
Solved AntiSpyware Master

Discussion in 'Malware and Virus Removal Archive' started by moonpie, 2008/05/18.

  1. 2008/05/23
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    Geri,

    She found USS/USS plugin in add/remove programs, but said it had the same icon as some other Toshiba stuff and didn't remove it. I had her end process for uss.exe in task manager and the alert disappeared. She is going to try to do Kaspersky again and get a log.
     
  2. 2008/05/23
    moonpie

    moonpie Inactive Thread Starter

    Geri,

    She has run the Kaspersky scan several times and gets no option to save the file. When I run it I can see everything before I save it. She isn't even getting that, only number of files, viruses, length of scan, etc. I had her uninstall it and reinstall and she is getting the same thing. I tried running it on mine and stopped the scan after it started. It gave me the option to save what was done, but hers says it is done and only says Stop Scan. If she does that she gets a warning that she is stopping without saving the log, but still gets no option to save it.

    Is there anything you can suggest? or maybe a different scan she can try?
     


  4. 2008/05/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok have her uninstall Kaspersky in add/remove programs.

    Then have her do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now have her run the scan again.

    OK sounds like it may be some kind of protection Toshiba added. I'll see if I can find some info on it.

    Have her do this for me.
    Click on start > Click on My Computer > Double click on local Disk C
    Double click on the Program Files Folder.
    Double click on the USS Folder
    Right click on the uss.exe file, Click on properties (bottom of the window that opens)
    Click on the Version tab.
    Click on the product name or company name.

    Let me know what it says.
    Then close those windows.

    Let's get an uninstall list also.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.


    Thanks
    Geri
     
  5. 2008/05/26
    moonpie

    moonpie Inactive Thread Starter

    Geri,

    She ran HJT and the entry you mentioned was not there. You mentioned to run the scan again. Were you referring to HJT? and did you need another log?

    She did not find uss.exe. I had her do a search for it and she found it in Prefetch. She is going to try to get info from properties on it.

    Download list:
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 7.0.9
    ALPS Touch Pad Driver
    AOL Coach Version 2.0(Build:20041026.5 en)
    Atheros Client Utility
    Atheros Wireless LAN MiniPCI/PCIe card Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    CD/DVD Drive Acoustic Silencer
    DVD-RAM Driver
    Express Media Player
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB894871)
    Hotfix for Windows XP (KB895200)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB935448)
    InterVideo WinDVD for TOSHIBA
    J2SE Runtime Environment 5.0 Update 6
    Lexmark 8300 Series
    Malwarebytes' Anti-Malware
    McAfee Uninstall Wizard
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Digital Image Starter Edition 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office OneNote 2003
    Microsoft Office Standard Edition 2003
    Microsoft Works
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MyConnect Special Offer
    Office 2003 Trial Assistant
    Pdf995
    QuickTime
    RealPlayer Basic
    REALTEK Gigabit and Fast Ethernet NIC Driver
    Realtek High Definition Audio Driver
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Sonic DLA
    Sonic RecordNow!
    TOSHIBA Accessibility
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Controls
    TOSHIBA Fn-esse
    TOSHIBA Games
    TOSHIBA Hardware Setup
    TOSHIBA Hotkey Utility
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    Toshiba Registration
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Virtual Sound
    TOSHIBA Zooming Utility
    Touch and Launch
    TouchPad On/Off Utility
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    USS_USSPlugin 1.0.124.3
    USS_USSPlugin 1.0.124.3
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884018
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893056
    Yahoo! Music Engine
     
    Last edited: 2008/05/26
  6. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    No I was talking about the Kaspersky scan, sorry.

    It doesn't seem that USS_USSPlugin is a threat, though I can't pinpoint what it belongs to.
    So we'll leave it for now.

    I would really like a Kaspersky scan, but...
    If she cannot get Kaspersky to run, then let's do a scan with Panda.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
     
  7. 2008/05/26
    moonpie

    moonpie Inactive Thread Starter

    Ok, here is what she managed to get on the uss.exe:

    file version 2.0.15.0
    copyright 2007 by USS
    internal name - USS
    original file name - USS.exe
    product name - USS module

    under USS properties tab--says it was created
    Sun 5-18-2008 @ 6:06PM but was modified Fri
    2-08-2008 @2:37 PM--kind of weird.

    When I've googled uss.exe, it seems that there are two programs that use a file by that name, the screen saver and US Shield. It looks like US Shield may be a legit program. What do you think? It never came up before now though.

    She had problems with the Panda Scan. It would stop when it got to 45% and go to the page where she could export the file. I'm hoping it's the full scan. It's listed below:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-05-26 21:26:15
    PROTECTIONS: 1
    MALWARE: 32
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00029036 adware/superspider Adware No 1 Yes No c:\windows\mssys.exe
    00039754 adware/browseraid Adware No 0 Yes No c:\windows\rundll16.exe
    00040007 adware/cws.yexe Adware No 0 Yes No c:\windows\loader.exe
    00040007 adware/cws.yexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
    00041487 adware/webhancer Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    00132447 adware program Adware No 0 Yes No c:\windows\x.exe
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@trafficmp[3].txt
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@trafficmp[1].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@casalemedia[3].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@doubleclick[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atdmt[3].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@fastclick[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@tribalfusion[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@tribalfusion[3].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@mediaplex[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@mediaplex[1].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@statcounter[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ad.yieldmanager[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bs.serving-sys[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[1].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@statse.webtrendslive[2].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\TEMP\Cookies\mimi@statse.webtrendslive[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@realmedia[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@realmedia[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@questionmarket[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@questionmarket[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@zedo[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@zedo[1].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bluestreak[2].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bluestreak[3].txt
    00218977 adware/affilred Adware No 0 Yes No c:\windows\msupdate.exe
    00219327 adware/conspy Adware No 0 Yes No c:\windows\waol.exe
    00219327 adware/conspy Adware No 0 Yes No c:\windows\editpad.exe
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atwola[1].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ads.addynamix[1].txt
    01300646 Generic Malware Virus/Trojan Yes 0 Yes No C:\PROGRAM FILES\USS\{5F608915-125D-404D-AC44-D78C760AE1A3}\ASAGENTS.DLL
    02082771 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\wasffNT.exe
    02891362 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19117
    02938563 Adware/PurityScan Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48442
    02981178 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\logXv06\logXv061083.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  8. 2008/05/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi moonpie
    OK Panda is showing USS as bad.


    OK have her do this.

    Please backup your registry before proceeding to any of the steps.

    Download ERUNT from Derfisch or Aumha and save it to your desktop.

    Follow the steps from Creating a Backup Copy of the Windows XP Registry section of this site to back up your registry: http://billjr.spaces.live.com/blog/cns!28CBD6442F406227!292.entry


    Make sure this is exactly as shown.
    Open "NotePad". Copy the contents of the code box below to the blank NotePad.
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select DeskTop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, Go to your desktop double click "fix.reg file" and let it merge with the registry.
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}]

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      c:\windows\mssys.exe
      c:\windows\rundll16.exe
      c:\windows\loader.exe
      c:\windows\x.exe
      c:\windows\msupdate.exe
      c:\windows\waol.exe
      c:\windows\editpad.exe
      C:\PROGRAM FILES\USS
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now have her run another Panda scan and post the log.

    Thanks
    Geri
     
  9. 2008/05/28
    moonpie

    moonpie Inactive Thread Starter

    c:\windows\mssys.exe moved successfully.
    c:\windows\rundll16.exe moved successfully.
    c:\windows\loader.exe moved successfully.
    c:\windows\x.exe moved successfully.
    c:\windows\msupdate.exe moved successfully.
    c:\windows\waol.exe moved successfully.
    c:\windows\editpad.exe moved successfully.
    C:\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3} moved successfully.
    C:\PROGRAM FILES\USS\#monitors\RegMonitor moved successfully.
    C:\PROGRAM FILES\USS\#monitors\FileMonitor moved successfully.
    C:\PROGRAM FILES\USS\#monitors\DirMonitor moved successfully.
    C:\PROGRAM FILES\USS\#monitors moved successfully.
    C:\PROGRAM FILES\USS\#agents\53 moved successfully.
    C:\PROGRAM FILES\USS\#agents moved successfully.
    C:\PROGRAM FILES\USS moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05272008_221840



    On this Panda scan, it also showed 26 low threat with no way to see what
    they were.

    --------------------------------------------------------------------------------


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-05-28 11:07:46
    PROTECTIONS: 1
    MALWARE: 29
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00040007 adware/cws.yexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
    00041487 adware/webhancer Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@trafficmp[1].txt
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@trafficmp[3].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@casalemedia[3].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atdmt[3].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atdmt[1].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@fastclick[1].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@fastclick[2].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@tribalfusion[3].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@tribalfusion[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@mediaplex[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@mediaplex[2].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@statcounter[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ad.yieldmanager[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ad.yieldmanager[2].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[2].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@burstnet[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@serving-sys[1].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bs.serving-sys[1].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bs.serving-sys[3].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[1].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@statse.webtrendslive[2].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\WINDOWS\TEMP\Cookies\mimi@statse.webtrendslive[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ads.pointroll[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@realmedia[3].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@realmedia[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@questionmarket[3].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@questionmarket[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@zedo[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@zedo[3].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bluestreak[3].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@bluestreak[2].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atwola[1].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atwola[2].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ads.addynamix[1].txt
    01300646 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\AsAgents.dll
    02082771 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\wasffNT.exe
    02891362 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19117
    02938563 Adware/PurityScan Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48442
    02981178 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\logXv06\logXv061083.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
     
  10. 2008/05/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi moonpie
    Ok this needs to be put into OTMoveIT2 and click the move button.

    C:\WINDOWS\system32\logXv06

    The reg edit was not done or was not done correctly.
    It would be best if she would come here for this.
    The registry is not to be taken lightly and we don't want any mistakes with it.

    Geri
     
  11. 2008/05/28
    moonpie

    moonpie Inactive Thread Starter

    Joined:
    2002/12/06
    Messages:
    51
    Likes Received:
    0
    She has been coming to this thread and reading your directions. I had the account so I've been doing the posting. I will ask her to register and deal with you directly if you like. She may not have understood exactly what she needed to do.
     
  12. 2008/05/29
    eldaj

    eldaj Inactive

    Joined:
    2008/05/29
    Messages:
    7
    Likes Received:
    0
    I'm the sister-in-law. I have completed the last instruction. Do I need to do something else with the registry?

    C:\WINDOWS\system32\logXv06
     
    Last edited: 2008/05/29
  13. 2008/05/29
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi eldaj
    Welcome. :)
    I did not know you were following the thread, I thought moonpie was maybe emailing you the instructions and things can be misunderstood.

    OK you did the OTMoveIT2 with this folder?
    C:\WINDOWS\system32\logXv06

    Now I would like you to do this. Even if you did it before please do so again.

    First Click on Start > All Programs
    Go to ERUNT and click on ERUNT.
    OK it to back up your registry.

    Now do this.

    If there is a fix.reg file on your desktop please delete it.

    Open "NotePad". Copy the contents of the code box below to the blank NotePad.
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select DeskTop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, Go to your desktop double click "fix.reg file" and let it merge with the registry.
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}] 
    Please run ATF Cleaner again.

    Now run a new Panda scan and post the log.

    Thanks
    Geri
     
  14. 2008/05/29
    eldaj

    eldaj Inactive

    Joined:
    2008/05/29
    Messages:
    7
    Likes Received:
    0
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-05-30 00:42:05
    PROTECTIONS: 1
    MALWARE: 7
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00040007 adware/cws.yexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
    00041487 adware/webhancer Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    01300646 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\AsAgents.dll
    02082771 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\wasffNT.exe
    02891362 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19117
    02938563 Adware/PurityScan Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48442
    02981178 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05292008_203923\WINDOWS\system32\logXv06\logXv061083.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location

    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description

    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  15. 2008/05/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi eldaj
    OK well those registry entries just don't want to go away. :(

    So let's do this,

    Please back up your registry again as you did before.

    • Download RegASSASSIN by malwarebytes.org from here
    • Unzip/extract it to a folder on your desktop
    • Double-click on RegASSASSIN.exe to start RegASSASSIN
    • Copy and paste the below into the white box one at a time.


      • Code:
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}]
        
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}] 
    • Click Delete
    • Answer Yes to any prompts

    Now run Panda again and post the log.

    Thanks
    Geri
     
  16. 2008/05/30
    eldaj

    eldaj Inactive

    Joined:
    2008/05/29
    Messages:
    7
    Likes Received:
    0
    Hi Geri---RegASSASSIN will not allow me to delete the two items--always get an error message "Hive returned Null". I backed up the registry.
    Thanks,
    Eldaj
     
  17. 2008/05/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi eldaj

    OK Please do this.

    Highlight and copy the contents of the code box below.

    Code:
    @echo off
    cd desktop
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}dummy
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}dummy
    reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}dummy dummy1.hiv
    reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}dummy dummy2.hiv
    reg restore HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3} dummy1.hiv
    reg restore HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0} dummy2.hiv
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}dummy /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}dummy /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3} /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0} /f
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}>dummy.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900 B400-CDFE-11D3-976A-00E02913A9E0}>>dummy.txt
    del /q dummy*.hiv
    start notepad dummy.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and open a text file named dummy.txt (which will also be located on the desktop). Please post the contents of dummy.txt, if anything.

    Thanks
    Geri
     
  18. 2008/05/31
    eldaj

    eldaj Inactive

    Joined:
    2008/05/29
    Messages:
    7
    Likes Received:
    0
    Hi Geri
    After following the instructions, the dummy.txt window is blank.

    Thanks again,
    EldaJ
     
  19. 2008/05/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi eldaj
    OK Great, That's what we wanted.

    Now please do another Panda scan and post the log.

    Thanks
    Geri
     
  20. 2008/05/31
    eldaj

    eldaj Inactive

    Joined:
    2008/05/29
    Messages:
    7
    Likes Received:
    0
    Hi again Geri---
    Here's the Panda scan results. By the way, since my McAfee has expired, can I download a free virus protection, such as AVG or something called Dr.Web or do you recommend something else? Thanks again.
    EldaJ
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-05-31 20:16:34
    PROTECTIONS: 1
    MALWARE: 27
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00040007 adware/cws.yexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
    00041487 adware/webhancer Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@trafficmp[2].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atdmt[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@mediaplex[1].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@statcounter[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@apmebf[1].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@burstnet[2].txt
    00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@www.burstbeacon[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@advertising[2].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@ads.pointroll[2].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@realmedia[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@questionmarket[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@zedo[2].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@target[1].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@atwola[2].txt
    01300646 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\AsAgents.dll
    01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Mimi\Cookies\mimi@adserver.easyad[1].txt
    02082771 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05272008_221840\PROGRAM FILES\USS\{5F608915-125D-404d-AC44-D78C760AE1A3}\wasffNT.exe
    02891362 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19117
    02938563 Adware/PurityScan Adware No 0 Yes No C:\Documents and Settings\Mimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48442
    02981178 Generic Malware Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\05292008_203923\WINDOWS\system32\logXv06\logXv061083.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  21. 2008/05/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi eldaj
    OK Think the problem is that the board here is putting a space in the reg entry when it's posted in the Panda log.

    So let's see if this one will work.

    Please back up your registry.

    Delete any reg.fix you have on your desktop.

    Now do this.

    Open "NotePad". Copy the contents of the code box below to the blank NotePad.
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select DeskTop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, Go to your desktop double click "fix.reg file" and let it merge with the registry.

    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3}]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}]
    Now run panda again and post the log.

    Thanks
    Geri
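
Added example, not part of the thread: a Python check to run over a fix.reg file before merging it. It flags GUID key components that contain whitespace (the board-inserted space described in post 21) and lists scanner-reported keys that no delete entry names exactly. The function names are hypothetical; the sample .reg text and key paths are copied from the posts above.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BRACED_RE = re.compile(r"\{[^{}]*\}")  # any {...} path component, valid or not
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def check_reg_file(text):
    """Parse the key headers of a .reg file.
    Returns (targets, problems): targets is a list of (action, key),
    problems a list of (line_number, message)."""
    lines = text.splitlines()
    targets, problems = [], []
    first = next((l.strip() for l in lines if l.strip()), "")
    if first not in HEADERS:
        problems.append((1, "missing .reg header line"))
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line.startswith("["):
            continue
        if not line.endswith("]"):
            problems.append((no, "key header not closed with ']'"))
            continue
        body = line[1:-1]
        action, key = ("delete", body[1:]) if body.startswith("-") else ("set", body)
        targets.append((action, key))
        # A key name with a space is legal, so a merge can succeed while
        # matching nothing; treat a non-GUID {...} component as suspect.
        for comp in BRACED_RE.findall(key):
            if GUID_RE.fullmatch(comp):
                continue
            squeezed = re.sub(r"\s+", "", comp)
            if GUID_RE.fullmatch(squeezed):
                problems.append((no, f"whitespace inside GUID {comp}; expected {squeezed}"))
            else:
                problems.append((no, f"{comp} is not a well-formed GUID"))
    return targets, problems

def unmatched_findings(reg_text, reported_keys):
    """Reported keys (e.g. copied from a scanner log) that no delete entry
    in the .reg file names exactly (registry key names are case-insensitive)."""
    targets, _ = check_reg_file(reg_text)
    deleted = {k.lower() for action, k in targets if action == "delete"}
    return [k for k in reported_keys if k.lower() not in deleted]

STATS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats"
# Key paths as they appear in the Panda log lines in the thread.
REPORTED = [STATS + r"\{5321E378-FFAD-4999-8C62-03CA8155F0B3}",
            STATS + r"\{C900B400-CDFE-11D3-976A-00E02913A9E0}"]
# The fix.reg bodies as they appear in post 13 (spaces) and post 21 (clean).
REG_WITH_SPACES = ("REGEDIT4\n\n"
    "[-" + STATS + r"\{5321 E378-FFAD-4999-8C62-03CA8155F0B3}" + "]\n\n"
    "[-" + STATS + r"\{C900 B400-CDFE-11D3-976A-00E02913A9E0}" + "]\n")
REG_CLEAN = REG_WITH_SPACES.replace("5321 E378", "5321E378").replace("C900 B400", "C900B400")

if __name__ == "__main__":
    for name, text in (("with spaces", REG_WITH_SPACES), ("clean", REG_CLEAN)):
        _, problems = check_reg_file(text)
        print(name, "->", problems or "no problems",
              "| unmatched:", len(unmatched_findings(text, REPORTED)))
```
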
     
