Spyware (Malware):
------------------
www.win-fix.com => www2.palsol.com\spyrem_offer\index/html?hop-contentcl

Ad-aware : www.lavasoftusa.com
CW Shredder : www.spywareinfo.com/~merijn/downloads.html
Center for Pest Control : research.pestpatrol.com
DSOstop2 : www.wilders.org/downloads.htm
HijackThis : www.spychecker.com/program/hijackthis.html
IE-Spyad : www.pcworld.com/downloads/file_downloads.asp?fid=23332&fileidx=1
PestPatrol : www.pestpatrol.com
Spybot Search & Destroy : www.safer-networking.org/en/download
Spyware Blaster : www.javacoolsoftware.com/spywareblaster.html
Spyware Guard : www.javacoolsoftware.com/sgdownload.html
SpywareInfo : www1.spywareinfo.com/downloads.php
Yahoo toolbar with anti-spy : toolbar.yahoo.com

Norton Antivirus unlock code
---------------------------
69E8 59C7 5E0A 48FC 2F07 C1D5 F352 B222 AE

Programs that go to net by themselves:
--------------------------------------
cccPxySvc.exe

Programs trying to break in?
----------------------------
tftp.exe

Modified file names to prevent automatic network access:
--------------------------------------------------------
C:\Program Files\Symantic\Liveupdate\Aupdate.exe luupdate.exe
c:\windows\intuit\shared\arupld32.exe_ : browser history monitor
d:\program files]debugging tools for windows]tlist.exe_ : NetCat Hacker tool ?
C:\Program Files\Common Files\Epson\SAEGENT4.EXE
C:\Windows\System\E_s4i2d1 - Epson printer
C:\Program Files\PLUS!\Cmpagent.exe
C:\Program Files\PLUS!\Sysagent.exe

Intrusion attack IP Addresses:
------------------------------
80.71.72.24
80.71.72.120
162.40.160.177:1356
4.231.174.213:3288 NetBus Trojan Horse
-----
84.9.65.199:3874 NetBus Trojan Horse, 2004 Oct 27
211.173.147.208:3757 NetBus Trojan Horse, 2004 Nov 04
66.36.152.175:3696 NetBus Trojan Horse, 2004 Nov 23
4.230.90.14:1604 NetBus Trojan Horse, 2004 Dec 01
201.252.38.128:4593 NetBus Trojan Horse, 2004 Dec 01
198.200.173.162:47150 Portscan 2004 Dec 08
4.231.227.219:3579 NetBus Trojan Horse, 2004 Dec 09
61.42.47.223:3686 NetBus Trojan Horse, 2004 Dec 16
4.231.56.37:4521 Back-Orifice Trojan Horse, 2004 Dec 22
4.230.63.72:4491 NetBus Trojan Horse, 2004 Dec 27
211.49.216.124:1628 NetBus Trojan Horse, 2004 Dec 31
211.110.41.252:4557 NetBus Trojan Horse, 2004 Dec 31
4.230.96.241:2682 Backdoor SubServer Trojan Horse 2005 Jan 11
24.238.194.29:2044 (local 192.168.1.2::3306) "D:\Program FilesMySQL\MySQL Server 4.1\bin\mysqld-nt.exe" 2005 Mar 11
MS_Windows_LSASS_RPC_DS_REquest 4.231.157.2(3609)
HTTP_ActivePerl_Overflow from: localhost(2154) ehg-wss.hitbox.com (64.154.80.250) port(80)

Suspicious Processes W98:
-------------------------
mdm
combobutton

Directories to Clean or Delete
------------------------------
c:\Program Files\InstallShield Installation Information\*
c:\temp\*
c:\tmp\*
c:\WINDOWS\Temporary Internet Files\Content.IE5\*

20041109
--------
D:\WINNT\system32\0 Download.Trojan
D:\WINNT\system32\screensaver.zip w32.Netsky.p@mm
D:\WINNT\system32\TFTP1092 w32.Spybot.Worm
D:\WINNT\system32\TFTP776 w32.Spybot.Worm

???
----
D:\Documents and Settings\Prem Sobel\Application Data\Mozilla\Profiles\default\ers533qg.slt\Mail\mail.earthlink.net\Inbox