Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unwanted window popups [RESOLVED]


  • This topic is locked This topic is locked

#1
julemarts

julemarts

    Member

  • Member
  • PipPip
  • 16 posts
I obtained a virus that causes windows to pop up all time, even when I am not online. "lockx" has been listed in the running program at times. I ran the adaware and trojan hunter and other programs, but it is still there. Here is the file log from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 9:42:58 PM, on 9/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\FILTER7.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\HBTOOLS\BIN\4.7.0.0\HBTHOSTIE.DLL (file missing)
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [IENW32.EXE] C:\WINDOWS\IENW32.EXE /s
O4 - HKLM\..\RunServices: [IPYB.EXE] C:\WINDOWS\SYSTEM\IPYB.EXE /s
O4 - HKLM\..\RunServices: [CRNP32.EXE] C:\WINDOWS\SYSTEM\CRNP32.EXE /s
O4 - HKLM\..\RunServices: [APICL32.EXE] C:\WINDOWS\APICL32.EXE /s
O4 - HKLM\..\RunServices: [CRDL32.EXE] C:\WINDOWS\CRDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKLS32.EXE] C:\WINDOWS\SDKLS32.EXE /s
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (HbtInstObj) - http://installs.hotb...ams/hbtools.cab

Thanks for any help you can provide !
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
julemarts

julemarts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Here is the latest Hijack This log.

Yes, I am still having the problem. Thanks again for any help

Julemarts.

----------------

Logfile of HijackThis v1.99.1
Scan saved at 10:16:52 PM, on 10/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\FILTER7.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\0E3IDNLQ.EXE
C:\WINDOWS\SYSTEM\CXDXREGT.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\SYSTEM\QLINK32.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\HBTOOLS\BIN\4.7.0.0\HBTHOSTIE.DLL (file missing)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [0e3idnlq] C:\WINDOWS\SYSTEM\0e3idnlq.exe
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\SYSTEM\stb.exe
O4 - HKLM\..\RunServices: [IENW32.EXE] C:\WINDOWS\IENW32.EXE /s
O4 - HKLM\..\RunServices: [IPYB.EXE] C:\WINDOWS\SYSTEM\IPYB.EXE /s
O4 - HKLM\..\RunServices: [CRNP32.EXE] C:\WINDOWS\SYSTEM\CRNP32.EXE /s
O4 - HKLM\..\RunServices: [APICL32.EXE] C:\WINDOWS\APICL32.EXE /s
O4 - HKLM\..\RunServices: [CRDL32.EXE] C:\WINDOWS\CRDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKLS32.EXE] C:\WINDOWS\SDKLS32.EXE /s
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\TEMP\zxinst12.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://<a style='text-decoration: none; border-bottom: 3px double;' href="http://www.qklinkser...oad games&st=1" onmouseover="window.status='Search for: download.games'; self.ql_skeyphrase='download%20games'; if(window.event) self.ql_sevent=window.event.srcElement; self.ql_timeout = setTimeout('ql_doMouseOver(1)', 1000); self.ql_isOverLink=true; return true;" onclick="if(self.ql_timeout) clearTimeout(self.ql_timeout); self.ql_isOverTip = false; ql_closeiframe(); self.ql_skeyphrase='download%20games'; window.status='Search for: download.games';return true;" onmouseout="window.status=''; if(self.ql_timeout) clearTimeout(self.ql_timeout); self.ql_isOverTip = false; setTimeout('ql_closeiframe()', 1500); ">download.games</a>.yahoo.com/games/<a style='text-decoration: none; border-bottom: 3px double;' href="http://www.qklinkser...web games&st=1" onmouseover="window.status='Search for: web_games'; self.ql_skeyphrase='web%20games'; if(window.event) self.ql_sevent=window.event.srcElement; self.ql_timeout = setTimeout('ql_doMouseOver(1)', 1000); self.ql_isOverLink=true; return true;" onclick="if(self.ql_timeout) clearTimeout(self.ql_timeout); self.ql_isOverTip = false; ql_closeiframe(); self.ql_skeyphrase='web%20games'; window.status='Search for: web_games';return true;" onmouseout="window.status=''; if(self.ql_timeout) clearTimeout(self.ql_timeout); self.ql_isOverTip = false; setTimeout('ql_closeiframe()', 1500); ">web_games</a>/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (HbtInstObj) - http://installs.hotb...ams/hbtools.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\QLINK32.DLL
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log has become a bit busier since the first time you posted it. Let's get you fixed up. :tazz:


Please click Start -> Control Panel -> Add/Remove programs and remove these programs if listed.

Web Tools from HotBar
Surf Side Kick
Shopper Reports




Next, please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
    O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\SYSTEM\QLINK32.DLL
    O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\HBTOOLS\BIN\4.7.0.0\HBTHOSTIE.DLL (file missing)
    O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.0.0\HbtOEAddOn.exe
    O4 - HKLM\..\Run: [0e3idnlq] C:\WINDOWS\SYSTEM\0e3idnlq.exe
    O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
    O4 - HKLM\..\Run: [stb] C:\WINDOWS\SYSTEM\stb.exe
    O4 - HKLM\..\RunServices: [IENW32.EXE] C:\WINDOWS\IENW32.EXE /s
    O4 - HKLM\..\RunServices: [IPYB.EXE] C:\WINDOWS\SYSTEM\IPYB.EXE /s
    O4 - HKLM\..\RunServices: [CRNP32.EXE] C:\WINDOWS\SYSTEM\CRNP32.EXE /s
    O4 - HKLM\..\RunServices: [APICL32.EXE] C:\WINDOWS\APICL32.EXE /s
    O4 - HKLM\..\RunServices: [CRDL32.EXE] C:\WINDOWS\CRDL32.EXE /s
    O4 - HKLM\..\RunServices: [SDKLS32.EXE] C:\WINDOWS\SDKLS32.EXE /s
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
    O4 - HKCU\..\RunServices: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
    O4 - Startup: Zstart.lnk = C:\WINDOWS\TEMP\zxinst12.exe
    O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (HbtInstObj) - http://installs.hotb...ams/hbtools.cab
    O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\QLINK32.DLL



