d skipped
    C:\RECYCLER\S-1-5-21-448539723-1644491937-725345543-1000\Dc5 Infected: Trojan-Dropper.Win32.Mudrop.k skipped

    Scan process completed.

    (since running the scan, I deleted the files from the recycle bin -- these had been put there when I deleted them from quarantine, without emptying the bin)

    The last warning that came up also had "permit" as the default action on the pop-up, rather than "block" -- almost like it's getting more determined ...

    Thanks again for all of your time -- it's sure keeping me up late at night (it's the only time I can get good access)
    Ria
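The following is an added example, not code from the thread or from any of the tools mentioned in it: a small Python parser for the Kaspersky On-line Scanner report format posted above. It groups each finding by the on-disk file that actually holds it and by where that file lives, which is the question the cleanup advice in this thread turns on: objects under the Java deployment cache go away when the Java cache is cleared, objects in the Norton quarantine and the RECYCLER folder are already contained and only need emptying, and whatever is left ("live-filesystem" here) has to be removed by hand. The "skipped" action on every line is the on-line scanner's way of saying it only reports and cleans nothing. The sample report is a constructed subset of the findings above with the forum's line-wrap spaces removed; the category names and the classify() rules are this script's own assumptions, not Kaspersky's.

```python
"""Triage a Kaspersky On-line Scanner report by where each finding lives.

Added example, not a tool from the thread. The line format
("<path> Infected: <name> <action>" and "<archive> ZIP|Mail: infected - N <action>")
is taken from the reports posted above; the categories are this script's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the findings from the thread's two reports,
# with the forum's line-wrap spaces removed from the long file names.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3e5ae470-3c43a381.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Brian Vining\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-4a9df386-47cda8b5.zip ZIP: infected - 1 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\75B70476 Infected: Trojan-Dropper.Win32.Mudrop.k skipped
C:\RECYCLER\S-1-5-21-448539723-1644491937-725345543-1000\Dc5 Infected: Trojan-Dropper.Win32.Mudrop.k skipped
C:\WINNT\mssys.com/DROP.EXE Infected: Trojan-Dropper.DOS.Rute skipped
C:\WINNT\mssys.com Mail: infected - 1 skipped

Scan process completed.
"""

# Paths contain spaces, so the path group is non-greedy and the match is pinned
# to the " Infected: " / " ZIP: infected - N " marker and the trailing action word.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<kind>ZIP|Mail): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str        # object as reported; "archive/member" for objects inside an archive
    container: str   # the on-disk file holding the object (the archive itself, or the path)
    detection: str   # Kaspersky name, or "<container>" for a ZIP/Mail summary line
    action: str      # "skipped" for the on-line scanner: report only, nothing cleaned


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per report line that describes an infected object."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, statistics, blank and footer lines
        path = m.group("path")
        # Kaspersky separates an archive from its member with "/"; the Windows
        # path itself only uses backslashes, so the first "/" ends the container.
        container = path.split("/", 1)[0]
        detection = m.group("name") or "<container>"
        findings.append(Finding(path, container, detection, m.group("action")))
    return findings


def classify(container: str) -> str:
    """Where the object lives decides what, if anything, still has to be done.

    java-cache       Java Plug-in deployment cache: removed by clearing the cache
    av-quarantine    already contained by the resident AV; clear quarantine
    recycle-bin      already deleted, just not emptied from the bin yet
    live-filesystem  none of the above: has to be removed by hand
    """
    p = container.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"
    if "\\quarantine\\" in p:
        return "av-quarantine"
    if p.startswith("c:\\recycler\\"):
        return "recycle-bin"
    return "live-filesystem"


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the unique on-disk containers by category, sorted for stable output."""
    groups: Dict[str, set] = {}
    for f in findings:
        groups.setdefault(classify(f.container), set()).add(f.container)
    return {k: sorted(v) for k, v in groups.items()}


def detections(findings: List[Finding]) -> Counter:
    """Count named detections; ZIP/Mail container lines repeat a member, so skip them."""
    return Counter(f.detection for f in findings if f.detection != "<container>")


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for category, paths in sorted(triage(found).items()):
        print(f"[{category}]")
        for p in paths:
            print("   ", p)
    print(detections(found).most_common())
```

Run against the full reports in this thread, the only "live-filesystem" container is C:\WINNT\mssys.com, which is exactly the one folder the reply above asks to be deleted by hand; everything else falls into a category that one of the other steps (clearing the Java cache, emptying quarantine, emptying the bin) takes care of.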

  9. #9
    VopThis is offline Senior Member (Canada)
    You need to empty the cache in your Java Plugins control panel or remove the jar cache:



    From the Start button, click Settings > Control Panel
    (Note: It may be necessary to select the "Switch to Classic View" option.)

    In the Control Panel, open the "Java Plug-in Control Panel"
    Select the Cache Tab
    Click the Clear button inside the Cache Tab, which will clear your JRE cache directory


    Or


    Start > Settings > Control panel > Java Plugin [version number] > Choose Cache and click remove JAR Cache.

  10. #10
    Ria
    Ria is offline Newbie
    I've now emptied the cache in the Java plugins control panel, and for good measure, I reran Ad-aware, Spybot & Ewido.

    The Ewido report is below: -

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:54:34 AM, 20/03/2006
    + Report-Checksum: 459F9339

    + Scan result:

    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Brian Vining\Cookies\greg boylan@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup


    ::Report End

    After this I ran Kaspersky, which told me my computer is clean .... yet I am still experiencing these constant intrusion attempts when the parental controls are turned off!
    I'm hoping you have some ideas because it doesn't make any sense to me.
