IE/Firefox opens without clicking [RESOLVED]


This topic is locked

#1
pcdawg (New Member, 7 posts)
My brother downloaded something and bam... some vicious malware/adware keeps making IE and Firefox browser windows pop up every once in a while, even if I am not using any browsers...

Followed the FAQ by installing those recommended tools (removed some viruses/trojans/spyware/adware) but it still didn't solve the problem.


Any help is appreciated!!!


Here's the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 1:19:29 PM, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\AnalogX\PortMapper\pmapper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PChan\Desktop\spywaretools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pulse24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PMapper.lnk = C:\Program Files\AnalogX\PortMapper\pmapper.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\j22q0cf5ef2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#2
Avohir (Visiting Staff / Visiting Consultant, 1,002 posts)
Welcome to GeeksToGo!

Could you please post a fresh HijackThis log with word wrap turned off? To turn word wrap off, go to the Format menu and uncheck it.

#3
pcdawg (Topic Starter, New Member, 7 posts)
No problem... here's the new one with word wrap off...

Logfile of HijackThis v1.99.1
Scan saved at 7:05:19 PM, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\AnalogX\PortMapper\pmapper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PChan\Desktop\spywaretools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pulse24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PMapper.lnk = C:\Program Files\AnalogX\PortMapper\pmapper.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\j22q0cf5ef2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Edited by pcdawg, 02 November 2005 - 06:06 PM.


#4
Avohir (Visiting Staff / Visiting Consultant, 1,002 posts)
You have a Look2Me infection

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions; click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner and copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply, along with a new HijackThis log.

Edited by Avohir, 02 November 2005 - 06:41 PM.

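Avohir's call above rests on one line in pcdawg's log that no installed product accounts for: the O20 Winlogon Notify entry loading C:\WINDOWS\system32\j22q0cf5ef2.dll, a DLL with a random-looking name (the SpySweeper session log in the next post reports that same DLL as a running threat). Two more lines stand out in the same way, the Run values launching C:\windows\msresearch.exe and C:\windows\sp2update00.exe, which SpySweeper later removes as "sp2ms" adware. The Python below is an added example, not code from the thread, from HijackThis or from Webroot: it reads a handful of the posted log lines, embedded inline as constructed sample input, and surfaces exactly those entries. The random-name threshold and the list of Windows-directory paths are heuristics picked for this illustration, not HijackThis rules, and the two bare-filename hits (SOUNDMAN.EXE, RUNDLL32.EXE) are expected low-priority noise left in to show the tiering.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not the thread's or
HijackThis's own code). It walks the O4 / O20 / O23 sections and surfaces the
entries a helper reads first: a Winlogon Notify DLL with a random-looking name,
Run values launched straight from the Windows directory, services with no owner.
Thresholds and the path list are illustrative heuristics, not HijackThis rules."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines pcdawg posted, copied unchanged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\j22q0cf5ef2.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories no legitimate Run value in this log launches from (illustrative, assumed list).
WINDOWS_ROOT_DIRS = {"c:\\windows", "c:\\winnt", "%systemroot%", "%windir%"}


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    section: str
    detail: str


def looks_random(stem: str) -> bool:
    """Count letter<->digit switches in a file stem. Vendor names switch once or
    twice (nvsvc32, ati2evxx); generated names such as j22q0cf5ef2 switch constantly."""
    classes = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return len(classes) >= 8 and switches >= 4


def executable_of(cmd: str) -> str:
    """Pull the launched image out of a Run value: a quoted path, else the first
    token ending in .exe, else the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, most urgent first."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if body.endswith("(file missing)"):
            findings.append(Finding("info", section, f"dead entry, target missing: {body}"))
        elif section == "O4" and (run := RUN_RE.match(body)):
            exe = executable_of(run.group("cmd"))
            directory, _, image = exe.rpartition("\\")
            if not directory:  # no path at all: resolved through the search path
                findings.append(Finding("info", section,
                    f"[{run.group('name')}] bare filename {image}, resolved via the search path"))
            elif directory.lower() in WINDOWS_ROOT_DIRS:
                findings.append(Finding("review", section,
                    f"[{run.group('name')}] launches {exe} straight from the Windows directory"))
        elif section == "O20" and (notify := NOTIFY_RE.match(body)):
            stem = notify.group("path").rpartition("\\")[2].rsplit(".", 1)[0]
            severity = "high" if looks_random(stem) else "review"
            findings.append(Finding(severity, section,
                f"Winlogon Notify '{notify.group('name')}' loads {notify.group('path')}"))
        elif section == "O23" and (svc := SERVICE_RE.match(body)):
            if svc.group("owner").lower() == "unknown owner":
                findings.append(Finding("review", section,
                    f"service '{svc.group('name')}' has no owner: {svc.group('path')}"))
    order = {"high": 0, "review": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<4} {f.detail}")
```

Read the high line first; the review lines still need a vendor check (the ATI Smart service is a driver component, not adware) before anything is fixed with HijackThis, which is exactly why the script tiers rather than decides.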

#5
pcdawg (Topic Starter, New Member, 7 posts)
Right now... nothing is popping up... *knock on wood*... but here are the logs as requested...

SpySweeper log

********
8:07 PM: | Start of Session, November 2, 2005 |
8:07 PM: Spy Sweeper started
8:07 PM: Sweep initiated using definitions version 564
8:07 PM: Starting Memory Sweep
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: Found Adware: icannnews
8:09 PM: Detected running threat: C:\WINDOWS\system32\j22q0cf5ef2.dll (ID = 83)
8:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 PM: Detected running threat: C:\WINDOWS\system32\mfjint40.dll (ID = 83)
8:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 PM: Memory Sweep Complete, Elapsed Time: 00:04:04
8:11 PM: Starting Registry Sweep
8:12 PM: Found Adware: websearch toolbar
8:12 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
8:12 PM: Found Adware: winad
8:12 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (ID = 147192)
8:12 PM: Found Adware: sp2ms
8:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || msresearch (ID = 754357)
8:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || sp2update (ID = 787992)
8:12 PM: Registry Sweep Complete, Elapsed Time:00:00:15
8:12 PM: Starting Cookie Sweep
8:12 PM: Found Spy Cookie: enhance cookie
8:12 PM: system@c.enhance[1].txt (ID = 2614)
8:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:12 PM: Starting File Sweep
8:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:13 PM: Found Adware: targetsaver
8:13 PM: dc3.exe (ID = 166444)
8:13 PM: Found Adware: shopathomeselect
8:13 PM: gah95on6.ini (ID = 75741)
8:14 PM: kdlmjh8r.dat (ID = 75677)
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: tm97pj39.dat (ID = 75645)
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: e.rn11.com
8:41 PM: The Spy Communication shield has blocked access to: e.rn11.com
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: File Sweep Complete, Elapsed Time: 00:40:45
8:53 PM: Full Sweep has completed. Elapsed time 00:45:08
8:53 PM: Traces Found: 19
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: Removal process initiated
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: Quarantining All Traces: websearch toolbar
8:54 PM: Quarantining All Traces: icannnews
8:54 PM: icannnews is in use. It will be removed on reboot.
8:54 PM: C:\WINDOWS\system32\j22q0cf5ef2.dll is in use. It will be removed on reboot.
8:54 PM: C:\WINDOWS\system32\mfjint40.dll is in use. It will be removed on reboot.
8:54 PM: Quarantining All Traces: shopathomeselect
8:54 PM: Quarantining All Traces: sp2ms
8:54 PM: Quarantining All Traces: targetsaver
8:54 PM: Quarantining All Traces: winad
8:54 PM: Quarantining All Traces: enhance cookie
8:54 PM: Warning: Launched explorer.exe
8:54 PM: Warning: Quarantine process could not restart Explorer.
8:54 PM: Removal process completed. Elapsed time 00:01:23
********
8:05 PM: | Start of Session, November 2, 2005 |
8:05 PM: Spy Sweeper started
8:06 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
8:07 PM: Your spyware definitions have been updated.
8:07 PM: | End of Session, November 2, 2005 |


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:04:43 PM, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\AnalogX\PortMapper\pmapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PChan\Desktop\spywaretools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pulse24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PMapper.lnk = C:\Program Files\AnalogX\PortMapper\pmapper.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
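The Spy Sweeper session above is mostly one message repeated: the Spy Communication shield blocking the same two hyphen-padded lookalike domains every few seconds for almost half an hour, which is the signature of a resident process that keeps trying to phone home rather than a one-off page load. The script below is an added example, not part of the original post and not Webroot code; it parses that log format ("H:MM AM/PM: message", assumed from the posted lines), tallies blocks per host, measures the time window they span, and pulls out the events a helper actually acts on: detections, quarantine actions and the "is in use, will be removed on reboot" items that mean the next HijackThis log is only meaningful after a reboot. The sample log is a short constructed excerpt that mirrors the posted session.

```python
"""Triage a Webroot Spy Sweeper session log of the kind posted in this thread.

Added example (not from the thread, not Webroot tooling). Assumes each line
is "H:MM AM/PM: <message>" and that a session does not cross midnight.
"""
import re
from collections import Counter
from datetime import datetime

SHIELD_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2} [AP]M): The Spy Communication shield "
    r"has blocked access to: (?P<host>\S+)$"
)
EVENT_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.+)$")
IN_USE_RE = re.compile(r"^(?P<path>.+?) is in use\. It will be removed on reboot\.$")

# Constructed excerpt: hosts, times and events copied from the posted session,
# but only ten lines of the 200+ line original.
SAMPLE_LOG = """\
8:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: tm97pj39.dat (ID = 75645)
8:41 PM: The Spy Communication shield has blocked access to: e.rn11.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: Traces Found: 19
8:54 PM: Quarantining All Traces: websearch toolbar
8:54 PM: icannnews is in use. It will be removed on reboot.
8:54 PM: C:\\WINDOWS\\system32\\j22q0cf5ef2.dll is in use. It will be removed on reboot.
8:54 PM: C:\\WINDOWS\\system32\\mfjint40.dll is in use. It will be removed on reboot.
"""


def parse_time(stamp):
    """'8:26 PM' -> datetime (date part is irrelevant, only the clock time matters)."""
    return datetime.strptime(stamp, "%I:%M %p")


def triage(log_text):
    """Summarise a session: blocks per host, the minutes they span, items whose
    removal is deferred to reboot, and every other (non-shield) event in order."""
    blocks = Counter()
    times = []
    pending_reboot = []
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHIELD_RE.match(line)
        if m:
            blocks[m.group("host")] += 1
            times.append(parse_time(m.group("time")))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue  # separators such as "********" and session banners
        msg = m.group("msg")
        in_use = IN_USE_RE.match(msg)
        if in_use:
            pending_reboot.append(in_use.group("path"))
        else:
            events.append(msg)
    span = int((max(times) - min(times)).total_seconds() // 60) if times else 0
    return {
        "blocks": dict(blocks),
        "total_blocks": sum(blocks.values()),
        "span_minutes": span,
        "pending_reboot": pending_reboot,
        "events": events,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for host, n in sorted(summary["blocks"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {host}")
    print(f"{summary['total_blocks']} blocks over {summary['span_minutes']} min")
    print("pending reboot:", summary["pending_reboot"])
```

Run against the full posted session the same code reports a few hundred blocks spread over roughly 27 minutes for just two hosts, which is the number that tells you something is still resident: the shield is a symptom suppressor, and the non-empty pending_reboot list is why the helper asks for a reboot before the next log.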

#6 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\windows\sp2update00.exe
C:\windows\msresearch.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

Avohir(at)gmail(dot)com

replace at with @ and dot with .

#7 pcdawg (Topic Starter, New Member, 7 posts)
Downloaded, applied and emailed!!

So far everything is working!!

Thanks ...let me know...

#8 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can re-enable TeaTimer once your system is clean.

Open HijackThis and put checkmarks next to the following entries:

O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe

Then close all other open windows and click "Fix checked".

Next, open My Computer and delete the following files:

C:\windows\sp2update00.exe
C:\windows\msresearch.exe

Then reboot and post a fresh HijackThis log.
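The fix above removes two HKLM Run values and the files they point at, and the check that the fix took is the fresh log that follows. The script below is an added example, not part of the thread and not HijackThis code: it parses O4 lines, diffs the autorun set of a "before" and an "after" log so the removed entries are listed explicitly, and flags Run values whose executable sits directly in the Windows directory rather than in system32 or Program Files. That location heuristic is this example's own assumption (it happens to single out exactly sp2update00.exe and msresearch.exe here, but a real triage also checks signatures and hashes); the O4 lines are an excerpt copied from the two logs in this thread.

```python
"""Parse HijackThis O4 (Run-key autorun) entries and diff two logs.

Added example, not HijackThis code and not part of the original thread.
O4 lines below are copied from the logs posted in the thread (an excerpt).
The "executable directly in C:\\windows" heuristic is an assumption of this
example, not a HijackThis rule.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Drive letter, \windows\, then a single path component ending in .exe
WINROOT_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+\.exe$")

BEFORE = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [sp2update] C:\\windows\\sp2update00.exe
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe"
O4 - HKLM\\..\\Run: [msresearch] C:\\windows\\msresearch.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
"""

AFTER = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def parse_log(text):
    """Map (hive, value name) -> command for every O4 Run entry in a log."""
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m.group("hive"), m.group("name"))] = m.group("cmd")
    return entries


def executable(cmd):
    """Best-effort: the program a Run value launches (quoted path, first
    .exe token, or first whitespace token as a fallback)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def flag_suspicious(entries):
    """Value names whose executable lives directly under \\windows\\ (assumed heuristic)."""
    return sorted(name for (_hive, name), cmd in entries.items()
                  if WINROOT_RE.match(executable(cmd)))


def diff_autoruns(before_text, after_text):
    """(removed, added) keys between two logs, so a fix can be confirmed."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added


if __name__ == "__main__":
    print("suspicious before:", flag_suspicious(parse_log(BEFORE)))
    removed, added = diff_autoruns(BEFORE, AFTER)
    print("removed:", removed)
    print("added:", added)
```

On the excerpt the diff lists the two malware values plus SpybotSD TeaTimer, which is expected because the helper asked for TeaTimer to be disabled, and the "after" log flags nothing; anything still flagged, or any newly added value, is the cue to keep going rather than call the system clean.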

#9 pcdawg (Topic Starter, New Member, 7 posts)
Done... and here's the report

Logfile of HijackThis v1.99.1
Scan saved at 8:55:06 PM, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\AnalogX\PortMapper\pmapper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\PChan\Desktop\spywaretools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pulse24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PMapper.lnk = C:\Program Files\AnalogX\PortMapper\pmapper.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
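As an added illustration (not part of this thread and not HijackThis code), a small parser for the O4 startup lines in the log above, with a few triage rules of the kind a reviewer applies to them; the rule names and the helper functions are my own.

```python
import re

# Added illustration (not from the thread or from HijackThis): parse the O4 startup lines in
# a HijackThis log and apply a few triage rules; the rule names here are my own.
RUN_RE = re.compile(r"^O4 - (?P<loc>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<loc>Startup|Global Startup): (?P<name>[^=]+?)(?: = (?P<cmd>.*))?$")
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def executable_of(cmd):
    """Best-effort program name from a command line: the quoted part, else the first
    space-joined prefix that ends in a program extension, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXE_EXT):
            return prefix
    return tokens[0]


def parse_o4(line):
    """(location, entry name, command) for an O4 line; command is None for a bare
    file in a Startup folder; None altogether if the line is not an O4 entry."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    return (m.group("loc"), m.group("name"), m.group("cmd")) if m else None


def triage_o4(line):
    """Review flags for one O4 line; an empty list means these rules found nothing."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _loc, name, cmd = parsed
    if cmd is None:
        # A program dropped straight into a Startup folder runs at logon like any other.
        return ["executable-in-startup-folder"] if name.lower().endswith(EXE_EXT) else []
    flags = []
    exe = executable_of(cmd)
    if "\\" not in exe:
        # No directory given: the file that runs is whichever one the PATH search finds.
        flags.append("no-path")
    if exe.lower().endswith("rundll32.exe"):
        # The code that actually executes is the DLL passed as the argument.
        flags.append("rundll32-hosted:" + cmd[len(exe):].strip().split(",")[0])
    return flags
```

Run `triage_o4` over each line of a log; an empty list means these rules had nothing to remark on, not that the entry is known good.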

#10
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
That looks good, how's it running?

#11
pcdawg

    New Member

  • Topic Starter
  • Member
  • 7 posts
Very good!!

Wow.... and I thought that my computer was done for, since I couldn't get rid of those viruses/malware and thought it was time to re-format....

Also, should I keep all those programs I downloaded running on my computer, or will a few do?

Thanks!!

Edited by pcdawg, 03 November 2005 - 08:29 PM.


#12
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
You can delete Suspicious File Packer. If you want to keep Spy Sweeper, the trial expires in a few days, so you will have to buy a subscription for it to be of any use.

I'm glad we could help :tazz:

I notice you have a service for Symantec, but I don't see any associated startups. It is very important that you have an anti-virus installed. If Symantec is no longer installed, I recommend either AVG or Avast!, as they are both free anti-virus programs of high quality.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An antivirus program is a must! Whether it is a free version like AVG or AntiVir, or a shareware version like Norton or Kaspersky, this is a must-have.
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice, So how did I get infected in the first place?, and Spyware Aid's spyware article, Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
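Added here as an illustration of the hosts-file mechanism described in the post above (this is neither the post's nor the MVPS project's code): how a blocking hosts file answers a name lookup, and the one thing it does not cover, namely subdomains of a listed name. The entries in the sample are constructed and use the reserved `.test` domain.

```python
# Added example, not the forum post's or the MVPS project's code: how a hosts file of the
# kind described above blocks a site, and what it leaves unblocked. Entries are constructed.
SAMPLE_HOSTS = """\
# constructed sample in the usual layout: an address, then one or more host names
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test   # a comment may follow an entry
0.0.0.0 tracker.example.test counter.example.test
"""

BLACKHOLE = {"127.0.0.1", "0.0.0.0"}   # addresses used to sink a name on the local machine
LOCAL_NAMES = {"localhost"}            # legitimately local; not a block


def parse_hosts(text):
    """Map each host name (lower-cased) to its address; this example keeps the first entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def is_blocked(table, hostname):
    """True if the resolver pins this exact name to a blackhole address before DNS is asked."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    # Exact-match only: listing ads.example-adnetwork.test does not cover its subdomains.
    return table.get(name) in BLACKHOLE
```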

#13
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.