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINDOWS\SYSTEM\IPYB.EXE
    C:\WINDOWS\SYSTEM\CRNP32.EXE
    C:\WINDOWS\SYSTEM\communicator.dll
    C:\WINDOWS\SYSTEM\QLINK32.DLL
    C:\WINDOWS\SYSTEM\0e3idnlq.exe
    C:\WINDOWS\SYSTEM\CXDXREGT.EXE
    C:\WINDOWS\SYSTEM\stb.exe
    C:\WINDOWS\IENW32.EXE
    C:\WINDOWS\APICL32.EXE
    C:\WINDOWS\CRDL32.EXE
    C:\WINDOWS\SDKLS32.EXE
    C:\PROGRAM FILES\HBTOOLS
    C:\PROGRAM FILES\HOTBAR
    C:\PROGRAM FILES\SHOPPER REPORTS
    C:\PROGRAM FILES\SURFSIDEKICK 3

Reboot your computer to go back to normal mode.



Please download and install Cleanup 4.0

Now run CleanUp
IMPORTANT!
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp


Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select YES
  • Close CleanUp



Please download the trial version of WebRoot SpySweeper
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Also post a new hijackthis log.
  • 0

#5
julemarts

julemarts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thanks for the help. It was tedious, but I think we are making progress.

Here is the HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:54 PM, on 10/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\FILTER7.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab



And here is the Session Log from WebRoot SpySweeper:

