Need Help! Lots of pop-ups! [RESOLVED]

#16 franklinagf (Topic Starter, 34 posts)

The error message from Panda said:
Error on downloading Panda ActiveScan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.

I had some trouble running SpySweeper. It would complete the scan but then when it was trying to remove the items it would freeze up and have to restart! I even got one of those Buffer Overrun detected messages once when SpySweeper was trying to remove the infected items and it closed everything!

OH NO... I just got a pop-up from: http://adopt.hbmedia...=0&r=h&rnd=2918
and another from: http://count.exitexc...om/exit/1181164

Anyway, SpySweeper still saved the results of the scan, so I deleted the files it found, then went to the Registry Editor and deleted the keys it found. Then I ran SpySweeper again (in Safe Mode) and it found NOTHING!

Below is the Session Log (I had to run it 3 times, so I'm posting all 3) from SpySweeper and a new HJT log (wasn't sure whether to run HJT in Safe or Normal Mode, so I ran it in Normal). One other question... Should I disable my System Restore so these files that are being deleted are not stored in that?

Thanks again for your help! I'm going to try another scan with SpySweeper and see if those 2 pop-ups left anything while I wait for your reply! I'll let you know!

Angela


********
11:42 PM: |··· Start of Session, Sunday, July 17, 2005 ···|
11:42 PM: Spy Sweeper started
11:42 PM: Sweep initiated using definitions version 505
11:42 PM: Starting Memory Sweep
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:43 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
11:43 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:43 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:43 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03B890A4
11:44 PM: Memory Sweep Complete, Elapsed Time: 00:02:20
11:44 PM: Starting Registry Sweep
11:46 PM: Registry Sweep Complete, Elapsed Time:00:02:04
11:46 PM: Starting Cookie Sweep
11:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:46 PM: Starting File Sweep
11:46 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
11:46 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 0040533C in module 'WRSSSDK.EXE'. Read of address 1502FFFE
11:47 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
11:47 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:53 PM: File Sweep Complete, Elapsed Time: 00:06:21
11:53 PM: Full Sweep has completed. Elapsed time 00:10:50
11:53 PM: Traces Found: 0
11:53 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03A53168
11:53 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 018CD324
11:53 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
********
10:34 PM: |··· Start of Session, Sunday, July 17, 2005 ···|
10:34 PM: Spy Sweeper started
10:34 PM: Sweep initiated using definitions version 505
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
10:34 PM: Starting Memory Sweep
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000004. Read of address 048BFEF8
10:35 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 01869498
10:35 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:35 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:35 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
10:35 PM: Memory Sweep Complete, Elapsed Time: 00:01:45
10:35 PM: Starting Registry Sweep
10:37 PM: Found Adware: ebates money maker
10:37 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386605)
10:37 PM: HKU\.DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386609)
10:37 PM: Found Adware: hotbar
10:37 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388580)
10:37 PM: Found Adware: 180search assistant
10:37 PM: HKU\.DEFAULT\software\sac\ (14 subtraces) (ID = 4396959)
10:37 PM: Found Trojan Horse: trojan-downloader-pacisoft
10:37 PM: HKU\.DEFAULT\software\psof1\ (6 subtraces) (ID = 4397754)
10:37 PM: Found Adware: redzip toolbar
10:37 PM: HKU\.DEFAULT\software\microsoft\windows\currentversion\explorer\ || insid (ID = 4400664)
10:38 PM: Registry Sweep Complete, Elapsed Time:00:02:02
10:38 PM: Starting Cookie Sweep
10:38 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:38 PM: Starting File Sweep
10:38 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
10:38 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:38 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00011846. Read of address FFFFFFFF
10:38 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
10:44 PM: Found Adware: speeddelivery
10:44 PM: c:\gigex downloads (2 subtraces) (ID = 4120180)
10:44 PM: File Sweep Complete, Elapsed Time: 00:06:16
10:44 PM: Full Sweep has completed. Elapsed time 00:10:08
10:44 PM: Traces Found: 29
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00403AD4 in module 'WRSSSDK.EXE'. Read of address 032B7FFC
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:44 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:50 PM: Removal process initiated
10:50 PM: Quarantining All Traces: ebates money maker
10:50 PM: Quarantining All Traces: hotbar
10:50 PM: Quarantining All Traces: 180search assistant
10:50 PM: Quarantining All Traces: trojan-downloader-pacisoft
10:50 PM: Quarantining All Traces: redzip toolbar
10:50 PM: Quarantining All Traces: speeddelivery
10:55 PM: An error occurred during quarantine:
10:55 PM: The remote procedure call failed
10:55 PM: Removal process completed. Elapsed time 00:04:42
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:55 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:56 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:56 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:56 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000093. Write of address CBFFFF4D
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:00 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000093. Write of address CBFFFF4D
11:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 016873B8
11:01 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:04 PM: Warning: Hosts File Shield unable to read from hosts file. External exception C000001D
11:05 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:05 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:36 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 0162349E. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00403AD4 in module 'WRSSSDK.EXE'. Read of address 0186BFFC
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
11:42 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
11:42 PM: |··· End of Session, Sunday, July 17, 2005 ···|
********
10:15 PM: |··· Start of Session, Sunday, July 17, 2005 ···|
10:15 PM: Spy Sweeper started
10:15 PM: Sweep initiated using definitions version 505
10:15 PM: Starting Memory Sweep
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 01681288
10:16 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:16 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:16 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:16 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
10:18 PM: Memory Sweep Complete, Elapsed Time: 00:02:25
10:18 PM: Starting Registry Sweep
10:19 PM: Found Adware: ebates money maker
10:19 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386605)
10:19 PM: HKU\.DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386609)
10:19 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tmu\ (1 subtraces) (ID = 4386622)
10:19 PM: Found Adware: hotbar
10:19 PM: HKLM\software\classes\clsid\{954814c0-40f3-4249-8528-b4922cd2964e}\ (2 subtraces) (ID = 4388419)
10:19 PM: HKLM\software\classes\clsid\{a54814c0-40f3-4249-8528-b4922cd2964e}\ (2 subtraces) (ID = 4388422)
10:19 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388580)
10:19 PM: Found Adware: look2me
10:19 PM: HKLM\software\tsvcin\ (2 subtraces) (ID = 4391088)
10:19 PM: HKLM\software\tsvcin\ || a (ID = 4391089)
10:19 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:19 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03185838
10:19 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:19 PM: Found Adware: 180search assistant
10:19 PM: HKU\.DEFAULT\software\sac\ (14 subtraces) (ID = 4396959)
10:19 PM: HKLM\software\sac\ (10 subtraces) (ID = 4396960)
10:19 PM: Found Trojan Horse: trojan-downloader-pacisoft
10:19 PM: HKU\.DEFAULT\software\psof1\ (6 subtraces) (ID = 4397754)
10:19 PM: Found Adware: redzip toolbar
10:19 PM: HKU\.DEFAULT\software\microsoft\windows\currentversion\explorer\ || insid (ID = 4400664)
10:20 PM: Found Adware: winad
10:20 PM: HKCR\appid\mediagateway.exe\ (1 subtraces) (ID = 4408841)
10:20 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4408846)
10:20 PM: HKCR\mediagateway.installer\ (5 subtraces) (ID = 4408850)
10:20 PM: HKLM\software\classes\appid\mediagateway.exe\ (1 subtraces) (ID = 4408858)
10:20 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4408863)
10:20 PM: HKLM\software\classes\mediagateway.installer\ (5 subtraces) (ID = 4408867)
10:20 PM: Registry Sweep Complete, Elapsed Time:00:02:12
10:20 PM: Starting Cookie Sweep
10:20 PM: Found Cookie: go2net.com cookie
10:20 PM: default@go2net[1].txt (ID = 181156)
10:20 PM: Found Cookie: azjmp cookie
10:20 PM: default@azjmp[2].txt (ID = 180691)
10:20 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:20 PM: Found Cookie: overture cookie
10:20 PM: default@overture[1].txt (ID = 181537)
10:20 PM: default@perf.overture[1].txt (ID = 181538)
10:20 PM: Found Cookie: mygeek cookie
10:20 PM: default@mygeek[2].txt (ID = 181473)
10:20 PM: Found Cookie: winantiviruspro cookie
10:20 PM: default@www.winantiviruspro[2].txt (ID = 182128)
10:20 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:20 PM: Found Cookie: reliablestats cookie
10:20 PM: default@stats1.reliablestats[2].txt (ID = 181686)
10:20 PM: Found Cookie: adserver cookie
10:20 PM: default@z1.adserver[1].txt (ID = 180561)
10:20 PM: Found Cookie: addynamix cookie
10:20 PM: default@ads.addynamix[2].txt (ID = 180477)
10:20 PM: Found Cookie: yieldmanager cookie
10:20 PM: default@ad.yieldmanager[2].txt (ID = 182189)
10:20 PM: Found Cookie: zedo cookie
10:20 PM: default@zedo[1].txt (ID = 182200)
10:20 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:20 PM: Found Cookie: touchclarity cookie
10:20 PM: default@partypoker.touchclarity[2].txt (ID = 182001)
10:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
10:20 PM: Starting File Sweep
10:20 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
10:23 PM: Found Adware: abetterinternet
10:23 PM: remtm3.exe (ID = 4128124)
10:23 PM: abiuninst.htm (ID = 4127732)
10:23 PM: saieau.dat (ID = 4113568)
10:23 PM: Found Adware: windows afa internet enhancement
10:23 PM: qbuninstaller.exe (ID = 4135464)
10:23 PM: mediagatewayx.dll (ID = 4135413)
10:26 PM: Found Adware: speeddelivery
10:26 PM: c:\gigex downloads (2 subtraces) (ID = 4120180)
10:27 PM: File Sweep Complete, Elapsed Time: 00:06:30
10:27 PM: Full Sweep has completed. Elapsed time 00:11:18
10:27 PM: Traces Found: 99
10:27 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:27 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:27 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Removal process initiated
10:28 PM: Quarantining All Traces: ebates money maker
10:28 PM: Quarantining All Traces: hotbar
10:28 PM: Quarantining All Traces: look2me
10:28 PM: Quarantining All Traces: 180search assistant
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Quarantining All Traces: trojan-downloader-pacisoft
10:28 PM: Quarantining All Traces: redzip toolbar
10:28 PM: Quarantining All Traces: winad
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Quarantining All Traces: go2net.com cookie
10:28 PM: Quarantining All Traces: azjmp cookie
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Quarantining All Traces: overture cookie
10:28 PM: Quarantining All Traces: mygeek cookie
10:28 PM: Quarantining All Traces: winantiviruspro cookie
10:28 PM: Quarantining All Traces: reliablestats cookie
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Quarantining All Traces: adserver cookie
10:28 PM: Quarantining All Traces: addynamix cookie
10:28 PM: Quarantining All Traces: yieldmanager cookie
10:28 PM: Quarantining All Traces: zedo cookie
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Quarantining All Traces: touchclarity cookie
10:28 PM: Quarantining All Traces: abetterinternet
10:28 PM: Quarantining All Traces: windows afa internet enhancement
10:28 PM: Quarantining All Traces: speeddelivery
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:28 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:29 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:29 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:29 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:29 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:32 PM: An error occurred during quarantine:
10:32 PM: The remote procedure call failed
10:32 PM: Removal process completed. Elapsed time 00:04:06
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004023A8 in module 'WRSSSDK.EXE'. Write of address 00C3694E
10:33 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00402360 in module 'WRSSSDK.EXE'. Write of address 00C369C2
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:34 PM: |··· End of Session, Sunday, July 17, 2005 ···|
********
10:14 PM: |··· Start of Session, Sunday, July 17, 2005 ···|
10:14 PM: Spy Sweeper started
10:14 PM: Program Version 4.0.3 (Build 405) Using Spyware Definitions 505
10:14 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:14 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address C29D71AE. Read of address FFFFFFFF
10:14 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:15 PM: |··· End of Session, Sunday, July 17, 2005 ···|



Logfile of HijackThis v1.99.1
Scan saved at 12:06:34 AM, on 7/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISSCH.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMPAQ KNOWLEDGE CENTER\BIN\MPBTN.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O12 - Plugin for .pps: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .ppt: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://cat.fnismls.c...rintControl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11....es/MsnPUpld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#17
franklinagf (Topic Starter, Member, 34 posts)
OK, I ran SpySweeper again allowing it to clean my System Restore folder. I also disabled System Restore! (Didn't think I could do much more damage than is already done!)
It found more items but this time it was able to quarantine all the items! I'll post the new log below!

Guess what? I'm still getting pop-ups from: loadingwebsite, ads2.revenue and party poker! :tazz: But they are a little less frequent!

Anything else to try?

Thanks,
Angela

********
12:58 AM: |··· Start of Session, Monday, July 18, 2005 ···|
12:58 AM: Spy Sweeper started
12:58 AM: Sweep initiated using definitions version 505
12:58 AM: Starting Memory Sweep
12:58 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:58 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 01683B24
12:59 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
12:59 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 016AA6E4
12:59 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 01710494
1:00 AM: Memory Sweep Complete, Elapsed Time: 00:01:57
1:00 AM: Starting Registry Sweep
1:02 AM: Registry Sweep Complete, Elapsed Time:00:02:03
1:02 AM: Starting Cookie Sweep
1:02 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:02 AM: Starting File Sweep
1:02 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
1:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
1:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
1:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00002664. Read of address FFFFFFFF
1:05 AM: Found Adware: roings search enhancment
1:05 AM: a0007702.cpy (ID = 4117785)
1:05 AM: Found Adware: abetterinternet
1:05 AM: a0007703.cpy (ID = 4128092)
1:05 AM: a0007704.cpy (ID = 4128173)
1:05 AM: a0007772.cpy (ID = 4128124)
1:05 AM: Found Adware: windows afa internet enhancement
1:05 AM: a0007773.cpy (ID = 4135464)
1:08 AM: File Sweep Complete, Elapsed Time: 00:06:35
1:08 AM: Full Sweep has completed. Elapsed time 00:10:41
1:08 AM: Traces Found: 5
1:09 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03900AEC
1:09 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
1:09 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
1:11 AM: Removal process initiated
1:11 AM: Quarantining All Traces: roings search enhancment
1:11 AM: Quarantining All Traces: abetterinternet
1:11 AM: Quarantining All Traces: windows afa internet enhancement
1:11 AM: Removal process completed. Elapsed time 00:00:06
********
12:33 AM: |··· Start of Session, Monday, July 18, 2005 ···|
12:33 AM: Spy Sweeper started
12:33 AM: Sweep initiated using definitions version 505
12:33 AM: Starting Memory Sweep
12:33 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:34 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000018. Write of address FF53F001
12:34 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
12:34 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000018. Write of address FF53F001
12:34 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000018. Write of address FF53F001
12:34 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000018. Write of address FF53F001
12:36 AM: Memory Sweep Complete, Elapsed Time: 00:02:11
12:36 AM: Starting Registry Sweep
12:38 AM: Registry Sweep Complete, Elapsed Time:00:02:06
12:38 AM: Starting Cookie Sweep
12:38 AM: Found Cookie: delfinproject cookie
12:38 AM: default@delfinproject[1].txt (ID = 180928)
12:38 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03289EBC
12:38 AM: Found Cookie: zedo cookie
12:38 AM: default@zedo[2].txt (ID = 182200)
12:38 AM: Found Cookie: exitexchange cookie
12:38 AM: default@exitexchange[1].txt (ID = 181059)
12:38 AM: Found Cookie: trafficmp cookie
12:38 AM: default@trafficmp[1].txt (ID = 182017)
12:38 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:38 AM: Found Cookie: yieldmanager cookie
12:38 AM: default@ad.yieldmanager[2].txt (ID = 182189)
12:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:04
12:38 AM: Starting File Sweep
12:38 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
12:38 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:39 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000029. Read of address FFFFFFFF
12:39 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
12:39 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
12:42 AM: Found Adware: roings search enhancment
12:42 AM: a0007702.cpy (ID = 4117785)
12:42 AM: Found Adware: abetterinternet
12:42 AM: a0007703.cpy (ID = 4128092)
12:42 AM: a0007704.cpy (ID = 4128173)
12:42 AM: a0007772.cpy (ID = 4128124)
12:42 AM: Found Adware: windows afa internet enhancement
12:42 AM: a0007773.cpy (ID = 4135464)
12:45 AM: File Sweep Complete, Elapsed Time: 00:07:05
12:45 AM: Full Sweep has completed. Elapsed time 00:11:31
12:45 AM: Traces Found: 10
12:45 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 0312B6D4
12:45 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:45 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:48 AM: Removal process initiated
12:48 AM: Quarantining All Traces: delfinproject cookie
12:48 AM: Quarantining All Traces: zedo cookie
12:48 AM: Quarantining All Traces: exitexchange cookie
12:48 AM: Quarantining All Traces: trafficmp cookie
12:48 AM: Quarantining All Traces: yieldmanager cookie
12:48 AM: Quarantining All Traces: roings search enhancment
12:48 AM: roings search enhancment is in use. It will be removed on reboot.
12:48 AM: a0007702.cpy is in use. It will be removed on reboot.
12:48 AM: Quarantining All Traces: abetterinternet
12:48 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:48 AM: abetterinternet is in use. It will be removed on reboot.
12:48 AM: a0007703.cpy is in use. It will be removed on reboot.
12:48 AM: a0007704.cpy is in use. It will be removed on reboot.
12:48 AM: a0007772.cpy is in use. It will be removed on reboot.
12:48 AM: Quarantining All Traces: windows afa internet enhancement
12:48 AM: windows afa internet enhancement is in use. It will be removed on reboot.
12:48 AM: a0007773.cpy is in use. It will be removed on reboot.
12:48 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:48 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:48 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
12:48 AM: Preparing to restart your computer. Please wait...
12:48 AM: Removal process completed. Elapsed time 00:00:19
12:50 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:50 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000029. Read of address FFFFFFFF
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00401DDD in module 'WRSSSDK.EXE'. Write of address 00B1134C
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:51 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:52 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation
12:52 AM: Warning: Hosts File Shield unable to read from hosts file. Invalid pointer operation

#18
ukbiker (Rest in Peace, ukbiker; Retired Staff, 2,014 posts)
Hiya

Well, SpySweeper seems to be finding stuff each time; unfortunately they are being regenerated. OK, we are at least making some progress.

Now that you have purged the System Restore, please create a new System Restore point by re-enabling System Restore; do it just after a scan. At least that way we will have something to restore to if we need it.

Can you please open SpySweeper. In the LH pane, click on "shields", then in the right-hand pane select the "start up items" icon. Make sure that the "edit start up items" box is checked. This will open a list of startup files in the box. Adjust the width of the item and executable fields so that the full file path and name are shown. Please copy and paste that information here.

Do the same for the "Hosts" icon: make sure the Edit box has a check mark, then copy and paste the contents of that log for me too.

There is an option in SpySweeper to permanently block cookies, so use that to block those cookies that you found and quarantined.

Reboot into Safe Mode, run the SpySweeper scan again and save the log for me as usual, but this time after the scan delete everything it finds from the quarantine. Then immediately after it, run Adaware, save the log and have it fix everything it finds.

Reboot into normal mode.

Try and run the Panda online scan again and make a note of any error messages, and if successful, post the log for me.

Good Luck

UKBiker

#19
franklinagf (Topic Starter, Member, 34 posts)
Hello again!

I've created a restore point and run SpySweeper and Adaware. Both found NOTHING! I think we are finally getting somewhere! :tazz:

It won't let you highlight the items in the start-up items or hosts in SpySweeper to copy and paste. I can write them down and type them here if you need me to.

Below are the logs from SpySweeper and Adaware. I finally got the Panda ActiveScan to run by going in and deleting the file it had previously set up in my Windows directory! It is scanning now and I will post that log as soon as it completes. Bad news, though: it's only scanned 10000 items and has already found 6 that are infected!

Also, when I rebooted in Safe Mode the first time I got another error message!

Microsoft Visual C++ Runtime Library
Runtime Error
Program: C:\Windows\Explorer.exe
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

What's this coming from? Is it normal?

I'll be back shortly to post the Panda log!

Thanks,
Angela

********
9:53 PM: |··· Start of Session, Monday, July 18, 2005 ···|
9:53 PM: Spy Sweeper started
9:53 PM: Sweep initiated using definitions version 505
9:53 PM: Starting Memory Sweep
9:53 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
9:53 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
9:54 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
9:54 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
9:54 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
9:55 PM: Memory Sweep Complete, Elapsed Time: 00:02:15
9:55 PM: Starting Registry Sweep
9:57 PM: Registry Sweep Complete, Elapsed Time:00:02:04
9:57 PM: Starting File Sweep
9:57 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
9:58 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
9:58 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000029. Read of address FFFFFFFF
10:03 PM: File Sweep Complete, Elapsed Time: 00:06:21
10:03 PM: Full Sweep has completed. Elapsed time 00:10:42
10:03 PM: Traces Found: 0
10:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
10:04 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000003. Read of address FFFFFFFF
********


Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, July 18, 2005 10:16:04 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R54 14.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):17 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-18-2005 10:16:04 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293868753
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294933041
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294931017
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294940013
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294868429
Threads : 15
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:6 [RUNDLL32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294794333
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:7 [STMGR.EXE]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294711061
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:8 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294722529
Threads : 2
Priority : Realtime
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
ProductName : Microsoftr DirectX for Windowsr 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright c Microsoft Corp. 1994-2001
OriginalFilename : DDHelp.exe

#:9 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294879481
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright c Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Deep scanning and examining files (d:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for d:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1009 entries scanned.
New critical objects:0
Objects found so far: 17




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

10:21:41 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:37.400
Objects scanned:66188
Objects identified:0
Objects ignored:0
New critical objects:0

#20
franklinagf (Topic Starter, Member, 34 posts)
Finally, here's the log from Panda ActiveScan.


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_kyf.dat
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RUNMSC.LOADER.1
Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\MEDIAGATEWAYX.INSTALLER
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NCWMSDRM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MUJTES40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NQRSSK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NEWRSPT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VGODCTL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FJWPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DYGEST.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ZKPFLDR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SFRRUN.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTTRVRES.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DZCOMPOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RWR20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXOOLSS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ljfil13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\pecrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\BGACKBOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ADI_DDAE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MESCP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TCUMBVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6110.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6147.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav3120.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav3130.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5141.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav51A5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav51C3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5387.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6003.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6006.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav62D3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav62E0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6334.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6343.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7005.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7012.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7015.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7021.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7023.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7046.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7131.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7171.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7172.TMP
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\hosts
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.inf
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.dll

#21
ukbiker (Rest in Peace, ukbiker; Retired Staff, 2,014 posts)
Hiya there

Thanks for bearing with us on this one.

OK, I will go through the Panda log now and get a reply posted as soon as I can. Don't log off please until I get the post up; let's see what we can get this time. :tazz:

UKBiker

#22
ukbiker (Rest in Peace, ukbiker; Retired Staff, 2,014 posts)
Hiya

OK, let's have another go at this.

1) If you have not already done so, Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Please copy and paste these instructions into a text file and then save it, as you will need to access it in Safe Mode later in the fix. Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode ensure that you have no antispyware or AV apps running as these may stop the fix, then please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file that you created with these instructions in it, and copy the file names below to the clipboard by highlighting them all and pressing Control-C:

C:\WINDOWS\SYSTEM\CORDS.DLL
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\saie_kyf.dat
C:\WINDOWS\SYSTEM\NCWMSDRM.DLL
C:\WINDOWS\SYSTEM\MUJTES40.DLL
C:\WINDOWS\SYSTEM\NQRSSK.DLL
C:\WINDOWS\SYSTEM\NEWRSPT.DLL
C:\WINDOWS\SYSTEM\VGODCTL.DLL
C:\WINDOWS\SYSTEM\FJWPP.DLL
C:\WINDOWS\SYSTEM\DYGEST.DLL
C:\WINDOWS\SYSTEM\ZKPFLDR.DLL
C:\WINDOWS\SYSTEM\SFRRUN.DLL
C:\WINDOWS\SYSTEM\WTTRVRES.DLL
C:\WINDOWS\SYSTEM\DZCOMPOS.DLL
C:\WINDOWS\SYSTEM\RWR20.DLL
C:\WINDOWS\SYSTEM\SXOOLSS.DLL
C:\WINDOWS\SYSTEM\ljfil13n.dll
C:\WINDOWS\SYSTEM\pecrt.dll
C:\WINDOWS\SYSTEM\BGACKBOX.DLL
C:\WINDOWS\SYSTEM\ADI_DDAE.DLL
C:\WINDOWS\SYSTEM\MESCP.DLL
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\TCUMBVW.DLL
C:\WINDOWS\SYSTEM\CORDS.DLL
C:\WINDOWS\TEMP\pav6110.TMP
C:\WINDOWS\TEMP\pav6147.TMP
C:\WINDOWS\TEMP\pav3120.TMP
C:\WINDOWS\TEMP\pav3130.TMP
C:\WINDOWS\TEMP\pav5141.TMP
C:\WINDOWS\TEMP\pav51A5.TMP
C:\WINDOWS\TEMP\pav51C3.TMP
C:\WINDOWS\TEMP\pav5387.TMP
C:\WINDOWS\TEMP\pav6003.TMP
C:\WINDOWS\TEMP\pav6006.TMP
C:\WINDOWS\TEMP\pav62D3.TMP
C:\WINDOWS\TEMP\pav62E0.TMP
C:\WINDOWS\TEMP\pav6334.TMP
C:\WINDOWS\TEMP\pav6343.TMP
C:\WINDOWS\TEMP\pav7005.TMP
C:\WINDOWS\TEMP\pav7012.TMP
C:\WINDOWS\TEMP\pav7015.TMP
C:\WINDOWS\TEMP\pav7021.TMP
C:\WINDOWS\TEMP\pav7023.TMP
C:\WINDOWS\TEMP\pav7046.TMP
C:\WINDOWS\TEMP\pav7131.TMP
C:\WINDOWS\TEMP\pav7171.TMP
C:\WINDOWS\TEMP\pav7172.TMP
C:\WINDOWS\SYSTEM\guard.tmp


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

8) Please rerun the Panda ActiveScan as you did before and post its new log here for me.

Good Luck

UKBiker
#23
franklinagf
    Member
  • Topic Starter
  • Member
  • 34 posts
Obviously KillBox didn't kill anything!

I also got another Runtime Error trying to close Explorer.exe during the Panda scan!

However, I did a search for any file containing the text NicTech and came up with a few other files that were not on the list for me to delete:

C:\WINDOWS\SYSTEM\ivv16.dll
C:\WINDOWS\TEMP\pav10D4.TMP
C:\WINDOWS\TEMP\pav1115.TMP
C:\WINDOWS\TEMP\pav50E0.TMP
C:\WINDOWS\TEMP\pav5161.TMP
C:\WINDOWS\TEMP\pavD043.TMP

and of course....
C:\_RESTORE\ARCHIVE\BKUPVXDLASTLOG.1
C:\_RESTORE\ARCHIVE\BKUPVXDLASTLOG.4
C:\WINDOWS\USER

Should I try deleting these as well as the others using KillBox and run another Panda scan?

Thanks,
Angela

Here's the Panda log:


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IVV16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_kyf.dat
Adware:adware/savenow No disinfected HKEY_CLASSES_ROOT\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NCWMSDRM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MUJTES40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NQRSSK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NEWRSPT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VGODCTL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FJWPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DYGEST.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ZKPFLDR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SFRRUN.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTTRVRES.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DZCOMPOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RWR20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXOOLSS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ljfil13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\pecrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\BGACKBOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ADI_DDAE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MESCP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TCUMBVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ivv16.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6110.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6147.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav3120.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav3130.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5141.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav51A5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav51C3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5387.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6003.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6006.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav62D3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav62E0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6334.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6343.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7005.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7012.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7015.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7021.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7023.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7046.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7131.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7171.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7172.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav10D4.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1115.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav50E0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5161.TMP
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\hosts
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.inf
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.dll
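Angela's finding above, that the scan turned up files not on the Killbox list, is exactly the check a helper should run before posting a fix. The script below is an added example, not code from the thread, from Panda or from Killbox: it parses ActiveScan log lines in the "Incident Status Location" layout, compares the locations against a Killbox-style delete list, and reports what the list misses, what it repeats (Windows paths are case-insensitive, so IVV16.DLL and ivv16.dll are one file), and which findings are registry keys that a file-deletion tool cannot touch. The SCAN_LOG and DELETE_LIST excerpts are constructed from items visible in this thread.

```python
"""Cross-check a Panda ActiveScan log against a Killbox delete list.

Added example for this thread; not Panda's or Killbox's own code. The
excerpts below are constructed from findings quoted in the thread.
"""
import re

SCAN_LOG = r"""Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IVV16.DLL
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_kyf.dat
Adware:adware/savenow No disinfected HKEY_CLASSES_ROOT\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ivv16.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav10D4.TMP
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\hosts
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.inf
"""

# Constructed delete list: note the repeated AKI_3DAE.DLL and the
# ivv16.dll / IVV16.DLL pair, which name the same file on Windows.
DELETE_LIST = r"""
C:\WINDOWS\SYSTEM\IVV16.DLL
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\saie_kyf.dat
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\ivv16.dll
C:\WINDOWS\SYSTEM\guard.tmp
"""

# One log line: incident name (never contains spaces), a status word,
# then a location that may itself contain spaces ("C:\Program Files\...").
LINE_RE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<location>.+)$"
)

# Findings under these roots are registry keys, not files.
REGISTRY_ROOTS = ("HKEY_", "HKLM\\", "HKCU\\", "HKCR\\")


def parse_scan_log(text):
    """Return a list of dicts (incident, status, location) for each finding."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # the "Incident Status Location" header does not match
            findings.append(match.groupdict())
    return findings


def norm(path):
    """Windows paths are case-insensitive; compare them in one case."""
    return path.strip().lower()


def cross_check(findings, delete_list_text):
    """Compare scan findings with a delete list and return the gaps."""
    listed = [norm(line) for line in delete_list_text.splitlines() if line.strip()]
    seen, duplicates = set(), set()
    for path in listed:
        if path in seen:
            duplicates.add(path)
        seen.add(path)

    missing, registry, already_fixed = set(), set(), set()
    for finding in findings:
        loc = finding["location"]
        if finding["status"] == "Disinfected":
            already_fixed.add(loc)          # the scanner already handled it
        elif loc.upper().startswith(REGISTRY_ROOTS):
            registry.add(loc)               # needs the Registry Editor, not Killbox
        elif norm(loc) not in seen:
            missing.add(norm(loc))          # found by the scan, absent from the list
    return {
        "missing_from_list": sorted(missing),
        "duplicates_in_list": sorted(duplicates),
        "registry_items": sorted(registry),
        "already_disinfected": sorted(already_fixed),
    }


if __name__ == "__main__":
    result = cross_check(parse_scan_log(SCAN_LOG), DELETE_LIST)
    for key, items in result.items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the constructed excerpt it reports two files missing from the list (the pav10D4.TMP temp file and the HijackThis backup), two duplicated list entries, one registry key to handle separately, and the hosts file already disinfected by the scanner.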
#24
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hiya

OK, I'm looking at it now.

UKBiker
#25
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi again

Give me 10 minutes and I will have a reply for you. In the meantime, can you give me a list of the files contained in the c:/windows/hosts file please?

UKBiker
#26
franklinagf
    Member
  • Topic Starter
  • Member
  • 34 posts
There is no "hosts" folder, only files!

These are the following files in the C:\WINDOWS directory that contain the word "host":

HOSTS, 1KB, SAM file, Modified 6/8/2000
LMHOSTS, 4KB, SAM file, Modified 6/8/2000
HOSTS, 1KB, (only says file), Modified 7/19/2005
hosts20050210-161800.backup, 1KB, backup file, Modified 2/10/2005
hosts20050210-161809.backup, 1KB, backup file, Modified 2/10/2005


Angela
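What ukbiker is after in post #25 is the content of the hosts file that Panda flagged as Trj/Qhost.Y, because a Qhost-style infection rewrites that file so that names the user types are resolved to addresses of the attacker's choosing, or pinned to the local machine so that security updates cannot be fetched. The checker below is an added example, not code from the thread or from Panda: it parses hosts-file text and sorts each entry into the stock localhost mapping, names pinned to a local sink address, and names redirected to a routable address. SAMPLE_HOSTS is constructed, and 203.0.113.10 is a documentation-range placeholder rather than an address taken from the infection.

```python
"""Classify the entries of a Windows hosts file (Qhost-style hijack check).

Added example for this thread; not Panda's code. SAMPLE_HOSTS is
constructed and the 203.0.113.10 target is a placeholder address.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
# --- constructed lines below mimic a Qhost-style hijack ---
203.0.113.10    www.security-vendor.example      # sent to an attacker host
203.0.113.10    update.security-vendor.example
127.0.0.1       download.security-vendor.example # blocks AV updates
0.0.0.0         ads.tracker.example
"""

# Addresses that never leave the machine: mapping a name to one of these
# blocks the name rather than redirecting it somewhere else.
LOCAL_SINKS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments after '#', blank lines and lines whose first field is not an
    IP address are skipped; one line may name several hosts.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; ignore rather than guess
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def classify(entries):
    """Sort entries into three buckets.

    'expected'  : loopback -> localhost, the stock Windows content
    'blocked'   : a local sink address for any other name; legitimate in
                  ad-block lists, but malware uses it to cut off AV updates
    'redirected': a routable address; the name is silently resolved to
                  someone else's host, which is the Qhost behaviour
    """
    result = {"expected": [], "blocked": [], "redirected": []}
    for ip, name in entries:
        if ip in LOCAL_SINKS and name == "localhost":
            result["expected"].append((str(ip), name))
        elif ip in LOCAL_SINKS:
            result["blocked"].append((str(ip), name))
        else:
            result["redirected"].append((str(ip), name))
    return result


def report(text):
    """Return (buckets, hijacked) for hosts-file text; any redirect is a hijack."""
    buckets = classify(parse_hosts(text))
    return buckets, bool(buckets["redirected"])


if __name__ == "__main__":
    buckets, hijacked = report(SAMPLE_HOSTS)
    for bucket, items in buckets.items():
        for ip, name in items:
            print(f"{bucket:10} {ip:16} {name}")
    print("verdict:", "HIJACKED" if hijacked else "clean")
```

On a home machine of this era the file should contain nothing but the localhost line, so the "blocked" bucket deserves a look as well: names of security vendors pinned to 127.0.0.1 are the usual way this family stops the victim from downloading a scanner, which matches the trouble reported earlier in the thread with ActiveScan failing to download.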
#27
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi again

Sorry about that, I'm not thinking straight.

Please copy and paste these instructions into a text file and then save it. This time do NOT reboot into Safe Mode.

3) Please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file that you created with these instructions in it, and copy the file names below to the clipboard by highlighting them all and pressing Control-C:

C:\WINDOWS\SYSTEM\IVV16.DLL
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\saie_kyf.dat
C:\WINDOWS\SYSTEM\NCWMSDRM.DLL
C:\WINDOWS\SYSTEM\MUJTES40.DLL
C:\WINDOWS\SYSTEM\NQRSSK.DLL
C:\WINDOWS\SYSTEM\NEWRSPT.DLL
C:\WINDOWS\SYSTEM\VGODCTL.DLL
C:\WINDOWS\SYSTEM\FJWPP.DLL
C:\WINDOWS\SYSTEM\DYGEST.DLL
C:\WINDOWS\SYSTEM\ZKPFLDR.DLL
C:\WINDOWS\SYSTEM\SFRRUN.DLL
C:\WINDOWS\SYSTEM\WTTRVRES.DLL
C:\WINDOWS\SYSTEM\DZCOMPOS.DLL
C:\WINDOWS\SYSTEM\RWR20.DLL
C:\WINDOWS\SYSTEM\SXOOLSS.DLL
C:\WINDOWS\SYSTEM\ljfil13n.dll
C:\WINDOWS\SYSTEM\pecrt.dll
C:\WINDOWS\SYSTEM\BGACKBOX.DLL
C:\WINDOWS\SYSTEM\ADI_DDAE.DLL
C:\WINDOWS\SYSTEM\MESCP.DLL
C:\WINDOWS\SYSTEM\AKI_3DAE.DLL
C:\WINDOWS\SYSTEM\TCUMBVW.DLL
C:\WINDOWS\SYSTEM\CORDS.DLL
C:\WINDOWS\SYSTEM\ivv16.dll
C:\WINDOWS\TEMP\pav6110.TMP
C:\WINDOWS\TEMP\pav6147.TMP
C:\WINDOWS\TEMP\pav3120.TMP
C:\WINDOWS\TEMP\pav3130.TMP
C:\WINDOWS\TEMP\pav5141.TMP
C:\WINDOWS\TEMP\pav51A5.TMP
C:\WINDOWS\TEMP\pav51C3.TMP
C:\WINDOWS\TEMP\pav5387.TMP
C:\WINDOWS\TEMP\pav6003.TMP
C:\WINDOWS\TEMP\pav6006.TMP
C:\WINDOWS\TEMP\pav62D3.TMP
C:\WINDOWS\TEMP\pav62E0.TMP
C:\WINDOWS\TEMP\pav6334.TMP
C:\WINDOWS\TEMP\pav6343.TMP
C:\WINDOWS\TEMP\pav7005.TMP
C:\WINDOWS\TEMP\pav7012.TMP
C:\WINDOWS\TEMP\pav7015.TMP
C:\WINDOWS\TEMP\pav7021.TMP
C:\WINDOWS\TEMP\pav7023.TMP
C:\WINDOWS\TEMP\pav7046.TMP
C:\WINDOWS\TEMP\pav7131.TMP
C:\WINDOWS\TEMP\pav7171.TMP
C:\WINDOWS\TEMP\pav7172.TMP
C:\WINDOWS\TEMP\pav10D4.TMP
C:\WINDOWS\TEMP\pav1115.TMP
C:\WINDOWS\TEMP\pav50E0.TMP
C:\WINDOWS\TEMP\pav5161.TMP
C:\WINDOWS\SYSTEM\guard.tmp


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

8) Please rerun the Panda ActiveScan as you did before and post its new log here for me.

Good Luck

UKBiker
#28
franklinagf
    Member
  • Topic Starter
  • Member
  • 34 posts
Also just found a folder called "localhost" which was modified on 7/11/2005 located at:

C:\WINDOWS\Application Data\Macromedia\Flash Player\#SharedObjects\K8FNRKE2\guestdesk.com

The localhost folder contains only 1 file: core
#29
franklinagf
    Member
  • Topic Starter
  • Member
  • 34 posts
MUCH BETTER!

Here's the new Panda log:


Incident Status Location

Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_kyf.dat
Adware:adware/savenow No disinfected HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.inf
Adware:Adware/PopCapLoader No disinfected C:\Program Files\HiJack This\backups\backup-20050714-103703-684.dll
#30
franklinagf
    Member
  • Topic Starter
  • Member
  • 34 posts
THANK YOU, THANK YOU, THANK YOU!!!!!! ;)

I deleted everything ActiveScan found in the last scan, disabled System Restore to get rid of everything there, then re-enabled it and created a new restore point.

I ran Panda ActiveScan again and it found nothing!
I ran SpySweeper again and it found nothing!

The only trouble I'm having is that Adaware freezes up before completing the scan but I'm working on that now!

The only trace of anything from NicTech left on my computer (I think!) is located at:
C:\WINDOWS\USER (the DAT file I mentioned earlier)

Is there anything I can do to get rid of it from there?

Thanks,
Angela :tazz: