
180 Solutions [RESOLVED]


This topic is locked

#1
lil_lost
Member, 33 posts
I have been working on a PC and it had Aurora and 180Solutions. I am pretty sure I have gotten rid of all of it except for the 4 registry keys. Unfortunately those 4 keys are allowing things to be added to the system so it can be a losing battle.
The keys are:
hkey_classes_root/clientax.required component.1
hkey_classes_root/clientax.required component
hkey_classes_root/clientax.clientInstaller.1
hkey_classes_root/clientax.clientInstaller

In safe mode I ran updated files of Adaware, Spybot, Ewido, AVG, Cleanup!, CWShredder and WhenU remove.
All come up clean now except for those 4 keys. Even if spybot and Adaware run before booting or in safe mode they will not remove them and I cannot manually remove them.

Sorry, I don't have the PC right here so I can't run Hijack This. Any ideas are appreciated.
Thank you


#2
don77
Malware Expert, Retired Staff, 18,526 posts
Hi and welcome lil_lost

See if this Removal Tool will clean them up for you,

If not,
Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now".
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.

#3
lil_lost
Topic Starter, Member, 33 posts
Will do.

If you could, where on Symantec's site did you find that removal tool? I have looked and come up empty.

Thanks

#4
don77
Malware Expert, Retired Staff, 18,526 posts
http://sarc.com/avce....180search.html

#5
lil_lost
Topic Starter, Member, 33 posts
The clean tool found no records of 180Solutions. Thankfully SpySweeper did. Here is the log. I am looking into those registry keys. HOLY SNIKIES BATMAN!! The registry keys are gone. Let me know if you see anything in this log.
Thanks

********
8:06 PM: |··· Start of Session, Thursday, July 14, 2005 ···|
8:06 PM: Spy Sweeper started
8:06 PM: Sweep initiated using definitions version 504
8:06 PM: Starting Memory Sweep
8:08 PM: Memory Sweep Complete, Elapsed Time: 00:01:32
8:08 PM: Starting Registry Sweep
8:08 PM: Registry Sweep Complete, Elapsed Time:00:00:12
8:08 PM: Starting Cookie Sweep
8:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:08 PM: Starting File Sweep
8:08 PM: Found Adware: dealhelper
8:08 PM: 00094983.xml (ID = 4003077)
8:08 PM: Found Adware: roings search enhancment
8:08 PM: 00094908.ocx (ID = 4021685)
8:08 PM: Found Adware: delfin
8:08 PM: 00094608.old (ID = 4003119)
8:08 PM: 00094800.ocx (ID = 4003181)
8:08 PM: 00094981.xml (ID = 4003079)
8:08 PM: 00094798.exe (ID = 4003213)
8:08 PM: 00094802.dbd (ID = 4003119)
8:08 PM: Found Adware: purityscan
8:08 PM: 00094834.exe (ID = 4020770)
8:09 PM: Warning: Failed to read file "c:\windows\system32\dozqeb.exe". System Error. Code: 5.
Access is denied
8:09 PM: 00094906.inf (ID = 4021654)
8:09 PM: 00094832.inf (ID = 4020649)
8:09 PM: 00094622.exe (ID = 4003244)
8:09 PM: 00094828.inf (ID = 4020649)
8:10 PM: 00094979.xml (ID = 4003074)
8:10 PM: Found Adware: targetsaver
8:10 PM: 00094923.exe (ID = 4026546)
8:10 PM: 00094977.exe (ID = 4003070)
8:10 PM: 00094620.dll (ID = 4003184)
8:10 PM: 00094975.xml (ID = 4003073)
8:10 PM: Warning: Failed to read file "c:\windows\system32\msdirectx.sys". System Error. Code: 5.
Access is denied
8:10 PM: 00094973.xml (ID = 4003074)
8:10 PM: 00094903.inf (ID = 4021654)
8:10 PM: 00094971.xml (ID = 4003078)
8:10 PM: 00094969.xml (ID = 4003077)
8:10 PM: 00094967.xml (ID = 4003077)
8:10 PM: 00094792.dbd (ID = 4003124)
8:10 PM: 00094965.xml (ID = 4003076)
8:10 PM: 00094963.xml (ID = 4003076)
8:10 PM: 00094790.dbd (ID = 4003125)
8:10 PM: 00094961.xml (ID = 4003075)
8:10 PM: 00094959.xml (ID = 4003076)
8:10 PM: 00094618.exe (ID = 4003185)
8:10 PM: 00094901.exe (ID = 4021808)
8:10 PM: Warning: Failed to read file "c:\windows\optimize.exe". System Error. Code: 5.
Access is denied
8:10 PM: 00094957.xml (ID = 4003073)
8:10 PM: 00094955.xml (ID = 4003074)
8:11 PM: Found Adware: shopathomeselect
8:11 PM: 00094989.dll (ID = 4023414)
8:11 PM: 00094953.exe (ID = 4003046)
8:11 PM: 00094951.xml (ID = 4003075)
8:11 PM: 00094899.inf (ID = 4021654)
8:11 PM: 00094949.xml (ID = 4003078)
8:11 PM: 00094947.xml (ID = 4003073)
8:11 PM: 00094945.xml (ID = 4003075)
8:11 PM: 00094943.xml (ID = 4003078)
8:11 PM: 00094941.xml (ID = 4003072)
8:11 PM: 00094939.xml (ID = 4003072)
8:11 PM: 00094937.xml (ID = 4003072)
8:11 PM: 00094782.ddx (ID = 4003117)
8:11 PM: 00094779.ddx (ID = 4003116)
8:11 PM: 00094775.ddx (ID = 4003116)
8:11 PM: Found Adware: elitebar
8:11 PM: 00094871.osd (ID = 4005609)
8:11 PM: 00094869.osd (ID = 4005609)
8:11 PM: 00094867.osd (ID = 4005609)
8:11 PM: 00094637.ddx (ID = 4003112)
8:11 PM: 00094635.ddx (ID = 4003112)
8:11 PM: 00094633.ddx (ID = 4003112)
8:11 PM: 00094631.ddx (ID = 4003111)
8:11 PM: 00094602.ddx (ID = 4003112)
8:11 PM: 00094603.ddx (ID = 4003112)
8:11 PM: 00094604.ddx (ID = 4003112)
8:11 PM: 00094605.ddx (ID = 4003112)
8:11 PM: 00094606.ddx (ID = 4003112)
8:11 PM: 00094607.ddx (ID = 4003112)
8:11 PM: 00094629.ddx (ID = 4003112)
8:11 PM: 00094627.ddx (ID = 4003112)
8:11 PM: File Sweep Complete, Elapsed Time: 00:02:51
8:11 PM: Full Sweep has completed. Elapsed time 00:04:42
8:11 PM: Traces Found: 61
8:15 PM: Removal process initiated
8:15 PM: Quarantining All Traces: dealhelper
8:16 PM: Quarantining All Traces: roings search enhancment
8:16 PM: Quarantining All Traces: delfin
8:16 PM: Quarantining All Traces: purityscan
8:16 PM: Quarantining All Traces: targetsaver
8:16 PM: Quarantining All Traces: shopathomeselect
8:16 PM: Quarantining All Traces: elitebar
8:16 PM: Removal process completed. Elapsed time 00:00:33
********
7:55 PM: |··· Start of Session, Thursday, July 14, 2005 ···|
7:55 PM: Spy Sweeper started
7:55 PM: Sweep initiated using definitions version 504
7:56 PM: Starting Memory Sweep
7:56 PM: Found Adware: delfin
7:56 PM: Detected running threat: C:\WINDOWS\system32\nsvsvc\nsvsvc.exe (ID = 4003185)
7:56 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Nsv (ID = 0)
7:56 PM: Detected running threat: C:\WINDOWS\system32\nsvsvc\nsvs.dll (ID = 4003184)
7:56 PM: Detected running threat: C:\WINDOWS\system32\vidctrl\vidctrl.exe (ID = 4003244)
7:56 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || vidctrl (ID = 0)
7:57 PM: Found Adware: purityscan
7:57 PM: Detected running threat: C:\WINDOWS\system32\F?nts\tracert.exe (ID = 1003)
7:57 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Run || Eydesfks (ID = 0)
7:58 PM: Memory Sweep Complete, Elapsed Time: 00:02:03
7:58 PM: Starting Registry Sweep
7:58 PM: Found Adware: apropos
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\aprps\ (7 subtraces) (ID = 4270105)
7:58 PM: HKU\S-1-5-18\software\aprps\ (7 subtraces) (ID = 4270105)
7:58 PM: HKCR\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 4291397)
7:58 PM: HKCR\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 4291398)
7:58 PM: HKCR\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 4291399)
7:58 PM: HKCR\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 4291400)
7:58 PM: HKLM\software\classes\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}\ (3 subtraces) (ID = 4291401)
7:58 PM: HKLM\software\classes\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}\ (21 subtraces) (ID = 4291402)
7:58 PM: HKLM\software\classes\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 4291403)
7:58 PM: HKLM\software\classes\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 4291404)
7:58 PM: HKLM\software\classes\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 4291405)
7:58 PM: HKLM\software\classes\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 4291406)
7:58 PM: HKLM\software\microsoft\windows\currentversion\run\ || nsv (ID = 4291426)
7:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\displayutility\ (2 subtraces) (ID = 4291439)
7:58 PM: HKLM\software\motoin\ (2 subtraces) (ID = 4291443)
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\mvu\ (5 subtraces) (ID = 4291444)
7:58 PM: HKLM\software\mvu\ (5 subtraces) (ID = 4291445)
7:58 PM: HKLM\software\vidctrl\ (3 subtraces) (ID = 4291457)
7:58 PM: HKCR\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 4291460)
7:58 PM: HKCR\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 4291461)
7:58 PM: Found Adware: elitebar
7:58 PM: HKCR\clsid\{02c20140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 4292231)
7:58 PM: HKCR\interface\{a74cd7de-ea6f-11d4-abf3-000102378429}\ (8 subtraces) (ID = 4292242)
7:58 PM: HKCR\plot.plotctrl.1\ (3 subtraces) (ID = 4292249)
7:58 PM: HKLM\software\classes\clsid\{02c20140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 4292261)
7:58 PM: HKLM\software\classes\interface\{a74cd7de-ea6f-11d4-abf3-000102378429}\ (8 subtraces) (ID = 4292272)
7:58 PM: HKLM\software\classes\plot.plotctrl.1\ (3 subtraces) (ID = 4292278)
7:58 PM: HKLM\software\classes\typelib\{a74cd7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 4292280)
7:58 PM: HKLM\software\microsoft\code store database\distribution units\v3cab\ (12 subtraces) (ID = 4292284)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/v3.dll\ (2 subtraces) (ID = 4292295)
7:58 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\v3.dll (ID = 4292306)
7:58 PM: HKCR\typelib\{a74cd7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 4292315)
7:58 PM: Found Adware: drsnsrch.com hijacker
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 4294809)
7:58 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 4294809)
7:58 PM: Found Adware: istbar
7:58 PM: HKCR\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 4295688)
7:58 PM: HKCR\interface\{0985c112-2562-46f2-8da6-92648ba4630f}\ (8 subtraces) (ID = 4295700)
7:58 PM: HKCR\istx.installer\ (3 subtraces) (ID = 4295711)
7:58 PM: HKLM\software\classes\clsid\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (6 subtraces) (ID = 4295717)
7:58 PM: HKLM\software\classes\interface\{0985c112-2562-46f2-8da6-92648ba4630f}\ (8 subtraces) (ID = 4295724)
7:58 PM: HKLM\software\classes\istx.installer\ (3 subtraces) (ID = 4295734)
7:58 PM: HKLM\software\classes\istx.installer\clsid\ (1 subtraces) (ID = 4295735)
7:58 PM: HKLM\software\classes\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (9 subtraces) (ID = 4295741)
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\ist\ (1 subtraces) (ID = 4295746)
7:58 PM: HKLM\software\microsoft\code store database\distribution units\{7c559105-9ecf-42b8-b3f7-832e75edd959}\ (10 subtraces) (ID = 4295752)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/istactivex.dll\ (2 subtraces) (ID = 4295765)
7:58 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\istactivex.dll (ID = 4295815)
7:58 PM: HKCR\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (9 subtraces) (ID = 4295832)
7:58 PM: Found Adware: 180search assistant
7:58 PM: HKCR\clientax.clientinstaller.1\ (3 subtraces) (ID = 4302317)
7:58 PM: HKCR\clientax.clientinstaller\ (5 subtraces) (ID = 4302318)
7:58 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 4302319)
7:58 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 4302320)
7:58 PM: HKLM\software\classes\clientax.clientinstaller.1\ (3 subtraces) (ID = 4302345)
7:58 PM: HKLM\software\classes\clientax.clientinstaller\ (5 subtraces) (ID = 4302346)
7:58 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 4302347)
7:58 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 4302348)
7:58 PM: Found System Monitor: networkessentials
7:58 PM: HKLM\software\novo\ (23 subtraces) (ID = 4302939)
7:58 PM: HKLM\software\np\ (2 subtraces) (ID = 4302940)
7:58 PM: Found Adware: popup killer
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\ultimate popup killer\ (3 subtraces) (ID = 4303638)
7:58 PM: HKCR\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 4303994)
7:58 PM: HKCR\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 4304036)
7:58 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 4304215)
7:58 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 4304216)
7:58 PM: HKCR\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 4304219)
7:58 PM: HKLM\software\classes\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 4304336)
7:58 PM: HKLM\software\classes\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 4304371)
7:58 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 4304546)
7:58 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 4304547)
7:58 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 4304548)
7:58 PM: HKLM\software\classes\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 4304551)
7:58 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 4304555)
7:58 PM: HKLM\software\clickspring\ (2 subtraces) (ID = 4304567)
7:58 PM: HKLM\software\microsoft\code store database\distribution units\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (14 subtraces) (ID = 4304572)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/conflict.1/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 4304853)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 4304855)
7:58 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 4305961)
7:58 PM: Found Adware: roings search enhancment
7:58 PM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 4306926)
7:58 PM: HKCR\clsid\{e0ce16cb-741c-4b24-8d04-a817856e07f4}\ (5 subtraces) (ID = 4306932)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 4306974)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 4306975)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 4306976)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 4306977)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 4306978)
7:58 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 4306979)
7:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media-motor\ (2 subtraces) (ID = 4307100)
7:58 PM: HKLM\software\mm\ (1 subtraces) (ID = 4307103)
7:58 PM: Found Adware: bho_sep
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\sep\ (9 subtraces) (ID = 4308588)
7:58 PM: HKU\S-1-5-18\software\sep\ (9 subtraces) (ID = 4308588)
7:58 PM: Found Adware: surfaccuracy
7:58 PM: HKLM\software\sacc\ (8 subtraces) (ID = 4310428)
7:58 PM: Found Adware: surf accuracy
7:58 PM: HKLM\software\sacc\ (8 subtraces) (ID = 4310432)
7:58 PM: Found Adware: targetsaver
7:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 4310676)
7:58 PM: HKU\S-1-5-21-1123561945-838170752-1417001333-1004\software\tsl2\ (1 subtraces) (ID = 4310684)
7:58 PM: Found Adware: targetsoft
7:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 4310691)
7:58 PM: Found Adware: teenxxx (tinybar)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/istactivex.dll\ (2 subtraces) (ID = 4310722)
7:58 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\istactivex.dll (ID = 4310725)
7:58 PM: Found Trojan Horse: trojan-backdoor-soundcheck
7:58 PM: HKU\S-1-5-18\software\microsoft\ole\ || compaq32 service drivers (ID = 4311326)
7:58 PM: HKLM\software\microsoft\ole\ || compaq32 service drivers (ID = 4311328)
7:58 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || compaq32 service drivers (ID = 4311330)
7:58 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runservices\ || compaq32 service drivers (ID = 4311334)
7:58 PM: HKU\S-1-5-18\system\currentcontrolset\control\lsa\ || compaq32 service drivers (ID = 4311338)
7:58 PM: HKLM\system\currentcontrolset\control\lsa\ || compaq32 service drivers (ID = 4311340)
7:58 PM: HKLM\system\currentcontrolset\services\msdirectx\ (11 subtraces) (ID = 4311342)
7:58 PM: Found Adware: abetterinternet
7:58 PM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 4313356)
7:58 PM: Found Adware: winad
7:58 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4314405)
7:58 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 4314422)
7:58 PM: HKLM\software\media gateway\ (2 subtraces) (ID = 4314437)
7:58 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (12 subtraces) (ID = 4314440)
7:58 PM: Found Adware: yoursitebar
7:58 PM: HKCR\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (6 subtraces) (ID = 4315114)
7:58 PM: HKLM\software\classes\ysbactivex.installer\ (3 subtraces) (ID = 4315134)
7:58 PM: HKLM\software\microsoft\code store database\distribution units\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (10 subtraces) (ID = 4315135)
7:58 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 4315139)
7:58 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 4315143)
7:58 PM: HKCR\ysbactivex.installer\ (3 subtraces) (ID = 4315155)
7:58 PM: Registry Sweep Complete, Elapsed Time:00:00:17
7:58 PM: Starting Cookie Sweep
7:58 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:58 PM: Starting File Sweep
7:58 PM: c:\program files\aprps (15 subtraces) (ID = 3994820)
7:58 PM: c:\windows\system32\nsvsvc (4 subtraces) (ID = 4003302)
7:58 PM: c:\documents and settings\all users\application data\nsv (16 subtraces) (ID = 4003285)
7:58 PM: c:\windows\system32\vidctrl (1 subtraces) (ID = 4003304)
7:58 PM: 00094324.old (ID = 4003119)
7:58 PM: m67m.ocx (ID = 4021685)
7:58 PM: 00092943.old (ID = 4003119)
7:58 PM: 00092972.old (ID = 4003119)
7:58 PM: 00093001.old (ID = 4003119)
7:58 PM: 00093482.old (ID = 4003119)
7:58 PM: 00092916.old (ID = 4003119)
7:58 PM: Found Adware: dealhelper
7:58 PM: hwjsvku1.xml (ID = 4003077)
7:58 PM: m67m.ocx (ID = 4021685)
7:58 PM: wmv1215.dbd (ID = 4003119)
7:58 PM: nsv.ocx (ID = 4003181)
7:58 PM: abiuninst.htm (ID = 4031749)
7:58 PM: kuqtfsu3.xml (ID = 4003079)
7:58 PM: removedisplayutility.exe (ID = 4003213)
7:58 PM: istactivex.dll (ID = 4010861)
7:59 PM: shex.exe (ID = 4020770)
7:59 PM: Warning: Failed to read file "c:\windows\system32\dozqeb.exe". System Error. Code: 5.
Access is denied
7:59 PM: 00094142.old (ID = 4003119)
7:59 PM: m67m.inf (ID = 4021654)
7:59 PM: mediaticketsinstaller.inf (ID = 4020649)
7:59 PM: ransy.reg (ID = 4039286)
7:59 PM: mediaticketsinstaller.ocx (ID = 4020654)
7:59 PM: vidctrl.exe (ID = 4003244)
7:59 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || vidctrl (ID = 0)
7:59 PM: mediaticketsinstaller.inf (ID = 4020649)
7:59 PM: ldhiuhk1.xml (ID = 4003074)
7:59 PM: tsuninst.exe (ID = 4026546)
7:59 PM: whwvvq.exe (ID = 4003070)
7:59 PM: Found Adware: internetoptimizer
7:59 PM: optimize.exe_tobedeleted (ID = 4010252)
7:59 PM: m67m.inf (ID = 4021654)
7:59 PM: nsvs.dll (ID = 4003184)
7:59 PM: hwjsvkk.xml (ID = 4003073)
7:59 PM: Warning: Failed to read file "c:\windows\system32\msdirectx.sys". System Error. Code: 5.
Access is denied
7:59 PM: hwjsvkk1.xml (ID = 4003074)
8:00 PM: 0006_regular[1].cab (ID = 4010731)
8:00 PM: m67m.inf (ID = 4021654)
8:00 PM: 00092737.exe (ID = 4003213)
8:00 PM: hwjsvku2.xml (ID = 4003078)
8:00 PM: ldhiuhu1.xml (ID = 4003077)
8:00 PM: kuqtfsu1.xml (ID = 4003077)
8:00 PM: 00092786.old (ID = 4003120)
8:00 PM: 00092764.old (ID = 4003125)
8:00 PM: wmv1920.dbd (ID = 4003124)
8:00 PM: Found Adware: weirdontheweb
8:00 PM: dc38.exe (ID = 4036746)
8:00 PM: kuqtfsu.xml (ID = 4003076)
8:00 PM: ldhiuhu.xml (ID = 4003076)
8:00 PM: wmv2007.dbd (ID = 4003125)
8:00 PM: 00094407.old (ID = 4003125)
8:00 PM: wingenerics.dll (ID = 3994816)
8:00 PM: 00092825.old (ID = 4003119)
8:00 PM: ldhiuhk2.xml (ID = 4003075)
8:00 PM: dc2.exe (ID = 3994628)
8:00 PM: hwjsvku.xml (ID = 4003076)
8:00 PM: nsvsvc.exe (ID = 4003185)
8:00 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Nsv (ID = 0)
8:00 PM: 00092801.exe (ID = 4003171)
8:00 PM: 00094213.old (ID = 4003125)
8:00 PM: unstall.exe (ID = 4021808)
8:00 PM: setup.inf (ID = 3994785)
8:00 PM: dc4.exe (ID = 3994674)
8:00 PM: Warning: Failed to read file "c:\windows\optimize.exe". System Error. Code: 5.
Access is denied
8:00 PM: kuqtfsk.xml (ID = 4003073)
8:00 PM: kuqtfsk1.xml (ID = 4003074)
8:00 PM: Found Adware: shopathomeselect
8:00 PM: 52a4hese.dll (ID = 4023414)
8:00 PM: kuqtfs.exe (ID = 4003046)
8:00 PM: Found Adware: sexfiles dialers
8:00 PM: dating.lnk (ID = 4023177)
8:00 PM: Found Adware: powerscan
8:00 PM: power scan.lnk (ID = 4020087)
8:00 PM: weirdontheweb.url (ID = 4036745)
8:00 PM: hwjsvkk2.xml (ID = 4003075)
8:00 PM: m67m.inf (ID = 4021654)
8:00 PM: ldhiuhu2.xml (ID = 4003078)
8:00 PM: ldhiuhk.xml (ID = 4003073)
8:00 PM: kuqtfsk2.xml (ID = 4003075)
8:00 PM: kuqtfsu2.xml (ID = 4003078)
8:00 PM: ldhiuhdk.xml (ID = 4003072)
8:00 PM: kuqtfsdk.xml (ID = 4003072)
8:01 PM: File Sweep Complete, Elapsed Time: 00:02:41
8:01 PM: Full Sweep has completed. Elapsed time 00:05:09
8:01 PM: Traces Found: 1028
8:01 PM: Removal process initiated
8:02 PM: Quarantining All Traces: delfin
8:02 PM: Quarantining All Traces: purityscan
8:02 PM: Quarantining All Traces: apropos
8:02 PM: Quarantining All Traces: elitebar
8:02 PM: Quarantining All Traces: drsnsrch.com hijacker
8:02 PM: Quarantining All Traces: istbar
8:02 PM: Quarantining All Traces: 180search assistant
8:02 PM: Quarantining All Traces: networkessentials
8:02 PM: Quarantining All Traces: popup killer
8:02 PM: Quarantining All Traces: roings search enhancment
8:03 PM: Quarantining All Traces: bho_sep
8:03 PM: Quarantining All Traces: surfaccuracy
8:03 PM: Quarantining All Traces: surf accuracy
8:03 PM: Quarantining All Traces: targetsaver
8:03 PM: Quarantining All Traces: targetsoft
8:03 PM: Quarantining All Traces: teenxxx (tinybar)
8:03 PM: Quarantining All Traces: trojan-backdoor-soundcheck
8:03 PM: Quarantining All Traces: abetterinternet
8:03 PM: Quarantining All Traces: winad
8:03 PM: Quarantining All Traces: yoursitebar
8:03 PM: Quarantining All Traces: dealhelper
8:03 PM: Quarantining All Traces: internetoptimizer
8:03 PM: Quarantining All Traces: weirdontheweb
8:03 PM: Quarantining All Traces: shopathomeselect
8:03 PM: Quarantining All Traces: sexfiles dialers
8:03 PM: Quarantining All Traces: powerscan
8:03 PM: Preparing to restart your computer. Please wait...
8:03 PM: Removal process completed. Elapsed time 00:01:55
********
7:54 PM: |··· Start of Session, Thursday, July 14, 2005 ···|
7:54 PM: Spy Sweeper started
7:54 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000001. Read of address 00000001
7:55 PM: Processing Hosts File Alerts
7:55 PM: |··· End of Session, Thursday, July 14, 2005 ···|
  • 0

#6
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I ran HJT and I can see it is still here in some places. No worries, I am not going to mess with it. I know I hate it when people do that and I am helping them. I am however going to research some of the stuff on the log.

AVG is still pulling up some Trojans, so I am going to get rid of those. I will keep checking back here to see what you have to say; hopefully we can meet up again and get this tackled.
  • 0

#7
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please post a HJT log. It was unable to clean a few things that we need to get a look at.
  • 0

#8
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I have an old version of HJT; I can't seem to DL the latest one. Let me try from another PC. Be right back with that, hopefully.
  • 0

#9
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:02:56 PM, on 07/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ouip\iomu.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [WEB DRIVERS FOR WIN32] phqgh.exe
O4 - HKLM\..\RunServices: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\RunServices: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [Oust] C:\Program Files\ouip\iomu.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://www.windowsupdate.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.shar...ver/Install.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Managing FAT and NTFS partitions (Defragmentation Manager) - Unknown owner - C:\WINDOWS\System32\dfrgfat16.exe (file missing)
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINDOWS\System32\lsasrv.exe (file missing)
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
  • 0
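As an added example (not part of the thread, and not code from HijackThis or any tool mentioned here): a small Python triage script that applies, to a few lines copied from the HijackThis log above, the checks an analyst makes by eye on such a log: O4 autorun entries whose command is a bare filename with no path, entries under the Windows 9x-era RunServices key, entry names padded with whitespace, and O23 services with no vendor and a missing binary. The regexes and function names are my own.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log posted above (post #9).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINDOWS\System32\lsasrv.exe (file missing)
"""

# O4 - <hive>\..\<Run key>: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# O23 - Service: <display name> - <vendor> - <binary path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")


def executable(cmd: str) -> str:
    """Program part of an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def review_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every heuristic a line trips."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            _hive, key, name, cmd = m.groups()
            if "\\" not in executable(cmd):
                # Bare filename: resolved via PATH; legitimate installers register a full path.
                findings.append((line, "autorun command is a bare filename, no path"))
            if key == "RunServices":
                # RunServices is only processed by Windows 9x/ME; odd on an XP box.
                findings.append((line, "RunServices entry on an NT-family system"))
            if name != name.strip():
                findings.append((line, "entry name padded with whitespace"))
            continue
        m = O23_RE.match(line)
        if m:
            _svc, owner, _path, missing = m.groups()
            if owner == "Unknown owner" and missing:
                findings.append((line, "service with no vendor and missing binary"))
    return findings
```

On the sample above it flags the phqghu.exe and mswin32.exe autoruns and the bogus "LSA Server" service, and leaves the AVG and Messenger entries alone.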

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Why are you running 2 Anti Virus programs? Is Norton working properly?
I'm looking over your log now, but I was curious if you can access Norton's web site?
  • 0

#11
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I am working on this computer for someone.

It has Norton 2003 on it BUT it is not functioning at all and wasn't when I started on it. So I loaded AVG and that is what is running. Which is good, because the Norton was clueless it was even infected.

I think I can access their site. Yes, it appears that I can.
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK, good. Norton has a removal tool for this I would like to try first; if no luck we will go with the manual method of killing this.

Download this fxmytbar and save it to your Desktop.

Disable System Restore: http://service1.syma...src=sec_doc_nam

Disconnect from the internet: unplug the phone line or cable.

Locate the file that you just downloaded.
Double-click the fxmytbar.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
Re-enable System Restore.
Plug the phone line or cable back in, check Norton for updates and run a full system scan with it please.

In the folder that was created with the removal tool there should be a log showing what it found and deleted. Please post that back with a fresh HJT log.
  • 0

#13
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
fxmytbar found no traces; the log is empty.

The computer is still disconnected from the internet and I updated it manually since I already had the files burned. When I launch Norton I get an ActiveX error. Then it goes into the page but the column that normally gives you the dates and status of the components just says refreshing and will not change. I will go ahead and try to run the scan. There is also still one Trojan I cannot get rid of, it is in msdirectx.sys and will not delete. I am trying to track down the process to stop it and delete it.
  • 0

#14
lil_lost

lil_lost

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Norton will not run at all either.
  • 0

#15
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

There is also still one Trojan I cannot get rid of, it is in msdirectx.sys and will not delete. I am trying to track down the process to stop it and delete it.


That's the one we are after right now. Give me a couple minutes.
  • 0