********
9:10 PM: |··· Start of Session, 10/4/05 9:10:11 PM ···|
9:10 PM: Spy Sweeper started
9:10 PM: Sweep initiated using definitions version 549
9:10 PM: Starting Memory Sweep
9:11 PM: Sweep Canceled
********
8:53 PM: |··· Start of Session, 10/4/05 8:53:30 PM ···|
8:53 PM: Spy Sweeper started
8:53 PM: Sweep initiated using definitions version 549
8:53 PM: Starting Memory Sweep
8:53 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
8:53 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK
8:54 PM: Found Adware: icannnews
8:54 PM: Detected running threat: C:\WINDOWS\SYSTEM\LXDIS11n.dll (ID = 157088)
8:55 PM: Detected running threat: C:\WINDOWS\SYSTEM\htsjvset.dll (ID = 157088)
8:59 PM: Memory Sweep Complete, Elapsed Time: 00:06:18
8:59 PM: Starting Registry Sweep
8:59 PM: Found Adware: winad
8:59 PM: HKLM\software\adtools service\ (2 subtraces) (ID = 103252)
8:59 PM: Found Adware: adtools
8:59 PM: HKLM\software\adtools service\ (2 subtraces) (ID = 103252)
9:00 PM: Found Adware: coolwebsearch (cws)
9:00 PM: HKCR\clsid\{66deb589-b6d4-e95e-2e36-26287464cd11}\ (2 subtraces) (ID = 107502)
9:00 PM: HKLM\software\classes\clsid\{66deb589-b6d4-e95e-2e36-26287464cd11}\ (2 subtraces) (ID = 108889)
9:00 PM: Found Adware: cws_ns3
9:00 PM: HKCR\clsid\{0b5c5d8e-38cb-964c-0902-24d9e96e6f3b}\ (2 subtraces) (ID = 117603)
9:00 PM: HKCR\clsid\{576846ba-17e1-4625-e44e-433dc7152ed6}\ (2 subtraces) (ID = 118641)
9:00 PM: HKCR\clsid\{cc6b2b65-2d60-cc2d-b4a6-7c0945964771}\ (2 subtraces) (ID = 119048)
9:00 PM: HKCR\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (2 subtraces) (ID = 119305)
9:00 PM: HKLM\software\classes\clsid\{0b5c5d8e-38cb-964c-0902-24d9e96e6f3b}\ (2 subtraces) (ID = 119483)
9:00 PM: HKLM\software\classes\clsid\{576846ba-17e1-4625-e44e-433dc7152ed6}\ (2 subtraces) (ID = 120488)
9:00 PM: HKLM\software\classes\clsid\{cc6b2b65-2d60-cc2d-b4a6-7c0945964771}\ (2 subtraces) (ID = 120885)
9:00 PM: HKLM\software\classes\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (2 subtraces) (ID = 121136)
9:01 PM: Found Adware: hotbar
9:01 PM: HKCR\appid\weatherontray.exe\ (1 subtraces) (ID = 127217)
9:01 PM: HKCR\appid\{0507fdde-f3b7-49f5-9e8f-c557e991f39b}\ (1 subtraces) (ID = 127218)
9:01 PM: HKCR\clsid\{0ab71193-ec19-4d70-85c2-e46e2ff02755}\ (20 subtraces) (ID = 127227)
9:01 PM: HKCR\clsid\{1e0004ec-5df0-48c7-a8f0-fbb0488a3d94}\ (11 subtraces) (ID = 127231)
9:01 PM: HKCR\clsid\{3fa917b9-df69-477f-9e4f-b60d929de79f}\ (23 subtraces) (ID = 127235)
9:01 PM: HKCR\clsid\{7e66936c-fea0-4984-ad26-7b6661ac5b2e}\ (26 subtraces) (ID = 127239)
9:01 PM: HKCR\clsid\{31a59636-0fa3-4a56-954d-db7ad02840d8}\ (14 subtraces) (ID = 127242)
9:01 PM: HKCR\clsid\{40d8240a-e3a0-4d59-ac55-0443120188d1}\ (11 subtraces) (ID = 127244)
9:01 PM: HKCR\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (17 subtraces) (ID = 127246)
9:01 PM: HKCR\clsid\{74cc49f7-eb32-4a08-b204-948962a6e3db}\ (11 subtraces) (ID = 127248)
9:01 PM: HKCR\clsid\{a14c0d8d-e753-4e73-9e2b-4070791d8940}\ (10 subtraces) (ID = 127261)
9:01 PM: HKCR\clsid\{c2baa4c9-ae1e-4605-ae2f-a1c49a30d881}\ (11 subtraces) (ID = 127267)
9:01 PM: HKCR\clsid\{fa16bce1-5e36-472a-8466-e0cdd5ce00e6}\ (10 subtraces) (ID = 127272)
9:01 PM: HKCR\hbcoresrv.dynamicprop.1\ (3 subtraces) (ID = 127276)
9:01 PM: HKCR\hbcoresrv.dynamicprop\ (5 subtraces) (ID = 127277)
9:01 PM: HKCR\hbtcoresrv.hbtcoreservices.1\ (3 subtraces) (ID = 127291)
9:01 PM: HKCR\hbtcoresrv.hbtcoreservices\ (5 subtraces) (ID = 127292)
9:01 PM: HKCR\hbtcoresrv.lfgax.1\ (3 subtraces) (ID = 127293)
9:01 PM: HKCR\hbtcoresrv.lfgax\ (5 subtraces) (ID = 127294)
9:01 PM: HKCR\hbthostie.bho.1\ (3 subtraces) (ID = 127295)
9:01 PM: HKCR\hbthostie.bho\ (5 subtraces) (ID = 127296)
9:01 PM: HKCR\hbthostol.hbtmailanim.1\ (3 subtraces) (ID = 127297)
9:01 PM: HKCR\hbthostol.hbtmailanim\ (5 subtraces) (ID = 127298)
9:01 PM: HKCR\hbthostol.hbtwebmailsend.1\ (3 subtraces) (ID = 127299)
9:01 PM: HKCR\hbthostol.hbtwebmailsend\ (5 subtraces) (ID = 127300)
9:01 PM: HKCR\hbtinstie.hbinstobj.1\ (3 subtraces) (ID = 127301)
9:01 PM: HKCR\hbtinstie.hbinstobj\ (5 subtraces) (ID = 127302)
9:01 PM: HKCR\hbtools.hbtcommband.1\ (3 subtraces) (ID = 127306)
9:01 PM: HKCR\hbtools.hbtcommband\ (5 subtraces) (ID = 127307)
9:01 PM: HKCR\hbtools.hbttravelcomparebar.1\ (3 subtraces) (ID = 127308)
9:01 PM: HKCR\hbtools.hbttravelcomparebar\ (5 subtraces) (ID = 127309)
9:01 PM: HKCR\hbtsrv.hbtcoreservices.1\ (3 subtraces) (ID = 127310)
9:01 PM: HKCR\hbtsrv.hbtcoreservices\ (5 subtraces) (ID = 127311)
9:01 PM: HKCR\hbttoolbar.hbthtmlmenuui.1\ (3 subtraces) (ID = 127312)
9:01 PM: HKCR\hbttoolbar.hbthtmlmenuui\ (5 subtraces) (ID = 127313)
9:01 PM: HKCR\hbttoolbar.hbttoolbarctl.1\ (3 subtraces) (ID = 127314)
9:01 PM: HKCR\hbttoolbar.hbttoolbarctl\ (5 subtraces) (ID = 127315)
9:01 PM: HKCR\hbttools.hbmain.1\ (3 subtraces) (ID = 127316)
9:01 PM: HKCR\hbttools.hbmain\ (5 subtraces) (ID = 127317)
9:01 PM: HKCR\interface\{3f04cbf7-cd62-4403-b090-b432dedcb159}\ (8 subtraces) (ID = 127325)
9:01 PM: HKCR\interface\{34f4d917-31e4-464c-b8b3-84c1ce76b395}\ (8 subtraces) (ID = 127334)
9:01 PM: HKCR\interface\{8578d35e-c6c0-4808-9a80-0f6c29a2c423}\ (8 subtraces) (ID = 127339)
9:01 PM: HKCR\interface\{bc190da5-0187-4d99-b3ac-6c45ea1b9324}\ (8 subtraces) (ID = 127353)
9:01 PM: HKCR\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127362)
9:01 PM: HKCR\rprtspsclient.psexecuter\ (5 subtraces) (ID = 127363)
9:01 PM: HKCR\shprrprts.hbax.1\ (3 subtraces) (ID = 127365)
9:01 PM: HKCR\shprrprts.hbax\ (5 subtraces) (ID = 127366)
9:01 PM: HKCR\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127369)
9:01 PM: HKCR\shprrprts.hbinfoband\ (5 subtraces) (ID = 127370)
9:01 PM: HKCR\shprrprts.iebutton.1\ (3 subtraces) (ID = 127371)
9:01 PM: HKCR\shprrprts.iebutton\ (5 subtraces) (ID = 127372)
9:01 PM: HKCR\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127373)
9:01 PM: HKCR\shprrprts.iebuttona\ (5 subtraces) (ID = 127374)
9:01 PM: HKCR\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127375)
9:01 PM: HKCR\shprrprts.smrtshprctl\ (5 subtraces) (ID = 127376)
9:01 PM: HKLM\software\classes\appid\weatherontray.exe\ (1 subtraces) (ID = 127380)
9:01 PM: HKLM\software\classes\appid\{0507fdde-f3b7-49f5-9e8f-c557e991f39b}\ (1 subtraces) (ID = 127381)
9:01 PM: HKLM\software\classes\clsid\{0ab71193-ec19-4d70-85c2-e46e2ff02755}\ (20 subtraces) (ID = 127393)
9:01 PM: HKLM\software\classes\clsid\{1e0004ec-5df0-48c7-a8f0-fbb0488a3d94}\ (11 subtraces) (ID = 127396)
9:01 PM: HKLM\software\classes\clsid\{3fa917b9-df69-477f-9e4f-b60d929de79f}\ (23 subtraces) (ID = 127399)
9:01 PM: HKLM\software\classes\clsid\{7e66936c-fea0-4984-ad26-7b6661ac5b2e}\ (26 subtraces) (ID = 127402)
9:01 PM: HKLM\software\classes\clsid\{31a59636-0fa3-4a56-954d-db7ad02840d8}\ (14 subtraces) (ID = 127405)
9:01 PM: HKLM\software\classes\clsid\{40d8240a-e3a0-4d59-ac55-0443120188d1}\ (11 subtraces) (ID = 127407)
9:01 PM: HKLM\software\classes\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (17 subtraces) (ID = 127409)
9:01 PM: HKLM\software\classes\clsid\{74cc49f7-eb32-4a08-b204-948962a6e3db}\ (11 subtraces) (ID = 127411)
9:01 PM: HKLM\software\classes\clsid\{460ac4db-b0de-4626-a0f0-175dd84dcb9b}\ (2 subtraces) (ID = 127416)
9:01 PM: HKLM\software\classes\clsid\{a14c0d8d-e753-4e73-9e2b-4070791d8940}\ (10 subtraces) (ID = 127425)
9:01 PM: HKLM\software\classes\clsid\{c2baa4c9-ae1e-4605-ae2f-a1c49a30d881}\ (11 subtraces) (ID = 127431)
9:01 PM: HKLM\software\classes\clsid\{ed8525ea-2bfc-4440-bd8a-20efb9d5e541}\ (11 subtraces) (ID = 127436)
9:01 PM: HKLM\software\classes\clsid\{fa16bce1-5e36-472a-8466-e0cdd5ce00e6}\ (10 subtraces) (ID = 127437)
9:01 PM: HKLM\software\classes\hbcoresrv.dynamicprop\ (5 subtraces) (ID = 127441)
9:01 PM: HKLM\software\classes\hbtcoresrv.hbtcoreservices.1\ (3 subtraces) (ID = 127457)
9:01 PM: HKLM\software\classes\hbtcoresrv.hbtcoreservices\ (5 subtraces) (ID = 127458)
9:01 PM: HKLM\software\classes\hbtcoresrv.lfgax.1\ (3 subtraces) (ID = 127459)
9:01 PM: HKLM\software\classes\hbtcoresrv.lfgax\ (5 subtraces) (ID = 127460)
9:01 PM: HKLM\software\classes\hbthostie.bho.1\ (3 subtraces) (ID = 127461)
9:01 PM: HKLM\software\classes\hbthostie.bho\ (5 subtraces) (ID = 127462)
9:01 PM: HKLM\software\classes\hbthostol.hbtmailanim.1\ (3 subtraces) (ID = 127463)
9:01 PM: HKLM\software\classes\hbthostol.hbtmailanim\ (5 subtraces) (ID = 127464)
9:01 PM: HKLM\software\classes\hbthostol.hbtwebmailsend.1\ (3 subtraces) (ID = 127465)
9:01 PM: HKLM\software\classes\hbthostol.hbtwebmailsend\ (5 subtraces) (ID = 127466)
9:01 PM: HKLM\software\classes\hbtinstie.hbinstobj.1\ (3 subtraces) (ID = 127467)
9:01 PM: HKLM\software\classes\hbtinstie.hbinstobj\ (5 subtraces) (ID = 127468)
9:01 PM: HKLM\software\classes\hbtools.hbtcommband.1\ (3 subtraces) (ID = 127472)
9:01 PM: HKLM\software\classes\hbtools.hbtcommband\ (5 subtraces) (ID = 127473)
9:01 PM: HKLM\software\classes\hbtools.hbttravelcomparebar.1\ (3 subtraces) (ID = 127474)
9:01 PM: HKLM\software\classes\hbtools.hbttravelcomparebar\ (5 subtraces) (ID = 127475)
9:01 PM: HKLM\software\classes\hbtsrv.hbtcoreservices.1\ (3 subtraces) (ID = 127476)
9:01 PM: HKLM\software\classes\hbtsrv.hbtcoreservices\ (5 subtraces) (ID = 127477)
9:01 PM: HKLM\software\classes\hbttoolbar.hbthtmlmenuui.1\ (3 subtraces) (ID = 127478)
9:01 PM: HKLM\software\classes\hbttoolbar.hbthtmlmenuui\ (5 subtraces) (ID = 127479)
9:01 PM: HKLM\software\classes\hbttoolbar.hbttoolbarctl.1\ (3 subtraces) (ID = 127480)
9:01 PM: HKLM\software\classes\hbttoolbar.hbttoolbarctl\ (5 subtraces) (ID = 127481)
9:01 PM: HKLM\software\classes\hbttools.hbmain.1\ (3 subtraces) (ID = 127482)
9:01 PM: HKLM\software\classes\hbttools.hbmain\ (5 subtraces) (ID = 127483)
9:01 PM: HKLM\software\classes\interface\{3f04cbf7-cd62-4403-b090-b432dedcb159}\ (8 subtraces) (ID = 127490)
9:01 PM: HKLM\software\classes\interface\{34f4d917-31e4-464c-b8b3-84c1ce76b395}\ (8 subtraces) (ID = 127499)
9:01 PM: HKLM\software\classes\interface\{8578d35e-c6c0-4808-9a80-0f6c29a2c423}\ (8 subtraces) (ID = 127503)
9:01 PM: HKLM\software\classes\interface\{bc190da5-0187-4d99-b3ac-6c45ea1b9324}\ (8 subtraces) (ID = 127514)
9:01 PM: HKLM\software\classes\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127521)
9:01 PM: HKLM\software\classes\rprtspsclient.psexecuter\ (5 subtraces) (ID = 127522)
9:01 PM: HKLM\software\classes\shprrprts.hbax.1\ (3 subtraces) (ID = 127524)
9:01 PM: HKLM\software\classes\shprrprts.hbax\ (5 subtraces) (ID = 127525)
9:01 PM: HKLM\software\classes\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127528)
9:01 PM: HKLM\software\classes\shprrprts.hbinfoband\ (5 subtraces) (ID = 127529)
9:01 PM: HKLM\software\classes\shprrprts.iebutton.1\ (3 subtraces) (ID = 127530)
9:01 PM: HKLM\software\classes\shprrprts.iebutton\ (5 subtraces) (ID = 127531)
9:01 PM: HKLM\software\classes\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127532)
9:01 PM: HKLM\software\classes\shprrprts.iebuttona\ (5 subtraces) (ID = 127533)
9:01 PM: HKLM\software\classes\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127534)
9:01 PM: HKLM\software\classes\shprrprts.smrtshprctl\ (5 subtraces) (ID = 127535)
9:01 PM: HKLM\software\classes\typelib\{4cf5a3c1-07a2-4336-9b54-6870452ebde1}\ (9 subtraces) (ID = 127537)
9:01 PM: HKLM\software\classes\typelib\{71e9cf40-af72-4b55-bd3f-1fea2a0eaea6}\ (9 subtraces) (ID = 127542)
9:01 PM: HKLM\software\classes\typelib\{71efe583-62fe-4419-9918-ca3b683f7b36}\ (9 subtraces) (ID = 127543)
9:01 PM: HKLM\software\classes\typelib\{793af621-5cd0-4b92-b765-6712f6aaf48e}\ (9 subtraces) (ID = 127545)
9:01 PM: HKLM\software\classes\typelib\{9967a873-40f3-4c7e-9239-6c8760f19f61}\ (9 subtraces) (ID = 127547)
9:01 PM: HKLM\software\classes\typelib\{45397063-d7d0-47c2-9508-26487608a298}\ (9 subtraces) (ID = 127549)
9:01 PM: HKLM\software\classes\typelib\{b9f51d42-cca0-4408-bb02-d433d1865a3a}\ (9 subtraces) (ID = 127552)
9:01 PM: HKLM\software\classes\typelib\{f8ee014f-b34c-4544-8e45-95a7971d323b}\ (9 subtraces) (ID = 127558)
9:01 PM: HKLM\software\classes\wallpaper.wallpapermanager\ (5 subtraces) (ID = 127559)
9:01 PM: HKU\.DEFAULT\software\hbtools\ (256 subtraces) (ID = 127563)
9:01 PM: HKLM\software\hbtools\ (70 subtraces) (ID = 127564)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\explorer bars\{7e66936c-fea0-4984-ad26-7b6661ac5b2e}\ (2 subtraces) (ID = 127568)
9:01 PM: HKLM\software\microsoft\internet explorer\explorer bars\{7e66936c-fea0-4984-ad26-7b6661ac5b2e}\ (1 subtraces) (ID = 127569)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\explorer bars\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (2 subtraces) (ID = 127570)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\explorer bars\{2178c864-b8bc-41ae-a1fb-eb6a32f87eb1}\ (2 subtraces) (ID = 127571)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{946b3e9e-e21a-49c8-9f63-900533fafe14}\ (6 subtraces) (ID = 127577)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{946b3e9e-e21a-49c8-9f63-900533fafe14}\ || buttontext (ID = 127578)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{946b3e9e-e21a-49c8-9f63-900533fafe14}\ || default visible (ID = 127579)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{946b3e9e-e21a-49c8-9f63-900533fafe14}\ || hoticon (ID = 127580)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{946b3e9e-e21a-49c8-9f63-900533fafe14}\ || icon (ID = 127581)
9:01 PM: HKLM\software\microsoft\internet explorer\extensions\{e77eda01-3c56-4a96-8d08-02b42891c169}\ (6 subtraces) (ID = 127582)
9:01 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser\ || {74cc49f7-eb32-4a08-b204-948962a6e3db} (ID = 127586)
9:01 PM: HKLM\software\microsoft\office\outlook\addins\hbthostol.hbtmailanim\ (4 subtraces) (ID = 127590)
9:01 PM: HKLM\software\microsoft\windows\currentversion\run\ || hbtools (ID = 127613)
9:01 PM: HKU\.DEFAULT\software\shopperreports\ (4 subtraces) (ID = 127631)
9:01 PM: HKCR\typelib\{4cf5a3c1-07a2-4336-9b54-6870452ebde1}\ (9 subtraces) (ID = 127635)
9:01 PM: HKCR\typelib\{71e9cf40-af72-4b55-bd3f-1fea2a0eaea6}\ (9 subtraces) (ID = 127640)
9:01 PM: HKCR\typelib\{71efe583-62fe-4419-9918-ca3b683f7b36}\ (9 subtraces) (ID = 127641)
9:01 PM: HKCR\typelib\{793af621-5cd0-4b92-b765-6712f6aaf48e}\ (9 subtraces) (ID = 127643)
9:01 PM: HKCR\typelib\{9967a873-40f3-4c7e-9239-6c8760f19f61}\ (9 subtraces) (ID = 127645)
9:01 PM: HKCR\typelib\{45397063-d7d0-47c2-9508-26487608a298}\ (9 subtraces) (ID = 127647)
9:01 PM: HKCR\typelib\{b9f51d42-cca0-4408-bb02-d433d1865a3a}\ (9 subtraces) (ID = 127651)
9:01 PM: HKCR\typelib\{f8ee014f-b34c-4544-8e45-95a7971d323b}\ (9 subtraces) (ID = 127657)
9:01 PM: HKCR\wallpaper.wallpapermanager.1\ (3 subtraces) (ID = 127658)
9:01 PM: HKCR\wallpaper.wallpapermanager\ (5 subtraces) (ID = 127659)
9:01 PM: Found Adware: linkmaker
9:01 PM: HKCR\clsid\{dfaa31c8-a356-4313-9d95-5edab46c5070}\ (10 subtraces) (ID = 129728)
9:01 PM: HKLM\software\classes\clsid\{dfaa31c8-a356-4313-9d95-5edab46c5070}\ (10 subtraces) (ID = 129736)
9:01 PM: Found Adware: screensavers
9:01 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140550)
9:01 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (2 subtraces) (ID = 140551)
9:01 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140555)
9:01 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (2 subtraces) (ID = 140556)
9:01 PM: HKLM\software\microsoft\code store database\distribution units\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (9 subtraces) (ID = 140566)
9:01 PM: HKLM\software\screensavers.com\ (ID = 140569)
9:02 PM: Found Adware: search fast communicator toolbar
9:02 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
9:02 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
9:02 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
9:02 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
9:02 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
9:02 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
9:02 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
9:02 PM: HKU\.DEFAULT\software\communicator toolbar\ (9 subtraces) (ID = 140688)
9:02 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
9:02 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
9:02 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
9:02 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
9:02 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
9:02 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
9:02 PM: Found Adware: shopathomeselect
9:02 PM: HKLM\software\winsock2\layered provider sample\ (ID = 141736)
9:02 PM: Found Adware: surfsidekick
9:02 PM: HKU\.default\software\surfsidekick3\ (3 subtraces) (ID = 143387)
9:02 PM: HKU\.DEFAULT\software\surfsidekick3\ (3 subtraces) (ID = 143412)
9:02 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
9:02 PM: Found Adware: websearch toolbar
9:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow_as2.dll (ID = 146497)
9:02 PM: HKLM\software\classes\adtoolsx.installer\ (3 subtraces) (ID = 147163)
9:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\adtoolsx.dll (ID = 147215)
9:02 PM: Found Adware: quicklink search toolbar
9:02 PM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359443)
9:02 PM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359446)
9:02 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
9:02 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
9:02 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
9:02 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
9:02 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
9:02 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
9:02 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
9:02 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
9:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
9:02 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
9:02 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/hbinstie.dll\ (2 subtraces) (ID = 484423)
9:02 PM: Found Adware: zenosearchassistant
9:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\zeno browser enhancer\ (2 subtraces) (ID = 513784)
9:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
9:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\hbinstie.dll (ID = 655022)
9:02 PM: HKCR\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\ (11 subtraces) (ID = 774202)
9:02 PM: HKCR\interface\{023a4648-601a-4c30-8a2e-c72ebfa99af6}\ (8 subtraces) (ID = 774214)
9:02 PM: HKCR\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (8 subtraces) (ID = 774223)
9:02 PM: HKCR\interface\{19ebcbe0-9245-4397-bc5d-883d34782043}\ (8 subtraces) (ID = 774232)
9:02 PM: HKCR\interface\{1c1793e0-1034-4cac-837d-aa545f6961bf}\ (8 subtraces) (ID = 774241)
9:02 PM: HKCR\interface\{1e07646f-07c4-4847-a250-0ec8114f2963}\ (8 subtraces) (ID = 774250)
9:02 PM: HKCR\interface\{27c4569f-8728-4958-a920-a607cae8153c}\ (8 subtraces) (ID = 774259)
9:02 PM: HKCR\interface\{38370864-346f-4afa-8c4b-4fbff518c0bb}\ (8 subtraces) (ID = 774268)
9:02 PM: HKCR\interface\{397a208b-3d09-4b3e-93e8-ca171886612e}\ (8 subtraces) (ID = 774277)
9:02 PM: HKCR\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (8 subtraces) (ID = 774286)
9:02 PM: HKCR\interface\{4331ec56-0aab-499e-8757-dd2ee44ad671}\ (8 subtraces) (ID = 774295)
9:02 PM: HKCR\interface\{54286c3a-e044-4e65-bd44-528d6ae28a18}\ (8 subtraces) (ID = 774304)
9:02 PM: HKCR\interface\{5d9c84e7-fa45-49e2-a0b8-b6b5e9a4f6be}\ (8 subtraces) (ID = 774322)
9:02 PM: HKCR\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (8 subtraces) (ID = 774331)
9:02 PM: HKCR\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (8 subtraces) (ID = 774349)
9:02 PM: HKCR\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (8 subtraces) (ID = 774358)
9:02 PM: HKCR\interface\{8d5c4ec6-af8e-4b85-ba27-64babe410510}\ (8 subtraces) (ID = 774367)
9:02 PM: HKCR\interface\{8e98faf8-794f-47f9-af90-15305564ed81}\ (8 subtraces) (ID = 774376)
9:02 PM: HKCR\interface\{af15975b-1498-4740-8e6c-90af78e4198c}\ (8 subtraces) (ID = 774385)
9:02 PM: HKCR\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (8 subtraces) (ID = 774394)
9:02 PM: HKCR\interface\{b671426c-5c1a-48ac-9652-bc9402b1c404}\ (8 subtraces) (ID = 774403)
9:02 PM: HKCR\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (8 subtraces) (ID = 774412)
9:02 PM: HKCR\interface\{bc8c2e5f-d8b4-4997-bce3-8775c3707956}\ (8 subtraces) (ID = 774421)
9:02 PM: HKCR\interface\{d082721f-4bd4-4b8b-bb82-06753ee6174f}\ (8 subtraces) (ID = 774430)
9:02 PM: HKCR\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (8 subtraces) (ID = 774439)
9:02 PM: HKCR\interface\{f43ec88b-b6c8-4969-a763-e2bf55602cce}\ (8 subtraces) (ID = 774448)
9:02 PM: HKCR\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (8 subtraces) (ID = 774457)
9:02 PM: HKCR\interface\{f814be58-1bf9-4b50-829a-e889f86127ad}\ (8 subtraces) (ID = 774466)
9:02 PM: HKLM\software\classes\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\inprocserver32\ (2 subtraces) (ID = 774480)
9:02 PM: HKLM\software\classes\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\progid\ (1 subtraces) (ID = 774483)
9:02 PM: HKLM\software\classes\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\programmable\ (ID = 774485)
9:02 PM: HKLM\software\classes\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\typelib\ (1 subtraces) (ID = 774486)
9:02 PM: HKLM\software\classes\clsid\{420c35c9-e4f2-49f9-bf67-2be1ecf86989}\versionindependentprogid\ (1 subtraces) (ID = 774488)
9:02 PM: HKLM\software\classes\interface\{023a4648-601a-4c30-8a2e-c72ebfa99af6}\ (8 subtraces) (ID = 774490)
9:02 PM: HKLM\software\classes\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (8 subtraces) (ID = 774499)
9:02 PM: HKLM\software\classes\interface\{19ebcbe0-9245-4397-bc5d-883d34782043}\ (8 subtraces) (ID = 774508)
9:02 PM: HKLM\software\classes\interface\{1c1793e0-1034-4cac-837d-aa545f6961bf}\ (8 subtraces) (ID = 774517)
9:02 PM: HKLM\software\classes\interface\{1e07646f-07c4-4847-a250-0ec8114f2963}\ (8 subtraces) (ID = 774526)
9:02 PM: HKLM\software\classes\interface\{27c4569f-8728-4958-a920-a607cae8153c}\ (8 subtraces) (ID = 774535)
9:02 PM: HKLM\software\classes\interface\{38370864-346f-4afa-8c4b-4fbff518c0bb}\ (8 subtraces) (ID = 774544)
9:02 PM: HKLM\software\classes\interface\{397a208b-3d09-4b3e-93e8-ca171886612e}\ (8 subtraces) (ID = 774553)
9:02 PM: HKLM\software\classes\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (8 subtraces) (ID = 774562)
9:02 PM: HKLM\software\classes\interface\{4331ec56-0aab-499e-8757-dd2ee44ad671}\ (8 subtraces) (ID = 774571)
9:02 PM: HKLM\software\classes\interface\{54286c3a-e044-4e65-bd44-528d6ae28a18}\ (8 subtraces) (ID = 774580)
9:02 PM: HKLM\software\classes\interface\{5d9c84e7-fa45-49e2-a0b8-b6b5e9a4f6be}\ (8 subtraces) (ID = 774598)
9:02 PM: HKLM\software\classes\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (8 subtraces) (ID = 774607)
9:02 PM: HKLM\software\classes\interface\{601a9784-1114-4089-9b3e-cbd70dafc6ad}\ (8 subtraces) (ID = 774616)
9:02 PM: HKLM\software\classes\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (8 subtraces) (ID = 774625)
9:02 PM: HKLM\software\classes\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (8 subtraces) (ID = 774634)
9:02 PM: HKLM\software\classes\interface\{8d5c4ec6-af8e-4b85-ba27-64babe410510}\ (8 subtraces) (ID = 774643)
9:02 PM: HKLM\software\classes\interface\{8e98faf8-794f-47f9-af90-15305564ed81}\ (8 subtraces) (ID = 774652)
9:02 PM: HKLM\software\classes\interface\{af15975b-1498-4740-8e6c-90af78e4198c}\ (8 subtraces) (ID = 774661)
9:02 PM: HKLM\software\classes\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (8 subtraces) (ID = 774670)
9:02 PM: HKLM\software\classes\interface\{b671426c-5c1a-48ac-9652-bc9402b1c404}\ (8 subtraces) (ID = 774679)
9:02 PM: HKLM\software\classes\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (8 subtraces) (ID = 774688)
9:02 PM: HKLM\software\classes\interface\{bc8c2e5f-d8b4-4997-bce3-8775c3707956}\ (8 subtraces) (ID = 774697)
9:02 PM: HKLM\software\classes\interface\{d082721f-4bd4-4b8b-bb82-06753ee6174f}\ (8 subtraces) (ID = 774706)
9:02 PM: HKLM\software\classes\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (8 subtraces) (ID = 774715)
9:02 PM: HKLM\software\classes\interface\{f43ec88b-b6c8-4969-a763-e2bf55602cce}\ (8 subtraces) (ID = 774724)
9:02 PM: HKLM\software\classes\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (8 subtraces) (ID = 774733)
9:02 PM: HKLM\software\classes\interface\{f814be58-1bf9-4b50-829a-e889f86127ad}\ (8 subtraces) (ID = 774742)
9:02 PM: HKLM\software\microsoft\windows\currentversion\run\ || browserupdatesched (ID = 835886)
9:02 PM: Registry Sweep Complete, Elapsed Time:00:03:08
9:02 PM: Starting Cookie Sweep
9:02 PM: Found Spy Cookie: partypoker cookie
9:02 PM: martin stromberger@partypoker[1].txt (ID = 3111)
9:02 PM: Found Spy Cookie: touchclarity cookie
9:02 PM: martin stromberger@partypoker.touchclarity[1].txt (ID = 3567)
9:02 PM: Found Spy Cookie: paypopup cookie
9:02 PM: martin stromberger@paypopup[1].txt (ID = 3119)
9:02 PM: Found Spy Cookie: 888 cookie
9:02 PM: martin stromberger@888[1].txt (ID = 2019)
9:02 PM: Found Spy Cookie: addynamix cookie
9:02 PM: martin stromberger@ads.addynamix[2].txt (ID = 2062)
9:03 PM: Found Spy Cookie: websponsors cookie
9:03 PM: martin stromberger@a.websponsors[2].txt (ID = 3665)
9:03 PM: Found Spy Cookie: falkag cookie
9:03 PM: martin stromberger@as1.falkag[2].txt (ID = 2650)
9:03 PM: Found Spy Cookie: ru4 cookie
9:03 PM: martin stromberger@edge.ru4[2].txt (ID = 3269)
9:03 PM: Found Spy Cookie: rn11 cookie
9:03 PM: martin stromberger@rn11[2].txt (ID = 3261)
9:03 PM: Found Spy Cookie: hbmediapro cookie
9:03 PM: martin stromberger@adopt.hbmediapro[2].txt (ID = 2768)
9:03 PM: Found Spy Cookie: yieldmanager cookie
9:03 PM: martin stromberger@ad.yieldmanager[1].txt (ID = 3751)
9:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
9:03 PM: Starting File Sweep
9:03 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
********
7:55 PM: |··· Start of Session, 10/4/05 7:55:42 PM ···|
7:55 PM: Spy Sweeper started
7:55 PM: Sweep initiated using definitions version 549
7:55 PM: Starting Memory Sweep
7:56 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
7:56 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK
7:57 PM: Found Adware: icannnews
7:57 PM: Detected running threat: C:\WINDOWS\SYSTEM\LXDIS11n.dll (ID = 157088)
7:57 PM: Detected running threat: C:\WINDOWS\SYSTEM\htsjvset.dll (ID = 157088)
8:49 PM: Found: Memory-resident threat icannnews, version 1.0.0.0
8:49 PM: Detected running threat: icannnews
8:53 PM: |··· End of Session, 10/4/05 8:53:29 PM ···|
********
7:53 PM: |··· Start of Session, 10/4/05 7:53:46 PM ···|
7:53 PM: Spy Sweeper started
7:55 PM: |··· End of Session, 10/4/05 7:55:42 PM ···|


Thanks again for any help!
  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log looks much better. :tazz:

Please fix this line with Hijackthis.

O15 - Trusted IP range: 206.161.125.149


Did Spysweeper run to completion and remove everything that it found? Usually the log shows those actions and I don't see it here. I just want to make sure it removed everything that it found.

How are things working for you now? Any more popups?
  • 0

#7
julemarts

julemarts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
No, I am not getting Popups anymore. It's great, thanks for your help!

However, I can't delete O15 - Trusted IP range: 206.161.125.149 using HijackThis. Any ideas on how to get rid of it?

Thanks.
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Download(right click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winh.../DelDomains.inf

To use: Close all open browsers
Right-click DelDomains.inf and select: Install

That should remove that last 015 line.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
  • 0

#9
julemarts

julemarts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thanks again for your help ! Your advice worked.

I seem to have only one more issue: my Internet Explorer home page always get reset to yahoo.com. Can you help change that? My HijackThis log is below:

Also, I've tried to make a donation, but my PayPal account doesn't seem to work right. I'm still trying....

Logfile of HijackThis v1.99.1
Scan saved at 7:27:10 PM, on 10/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\FILTER7.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Sure! You should be able to do this right through Internet Explorer options. Open up IE and click on Tools -> Internet Options. Under the General tab you can specify what you want your homepage to be set to.

You can also use hijackthis to fix these lines.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/


You'll still have to set up the page that you want to be your home page in IE options, but at least you can remove Yahoo this way.

If for some reason that doesn't work let me know.
  • 0

#11
julemarts

julemarts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I still can't get rid of Yahoo as my home page. I try to reset via Internet Options, but it resets itself somehow. Any ideas? Here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:29 PM, on 10/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\FILTER7.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
It's Spysweeper. Disable it and make sure these processes are ended.

SPYSWEEPER.EXE
WRSSSDK.EXE


Then try it again.
  • 0

#13
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP