
Need help.


#1
Tego
New Member, 7 posts
Hello,

I've done a few searches over the internet, and I seem to end up here. My first problems started just a few weeks ago, and it was WinFixer...now many things keep popping up and I thought I might ask for some help...So...

Can anyone help?...Please?

I've followed the preparation steps and have the logs from Ewido and HijackThis...

Here is the Ewido summary:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:56:13 AM, 11/1/2005
+ Report-Checksum: A96A06F8

+ Scan result:

HKLM\SOFTWARE\Classes\ANSMTP.OBJ -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CLSID -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CurVer -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ.1 -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\.Owner -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1163395192-3477723857-56604596-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
[2744] C:\WINDOWS\System\CSRSS.EXE -> Backdoor.Robobot.ac : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@ad-logics[2].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@euniverseads[2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@hotlog[2].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron sayers@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][1].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Aaron Sayers\Cookies\aaron [email protected][2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-4d4f4070-646e6274.class -> Trojan.Femad : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-66a6f071-7029ef72.class -> Trojan.ClassLoader.Dummy.a : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-3bfd9b2-121ac93e.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon sayers@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\brandon [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Cookies\Copy of brandon [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Local Settings\Temporary Internet Files\Content.IE5\97A5V7DD\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Brandon Sayers\Local Settings\Temporary Internet Files\Content.IE5\CFDZ6Q7P\WinFixer2005ScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Adition : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Xhit : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi sayers@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Cathi Sayers\Cookies\cathi [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Jay Sayers\Cookies\jay [email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Jay Sayers\Cookies\jay sayers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\MySearch\bar\2.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\2.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\plugins\NPMySrch.dll -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\support.com\client\lserver\backup\Ex\ExlGen.dll\90112_561f440d7_/ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\RECYCLER\S-1-5-21-1163395192-3477723857-56604596-1007\Dc22\Legend_of_Zelda__A_Link_to_the_Past_cheats[1].html -> TrojanDownloader.Inor.a : Cleaned with backup
C:\RECYCLER\S-1-5-21-1163395192-3477723857-56604596-1007\Dc24\Legend_of_Zelda__A_Link_to_the_Past[1].html -> TrojanDownloader.Inor.a : Cleaned with backup
C:\RECYCLER\S-1-5-21-1163395192-3477723857-56604596-1007\Dc24\Legend_of_Zelda__A_Link_to_the_Past_cheats[1].html -> TrojanDownloader.Inor.a : Cleaned with backup
C:\WINDOWS\system32\sstqq.dll -> TrojanDownloader.Small.bpk : Cleaned with backup
C:\WINDOWS\system32\vtuts.dll -> TrojanDownloader.Agent.yf : Cleaned with backup
C:\WINDOWS\Temp\nst3.tmp\MyWaySetup.exe -> Spyware.GoWebSite : Cleaned with backup
D:\A) Ryans folders\blee\blah\mspass.exe -> Not-A-Virus.Tool.Messen.103 : Cleaned with backup
D:\A) Ryans folders\blee\blah\mspass.zip/mspass.exe -> Not-A-Virus.Tool.Messen.103 : Cleaned with backup
D:\Other\arun.exe -> Trojan.Zapchast : Cleaned with backup
D:\Other\Billy Stuff\Install Files\i_bpk_lite.exe/Setup.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Program Files\Grokster\cd_install.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
D:\Program Files\Grokster\cd_install.exe/cd_htm.dll -> Spyware.Cydoor : Cleaned with backup
D:\Program Files\My Shared Folder\TopSearch.dll -> Spyware.TopSearch : Cleaned with backup
D:\Program Files\Perfect Keylogger Lite\bpk.exe -> TrojanSpy.Perflogger.a : Cleaned with backup
D:\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Program Files\Perfect Keylogger Lite\lview.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
D:\Program Files\Perfect Keylogger Lite\uninstall.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup


::Report End



And here is the HijackThis log (done after I've followed the steps):

Logfile of HijackThis v1.99.1
Scan saved at 2:32:37 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
D:\Program Files\AIM95\aim.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Computer Security Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\awtss.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nitro5x] c:\nitro5x\nitro5x.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SsAAD.exe] D:\A)RYAN~1\SsAAD.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [LeechGet] "D:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [024h Lucky Reminder] "D:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe
O4 - HKCU\..\Run: [WinUpdateProtection] c:\windowsupdate\ufp\kl7\csrss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.cncden.com
O15 - Trusted Zone: http://www.egosoft.com
O15 - Trusted Zone: http://dynamic6.gamespy.com
O15 - Trusted Zone: http://wowvault.ign.com
O15 - Trusted Zone: http://www.machall.com
O15 - Trusted Zone: http://www.nightmarearmor.com
O15 - Trusted Zone: http://www.nuklearpower.com
O15 - Trusted Zone: http://www.penny-arcade.com
O15 - Trusted Zone: http://www.psychodogstudios.net
O15 - Trusted Zone: http://www.redvsblue.com
O15 - Trusted Zone: http://www.rpgplanet.com
O15 - Trusted Zone: http://www.xenforcers.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://ccon.futurema...lobal/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CWShredder Service - Unknown owner - D:\Computer Security Files\CWSshredder\cwshredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



I just want to say now, thanks for any help anyone gives.

#2
Wizard

    Retired Staff
  • 5,661 posts
Howdy Tego, and welcome to GeekstoGo!

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link on the right, next to "SpySweeper for Home Computers", to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, then click "Next".
    • Choose "Custom" and click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install".
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

#3
Tego

    New Member
  • Topic Starter
  • 7 posts
Thank you for the reply...here is the session log from WebRoot SpySweeper:

********
8:25 AM: | Start of Session, Saturday, November 05, 2005 |
8:25 AM: Spy Sweeper started
8:25 AM: Sweep initiated using definitions version 567
8:25 AM: Starting Memory Sweep
8:25 AM: Found Adware: virtumonde
8:25 AM: Detected running threat: C:\WINDOWS\system32\awtss.dll (ID = 77)
8:29 AM: Memory Sweep Complete, Elapsed Time: 00:03:29
8:29 AM: Starting Registry Sweep
8:29 AM: Found Adware: comet cursor
8:29 AM: HKCR\appid\dmserver.exe\ (1 subtraces) (ID = 106303)
8:29 AM: HKCR\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106304)
8:29 AM: HKLM\software\classes\appid\dmserver.exe\ (1 subtraces) (ID = 106525)
8:29 AM: HKLM\software\classes\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106526)
8:29 AM: Found System Monitor: ufp software
8:29 AM: HKLM\software\classes\interface\{ab14f05e-4c1d-49dc-8bd5-9e6b510b3eba}\ (8 subtraces) (ID = 129674)
8:29 AM: HKLM\software\classes\interface\{b78b0e98-0431-4a6b-8c3d-f240fe8725f5}\ (8 subtraces) (ID = 129675)
8:29 AM: Found System Monitor: stealth webpage recorder
8:29 AM: HKLM\software\blazing tools\ (ID = 142923)
8:29 AM: Found Trojan Horse: trojan-downloader-conhook
8:29 AM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
8:29 AM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
8:29 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
8:29 AM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954591)
8:29 AM: HKLM\software\classes\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954593)
8:29 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (ID = 954595)
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
8:29 AM: Found System Monitor: invisible keylogger
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\microsoft\windows\currentversion\run\ || bpk (ID = 128968)
8:29 AM: Found System Monitor: perfect keylogger
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\blazing tools\ (3 subtraces) (ID = 136699)
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\blazing tools\perfect keylogger\ (2 subtraces) (ID = 136700)
8:29 AM: HKU\S-1-5-21-1163395192-3477723857-56604596-1006\software\blazing tools\ (ID = 136699)
8:29 AM: Found System Monitor: ufp ice remote spy


There is also something else: Ewido keeps picking up this infection, but it seems like it can't clean it. It happens when I connect to the internet, and when I try to pull up Internet Explorer. Here is what comes up:

File: vtuts.dll
Path: C:\WINDOWS\system32
Infection: TrojanDownloader.Agent.yf

Again, thank you for any and all help.

#4
Wizard

    Retired Staff
  • 5,661 posts
Let's see a fresh HijackThis log, please.
#5
Tego

    New Member
  • Topic Starter
  • 7 posts
OK, here is the new HijackThis log... and Ewido has stopped picking up the infection now.

Logfile of HijackThis v1.99.1
Scan saved at 7:43:49 AM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
D:\Computer Security Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...m/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\jkhfc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nitro5x] c:\nitro5x\nitro5x.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SsAAD.exe] D:\A)RYAN~1\SsAAD.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [LeechGet] "D:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [024h Lucky Reminder] "D:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.cncden.com
O15 - Trusted Zone: http://www.egosoft.com
O15 - Trusted Zone: http://dynamic6.gamespy.com
O15 - Trusted Zone: http://wowvault.ign.com
O15 - Trusted Zone: http://www.machall.com
O15 - Trusted Zone: http://www.nightmarearmor.com
O15 - Trusted Zone: http://www.nuklearpower.com
O15 - Trusted Zone: http://www.penny-arcade.com
O15 - Trusted Zone: http://www.psychodogstudios.net
O15 - Trusted Zone: http://www.redvsblue.com
O15 - Trusted Zone: http://www.rpgplanet.com
O15 - Trusted Zone: http://www.xenforcers.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://ccon.futurema...lobal/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CWShredder Service - Unknown owner - D:\Computer Security Files\CWSshredder\cwshredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



Thanks again for the help.

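The entries a helper looks for first in a log like the one above are the Winlogon Notify packages named after short random DLLs in system32 (awtss, vtuts, jkhfc, the Vundo/virtumonde pattern SpySweeper already flagged), the BHO whose file is gone, and the Run entry with no name that launches a csrss.exe from c:\windowsupdate. The triage script below is an added example written for this thread; it is not HijackThis code and not something the forum staff posted. The sample lines are copied from the log above, the heuristics (RANDOM_STEM, CORE_PROCESSES, SYSTEM_DIR_SUFFIXES) and all function names are this example's own assumptions, and a hit is a prompt to look closer, not a verdict.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus a few benign entries so the "nothing to report" path runs too.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\jkhfc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Heuristics (assumptions of this example, tuned to the pattern seen in this thread):
# core Windows process names that must only ever run from the system directory,
# the directory suffixes that count as "system", and the 4-6 lowercase-letter
# stem shape of the random DLL names the adware used here.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIR_SUFFIXES = (r"\windows\system32", r"\windows", r"\winnt\system32", r"\winnt")
RANDOM_STEM = re.compile(r"[a-z]{4,6}")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line was flagged
    line: str      # the offending log line, verbatim


def looks_random(path: str) -> bool:
    """True when the file's stem is a short run of lowercase letters (awtss, jkhfc, ...)."""
    stem, _ = ntpath.splitext(ntpath.basename(path.strip()))
    return RANDOM_STEM.fullmatch(stem) is not None


def in_system_dir(path: str) -> bool:
    """True when the file lives directly in a Windows system directory."""
    return ntpath.dirname(path).lower().rstrip("\\").endswith(SYSTEM_DIR_SUFFIXES)


def first_executable(cmd: str) -> str:
    """Extract the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan O2/O4/O20 lines and return every heuristic hit, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m["path"]
            if path == "(no file)":
                findings.append(Finding("O2", "BHO registered but its DLL is gone (orphaned entry)", line))
            elif in_system_dir(path) and looks_random(path):
                findings.append(Finding("O2", "BHO DLL in system directory with random-looking name", line))
        elif m := O4_RE.match(line):
            exe = first_executable(m["cmd"])
            base = ntpath.basename(exe).lower()
            if not m["name"]:
                findings.append(Finding("O4", "Run entry with an empty value name", line))
            if base in CORE_PROCESSES and not in_system_dir(exe):
                findings.append(Finding("O4", f"{base} launched from outside the Windows system directory", line))
        elif m := O20_RE.match(line):
            missing = "(file missing)" in m["path"]
            path = m["path"].replace("(file missing)", "").strip()
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if missing:
                findings.append(Finding("O20", "Winlogon Notify package points at a missing DLL", line))
            if m["key"].lower() == stem.lower() and looks_random(path):
                findings.append(Finding("O20", "Winlogon Notify key named after a random-looking DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports seven hits: the orphaned BHO, the jkhfc.dll BHO, two for the nameless csrss.exe Run entry (empty name, and a core process name outside the system directory), two for the missing awtss.dll notify package, and one for jkhfc. The benign Acrobat, NVIDIA, PC-cillin, Stardock and Webroot lines produce nothing, which is the point of pairing the random-stem check with the "key name equals DLL stem" condition rather than flagging every lowercase filename.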
#6
Wizard

    Retired Staff
  • 5,661 posts
Let's try another run with SpySweeper; Vundo is still in there, and so is some other garbage.

Just make sure to check SpySweeper for updates prior to running it, and let it do its thing.

Once completed, post the session log and a fresh HijackThis log, please.
#7
Tego

    New Member
  • Topic Starter
  • 7 posts
I've re-run Webroot SpySweeper; it was already updated, but it did pick up some more.

Here is the Spysweeper Log:

********
1:27 PM: | Start of Session, Friday, November 11, 2005 |
1:27 PM: Spy Sweeper started
1:27 PM: Sweep initiated using definitions version 571
1:27 PM: Starting Memory Sweep
1:31 PM: Memory Sweep Complete, Elapsed Time: 00:03:57
1:31 PM: Starting Registry Sweep
1:31 PM: Registry Sweep Complete, Elapsed Time:00:00:31
1:31 PM: Starting Cookie Sweep
1:31 PM: Found Spy Cookie: yieldmanager cookie
1:31 PM: [email protected][1].txt (ID = 3751)
1:31 PM: Found Spy Cookie: adknowledge cookie
1:31 PM: ryan@adknowledge[1].txt (ID = 2072)
1:31 PM: Found Spy Cookie: adrevolver cookie
1:31 PM: ryan@adrevolver[1].txt (ID = 2088)
1:31 PM: ryan@adrevolver[3].txt (ID = 2088)
1:31 PM: Found Spy Cookie: advertising cookie
1:31 PM: ryan@advertising[2].txt (ID = 2175)
1:31 PM: Found Spy Cookie: atlas dmt cookie
1:31 PM: ryan@atdmt[2].txt (ID = 2253)
1:31 PM: Found Spy Cookie: belnk cookie
1:31 PM: [email protected][2].txt (ID = 2293)
1:31 PM: Found Spy Cookie: atwola cookie
1:31 PM: ryan@atwola[1].txt (ID = 2255)
1:31 PM: Found Spy Cookie: banner cookie
1:31 PM: ryan@banner[2].txt (ID = 2276)
1:31 PM: ryan@belnk[1].txt (ID = 2292)
1:31 PM: Found Spy Cookie: casalemedia cookie
1:31 PM: ryan@casalemedia[2].txt (ID = 2354)
1:31 PM: [email protected][1].txt (ID = 2293)
1:31 PM: Found Spy Cookie: realmedia cookie
1:31 PM: ryan@realmedia[2].txt (ID = 3235)
1:31 PM: Found Spy Cookie: servedby advertising cookie
1:31 PM: [email protected][2].txt (ID = 3335)
1:31 PM: Found Spy Cookie: tradedoubler cookie
1:31 PM: ryan@tradedoubler[1].txt (ID = 3575)
1:32 PM: brandon [email protected][2].txt (ID = 3751)
1:32 PM: brandon sayers@adknowledge[1].txt (ID = 2072)
1:32 PM: brandon sayers@adrevolver[2].txt (ID = 2088)
1:32 PM: brandon sayers@adrevolver[3].txt (ID = 2088)
1:32 PM: Found Spy Cookie: addynamix cookie
1:32 PM: brandon [email protected][1].txt (ID = 2062)
1:32 PM: Found Spy Cookie: pointroll cookie
1:32 PM: brandon [email protected][1].txt (ID = 3148)
1:32 PM: brandon sayers@advertising[2].txt (ID = 2175)
1:32 PM: Found Spy Cookie: ask cookie
1:32 PM: brandon sayers@ask[1].txt (ID = 2245)
1:32 PM: brandon sayers@atdmt[1].txt (ID = 2253)
1:32 PM: brandon [email protected][2].txt (ID = 2293)
1:32 PM: brandon sayers@atwola[1].txt (ID = 2255)
1:32 PM: brandon sayers@banner[2].txt (ID = 2276)
1:32 PM: brandon sayers@belnk[2].txt (ID = 2292)
1:32 PM: Found Spy Cookie: burstnet cookie
1:32 PM: brandon sayers@burstnet[1].txt (ID = 2336)
1:32 PM: brandon sayers@casalemedia[1].txt (ID = 2354)
1:32 PM: brandon [email protected][2].txt (ID = 2293)
1:32 PM: Found Spy Cookie: ru4 cookie
1:32 PM: brandon [email protected][2].txt (ID = 3269)
1:32 PM: Found Spy Cookie: fastclick cookie
1:32 PM: brandon sayers@fastclick[1].txt (ID = 2651)
1:32 PM: Found Spy Cookie: gamespy cookie
1:32 PM: brandon sayers@gamespy[1].txt (ID = 2719)
1:32 PM: Found Spy Cookie: maxserving cookie
1:32 PM: brandon sayers@maxserving[1].txt (ID = 2966)
1:32 PM: Found Spy Cookie: peel network cookie
1:32 PM: brandon sayers@peel[2].txt (ID = 3127)
1:32 PM: Found Spy Cookie: questionmarket cookie
1:32 PM: brandon sayers@questionmarket[1].txt (ID = 3217)
1:32 PM: brandon sayers@realmedia[2].txt (ID = 3235)
1:32 PM: brandon [email protected][2].txt (ID = 3335)
1:32 PM: Found Spy Cookie: serving-sys cookie
1:32 PM: brandon sayers@serving-sys[1].txt (ID = 3343)
1:32 PM: Found Spy Cookie: statcounter cookie
1:32 PM: brandon sayers@statcounter[1].txt (ID = 3447)
1:32 PM: Found Spy Cookie: webtrendslive cookie
1:32 PM: brandon [email protected][1].txt (ID = 3667)
1:32 PM: Found Spy Cookie: targetnet cookie
1:32 PM: brandon sayers@targetnet[2].txt (ID = 3489)
1:32 PM: brandon sayers@tradedoubler[1].txt (ID = 3575)
1:32 PM: Found Spy Cookie: tribalfusion cookie
1:32 PM: brandon sayers@tribalfusion[2].txt (ID = 3589)
1:32 PM: Found Spy Cookie: burstbeacon cookie
1:32 PM: brandon [email protected][1].txt (ID = 2335)
1:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
1:32 PM: Starting File Sweep
1:43 PM: Found Adware: icondroppers
1:43 PM: soaf.ico (ID = 188048)
1:58 PM: soaf.ico (ID = 188048)
2:11 PM: File Sweep Complete, Elapsed Time: 00:39:44
2:11 PM: Full Sweep has completed. Elapsed time 00:44:28
2:11 PM: Traces Found: 48
2:12 PM: Removal process initiated
2:12 PM: Quarantining All Traces: icondroppers
2:12 PM: Quarantining All Traces: addynamix cookie
2:12 PM: Quarantining All Traces: adknowledge cookie
2:12 PM: Quarantining All Traces: adrevolver cookie
2:12 PM: Quarantining All Traces: advertising cookie
2:12 PM: Quarantining All Traces: ask cookie
2:12 PM: Quarantining All Traces: atlas dmt cookie
2:12 PM: Quarantining All Traces: atwola cookie
2:12 PM: Quarantining All Traces: banner cookie
2:12 PM: Quarantining All Traces: belnk cookie
2:12 PM: Quarantining All Traces: burstbeacon cookie
2:12 PM: Quarantining All Traces: burstnet cookie
2:12 PM: Quarantining All Traces: casalemedia cookie
2:12 PM: Quarantining All Traces: fastclick cookie
2:12 PM: Quarantining All Traces: gamespy cookie
2:12 PM: Quarantining All Traces: maxserving cookie
2:12 PM: Quarantining All Traces: peel network cookie
2:12 PM: Quarantining All Traces: pointroll cookie
2:12 PM: Quarantining All Traces: questionmarket cookie
2:12 PM: Quarantining All Traces: realmedia cookie
2:12 PM: Quarantining All Traces: ru4 cookie
2:12 PM: Quarantining All Traces: servedby advertising cookie
2:12 PM: Quarantining All Traces: serving-sys cookie
2:12 PM: Quarantining All Traces: statcounter cookie
2:12 PM: Quarantining All Traces: targetnet cookie
2:12 PM: Quarantining All Traces: tradedoubler cookie
2:12 PM: Quarantining All Traces: tribalfusion cookie
2:12 PM: Quarantining All Traces: webtrendslive cookie
2:12 PM: Quarantining All Traces: yieldmanager cookie
2:12 PM: Removal process completed. Elapsed time 00:00:19
********
8:25 AM: | Start of Session, Saturday, November 05, 2005 |
8:25 AM: Spy Sweeper started
8:25 AM: Sweep initiated using definitions version 567
8:25 AM: Starting Memory Sweep
8:25 AM: Found Adware: virtumonde
8:25 AM: Detected running threat: C:\WINDOWS\system32\awtss.dll (ID = 77)
8:29 AM: Memory Sweep Complete, Elapsed Time: 00:03:29
8:29 AM: Starting Registry Sweep
8:29 AM: Found Adware: comet cursor
8:29 AM: HKCR\appid\dmserver.exe\ (1 subtraces) (ID = 106303)
8:29 AM: HKCR\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106304)
8:29 AM: HKLM\software\classes\appid\dmserver.exe\ (1 subtraces) (ID = 106525)
8:29 AM: HKLM\software\classes\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106526)
8:29 AM: Found System Monitor: ufp software
8:29 AM: HKLM\software\classes\interface\{ab14f05e-4c1d-49dc-8bd5-9e6b510b3eba}\ (8 subtraces) (ID = 129674)
8:29 AM: HKLM\software\classes\interface\{b78b0e98-0431-4a6b-8c3d-f240fe8725f5}\ (8 subtraces) (ID = 129675)
8:29 AM: Found System Monitor: stealth webpage recorder
8:29 AM: HKLM\software\blazing tools\ (ID = 142923)
8:29 AM: Found Trojan Horse: trojan-downloader-conhook
8:29 AM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
8:29 AM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
8:29 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
8:29 AM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954591)
8:29 AM: HKLM\software\classes\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954593)
8:29 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (ID = 954595)
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
8:29 AM: Found System Monitor: invisible keylogger
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\microsoft\windows\currentversion\run\ || bpk (ID = 128968)
8:29 AM: Found System Monitor: perfect keylogger
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\blazing tools\ (3 subtraces) (ID = 136699)
8:29 AM: HKU\WRSS_Profile_S-1-5-21-1163395192-3477723857-56604596-1010\software\blazing tools\perfect keylogger\ (2 subtraces) (ID = 136700)
8:29 AM: HKU\S-1-5-21-1163395192-3477723857-56604596-1006\software\blazing tools\ (ID = 136699)
8:29 AM: Found System Monitor: ufp ice remote spy
8:29 AM: HKU\S-1-5-21-1163395192-3477723857-56604596-1006\software\microsoft\windows\currentversion\run\ || winupdateprotection (ID = 789488)
8:29 AM: Found System Monitor: ufp keylogger buddy
8:29 AM: HKU\S-1-5-21-1163395192-3477723857-56604596-1006\software\microsoft\windows\currentversion\run\ || winupdateprotection (ID = 793129)
8:29 AM: Registry Sweep Complete, Elapsed Time:00:00:29
8:29 AM: Starting Cookie Sweep
8:29 AM: Found Spy Cookie: 2o7.net cookie
8:29 AM: ryan@2o7[1].txt (ID = 1957)
8:29 AM: Found Spy Cookie: yieldmanager cookie
8:29 AM: [email protected][1].txt (ID = 3751)
8:29 AM: Found Spy Cookie: adknowledge cookie
8:29 AM: ryan@adknowledge[2].txt (ID = 2072)
8:29 AM: Found Spy Cookie: adrevolver cookie
8:29 AM: ryan@adrevolver[1].txt (ID = 2088)
8:29 AM: ryan@adrevolver[3].txt (ID = 2088)
8:29 AM: Found Spy Cookie: addynamix cookie
8:29 AM: [email protected][1].txt (ID = 2062)
8:29 AM: Found Spy Cookie: pointroll cookie
8:29 AM: [email protected][1].txt (ID = 3148)
8:29 AM: Found Spy Cookie: advertising cookie
8:29 AM: ryan@advertising[2].txt (ID = 2175)
8:29 AM: Found Spy Cookie: atwola cookie
8:29 AM: [email protected][1].txt (ID = 2256)
8:29 AM: Found Spy Cookie: falkag cookie
8:29 AM: [email protected][2].txt (ID = 2650)
8:29 AM: Found Spy Cookie: ask cookie
8:29 AM: ryan@ask[1].txt (ID = 2245)
8:29 AM: Found Spy Cookie: atlas dmt cookie
8:29 AM: ryan@atdmt[1].txt (ID = 2253)
8:29 AM: Found Spy Cookie: belnk cookie
8:29 AM: [email protected][2].txt (ID = 2293)
8:29 AM: ryan@atwola[1].txt (ID = 2255)
8:29 AM: Found Spy Cookie: banner cookie
8:29 AM: ryan@banner[2].txt (ID = 2276)
8:29 AM: ryan@belnk[2].txt (ID = 2292)
8:29 AM: Found Spy Cookie: casalemedia cookie
8:29 AM: ryan@casalemedia[2].txt (ID = 2354)
8:29 AM: Found Spy Cookie: directtrack cookie
8:29 AM: ryan@directtrack[1].txt (ID = 2527)
8:29 AM: [email protected][1].txt (ID = 2293)
8:29 AM: Found Spy Cookie: ru4 cookie
8:29 AM: [email protected][2].txt (ID = 3269)
8:29 AM: Found Spy Cookie: fastclick cookie
8:29 AM: ryan@fastclick[1].txt (ID = 2651)
8:29 AM: Found Spy Cookie: go2net.com cookie
8:29 AM: ryan@go2net[1].txt (ID = 2730)
8:29 AM: Found Spy Cookie: mashka cookie
8:29 AM: ryan@mashka[1].txt (ID = 2949)
8:29 AM: Found Spy Cookie: nextag cookie
8:29 AM: ryan@nextag[1].txt (ID = 5014)
8:29 AM: Found Spy Cookie: shop@home cookie
8:29 AM: [email protected][1].txt (ID = 3368)
8:29 AM: Found Spy Cookie: peel network cookie
8:29 AM: ryan@peel[2].txt (ID = 3127)
8:29 AM: Found Spy Cookie: questionmarket cookie
8:29 AM: ryan@questionmarket[1].txt (ID = 3217)
8:29 AM: [email protected][2].txt (ID = 2528)
8:29 AM: Found Spy Cookie: realmedia cookie
8:29 AM: ryan@realmedia[1].txt (ID = 3235)
8:29 AM: Found Spy Cookie: servedby advertising cookie
8:29 AM: [email protected][1].txt (ID = 3335)
8:29 AM: Found Spy Cookie: sexlist cookie
8:29 AM: ryan@sexlist[1].txt (ID = 3353)
8:29 AM: Found Spy Cookie: reliablestats cookie
8:29 AM: [email protected][1].txt (ID = 3254)
8:29 AM: Found Spy Cookie: targetnet cookie
8:29 AM: ryan@targetnet[2].txt (ID = 3489)
8:29 AM: Found Spy Cookie: tradedoubler cookie
8:29 AM: ryan@tradedoubler[1].txt (ID = 3575)
8:29 AM: Found Spy Cookie: trafficmp cookie
8:29 AM: ryan@trafficmp[2].txt (ID = 3581)
8:29 AM: Found Spy Cookie: tribalfusion cookie
8:29 AM: ryan@tribalfusion[2].txt (ID = 3589)
8:29 AM: Found Spy Cookie: winantiviruspro cookie
8:29 AM: [email protected][2].txt (ID = 3690)
8:29 AM: Found Spy Cookie: adserver cookie
8:29 AM: [email protected][1].txt (ID = 2142)
8:29 AM: Found Spy Cookie: zedo cookie
8:29 AM: ryan@zedo[1].txt (ID = 3762)
8:29 AM: Found Spy Cookie: about cookie
8:29 AM: aaron sayers@about[1].txt (ID = 2037)
8:29 AM: Found Spy Cookie: ad-rotator cookie
8:29 AM: aaron sayers@ad-rotator[2].txt (ID = 2051)
8:29 AM: aaron sayers@adknowledge[1].txt (ID = 2072)
8:29 AM: Found Spy Cookie: ads.adsag cookie
8:29 AM: aaron [email protected][1].txt (ID = 2108)
8:29 AM: Found Spy Cookie: apmebf cookie
8:29 AM: aaron sayers@apmebf[1].txt (ID = 2229)
8:29 AM: aaron sayers@ask[1].txt (ID = 2245)
8:29 AM: aaron sayers@atwola[2].txt (ID = 2255)
8:29 AM: Found Spy Cookie: azjmp cookie
8:29 AM: aaron sayers@azjmp[2].txt (ID = 2270)
8:29 AM: Found Spy Cookie: banners cookie
8:29 AM: aaron sayers@banners[1].txt (ID = 2282)
8:29 AM: aaron sayers@belnk[1].txt (ID = 2292)
8:29 AM: Found Spy Cookie: bravenet cookie
8:29 AM: aaron sayers@bravenet[2].txt (ID = 2322)
8:29 AM: Found Spy Cookie: enhance cookie
8:29 AM: aaron [email protected][2].txt (ID = 2614)
8:29 AM: Found Spy Cookie: gostats cookie
8:29 AM: aaron [email protected][2].txt (ID = 2748)
8:29 AM: Found Spy Cookie: tickle cookie
8:29 AM: aaron [email protected][1].txt (ID = 3530)
8:29 AM: Found Spy Cookie: go.com cookie
8:29 AM: aaron [email protected][1].txt (ID = 2729)
8:29 AM: aaron [email protected][2].txt (ID = 2293)
8:29 AM: Found Spy Cookie: domainsponsor cookie
8:29 AM: aaron sayers@domainsponsor[1].txt (ID = 2533)
8:29 AM: Found Spy Cookie: adbureau cookie
8:29 AM: aaron [email protected][1].txt (ID = 2060)
8:29 AM: Found Spy Cookie: exitexchange cookie
8:29 AM: aaron sayers@exitexchange[1].txt (ID = 2633)
8:29 AM: aaron [email protected][2].txt (ID = 2038)
8:29 AM: Found Spy Cookie: gamespy cookie
8:29 AM: aaron sayers@gamespy[2].txt (ID = 2719)
8:29 AM: aaron sayers@gostats[2].txt (ID = 2747)
8:29 AM: aaron sayers@go[1].txt (ID = 2728)
8:29 AM: aaron [email protected][1].txt (ID = 2038)
8:29 AM: Found Spy Cookie: tripod cookie
8:29 AM: aaron [email protected][1].txt (ID = 3592)
8:29 AM: Found Spy Cookie: kount cookie
8:29 AM: aaron sayers@kount[1].txt (ID = 2911)
8:29 AM: aaron [email protected][1].txt (ID = 2535)
8:29 AM: Found Spy Cookie: maxserving cookie
8:29 AM: aaron sayers@maxserving[2].txt (ID = 2966)
8:29 AM: Found Spy Cookie: mygeek cookie
8:29 AM: aaron sayers@mygeek[1].txt (ID = 3041)
8:29 AM: aaron sayers@nextag[1].txt (ID = 5014)
8:29 AM: aaron [email protected][1].txt (ID = 3042)
8:29 AM: aaron [email protected][2].txt (ID = 2038)
8:29 AM: Found Spy Cookie: qsrch cookie
8:29 AM: aaron sayers@qsrch[1].txt (ID = 3215)
8:29 AM: aaron sayers@realmedia[2].txt (ID = 3235)
8:29 AM: Found Spy Cookie: rightmedia cookie
8:29 AM: aaron sayers@rightmedia[2].txt (ID = 3259)
8:29 AM: Found Spy Cookie: servlet cookie
8:29 AM: aaron sayers@servlet[2].txt (ID = 3345)
8:29 AM: Found Spy Cookie: clicktracks cookie
8:29 AM: aaron [email protected][1].txt (ID = 2407)
8:29 AM: aaron sayers@tickle[1].txt (ID = 3529)
8:29 AM: Found Spy Cookie: tmpad cookie
8:29 AM: aaron sayers@tmpad[1].txt (ID = 3545)
8:29 AM: aaron sayers@tripod[1].txt (ID = 3591)
8:29 AM: Found Spy Cookie: vendaregroup cookie
8:29 AM: aaron sayers@vendaregroup[1].txt (ID = 3634)
8:29 AM: Found Spy Cookie: affiliatefuel.com cookie
8:29 AM: aaron [email protected][1].txt (ID = 2202)
8:29 AM: Found Spy Cookie: mp3downloading cookie
8:29 AM: aaron [email protected][1].txt (ID = 3017)
8:29 AM: Found Spy Cookie: screensavers.com cookie
8:29 AM: aaron [email protected][2].txt (ID = 3298)
8:29 AM: Found Spy Cookie: starpulse cookie
8:29 AM: aaron [email protected][1].txt (ID = 3440)
8:29 AM: aaron [email protected][1].txt (ID = 2719)
8:29 AM: Found Spy Cookie: xiti cookie
8:29 AM: aaron sayers@xiti[1].txt (ID = 3717)
8:29 AM: aaron [email protected][1].txt (ID = 3042)
8:29 AM: aaron sayers@zedo[2].txt (ID = 3762)
8:29 AM: brandon sayers@2o7[1].txt (ID = 1957)
8:29 AM: Found Spy Cookie: 3 cookie
8:29 AM: brandon sayers@3[1].txt (ID = 1959)
8:29 AM: Found Spy Cookie: 64.62.232 cookie
8:29 AM: brandon [email protected][2].txt (ID = 1987)
8:29 AM: Found Spy Cookie: websponsors cookie
8:29 AM: brandon [email protected][2].txt (ID = 3665)
8:29 AM: brandon [email protected][2].txt (ID = 3751)
8:29 AM: Found Spy Cookie: adecn cookie
8:29 AM: brandon sayers@adecn[2].txt (ID = 2063)
8:29 AM: brandon sayers@adknowledge[2].txt (ID = 2072)
8:29 AM: Found Spy Cookie: adlegend cookie
8:29 AM: brandon sayers@adlegend[1].txt (ID = 2074)
8:29 AM: Found Spy Cookie: hbmediapro cookie
8:29 AM: brandon [email protected][2].txt (ID = 2768)
8:29 AM: Found Spy Cookie: specificclick.com cookie
8:29 AM: brandon [email protected][2].txt (ID = 3400)
8:29 AM: Found Spy Cookie: adprofile cookie
8:29 AM: brandon sayers@adprofile[2].txt (ID = 2084)
8:29 AM: brandon sayers@adrevolver[1].txt (ID = 2088)
8:29 AM: brandon sayers@adrevolver[2].txt (ID = 2088)
8:29 AM: Found Spy Cookie: cc214142 cookie
8:29 AM: brandon [email protected][1].txt (ID = 2367)
8:29 AM: brandon [email protected][1].txt (ID = 3148)
8:29 AM: Found Spy Cookie: adultfriendfinder cookie
8:29 AM: brandon sayers@adultfriendfinder[2].txt (ID = 2165)
8:29 AM: brandon sayers@advertising[2].txt (ID = 2175)
8:29 AM: brandon [email protected][1].txt (ID = 2256)
8:29 AM: brandon [email protected][1].txt (ID = 2650)
8:29 AM: Found Spy Cookie: askmen cookie
8:29 AM: brandon sayers@askmen[1].txt (ID = 2247)
8:29 AM: brandon sayers@ask[1].txt (ID = 2245)
8:29 AM: brandon sayers@atdmt[2].txt (ID = 2253)
8:29 AM: brandon [email protected][2].txt (ID = 2293)
8:29 AM: brandon sayers@atwola[2].txt (ID = 2255)
8:29 AM: brandon sayers@azjmp[1].txt (ID = 2270)
8:29 AM: brandon sayers@banners[1].txt (ID = 2282)
8:29 AM: brandon sayers@banner[2].txt (ID = 2276)
8:29 AM: brandon sayers@belnk[1].txt (ID = 2292)
8:29 AM: Found Spy Cookie: burstnet cookie
8:29 AM: brandon sayers@burstnet[1].txt (ID = 2336)
8:29 AM: Found Spy Cookie: barelylegal cookie
8:29 AM: brandon [email protected][1].txt (ID = 2286)
8:29 AM: brandon sayers@casalemedia[1].txt (ID = 2354)
8:29 AM: Found Spy Cookie: contextuads cookie
8:29 AM: brandon sayers@contextuads[1].txt (ID = 2461)
8:29 AM: brandon sayers@directtrack[2].txt (ID = 2527)
8:29 AM: brandon [email protected][1].txt (ID = 2293)
8:29 AM: Found Spy Cookie: dist cookie
8:29 AM: brandon sayers@dist[1].txt (ID = 4648)
8:29 AM: brandon sayers@fastclick[1].txt (ID = 2651)
8:29 AM: brandon sayers@gamespy[2].txt (ID = 2719)
8:29 AM: brandon sayers@gostats[2].txt (ID = 2747)
8:29 AM: Found Spy Cookie: homestore cookie
8:29 AM: brandon sayers@homestore[1].txt (ID = 2793)
8:29 AM: brandon sayers@mashka[1].txt (ID = 2949)
8:29 AM: brandon sayers@maxserving[1].txt (ID = 2966)
8:29 AM: brandon sayers@nextag[2].txt (ID = 5014)
8:29 AM: Found Spy Cookie: offeroptimizer cookie
8:29 AM: brandon sayers@offeroptimizer[2].txt (ID = 3087)
8:29 AM: Found Spy Cookie: tvguide cookie
8:29 AM: brandon [email protected][1].txt (ID = 3600)
8:29 AM: Found Spy Cookie: passion cookie
8:29 AM: brandon sayers@passion[1].txt (ID = 3113)
8:29 AM: brandon [email protected][2].txt (ID = 2719)
8:29 AM: brandon sayers@peel[2].txt (ID = 3127)
8:29 AM: Found Spy Cookie: pokerroom cookie
8:29 AM: brandon sayers@pokerroom[1].txt (ID = 3149)
8:29 AM: brandon sayers@questionmarket[1].txt (ID = 3217)
8:29 AM: brandon [email protected][2].txt (ID = 2528)
8:29 AM: brandon sayers@realmedia[2].txt (ID = 3235)
8:29 AM: brandon [email protected][1].txt (ID = 3600)
8:29 AM: brandon [email protected][1].txt (ID = 3600)
8:29 AM: brandon [email protected][2].txt (ID = 3335)
8:29 AM: Found Spy Cookie: serving-sys cookie
8:29 AM: brandon sayers@serving-sys[1].txt (ID = 3343)
8:29 AM: brandon sayers@servlet[1].txt (ID = 3345)
8:29 AM: Found Spy Cookie: statcounter cookie
8:29 AM: brandon sayers@statcounter[1].txt (ID = 3447)
8:29 AM: brandon [email protected][1].txt (ID = 3254)
8:29 AM: brandon sayers@tradedoubler[2].txt (ID = 3575)
8:29 AM: brandon sayers@trafficmp[1].txt (ID = 3581)
8:29 AM: brandon sayers@tribalfusion[2].txt (ID = 3589)
8:29 AM: brandon sayers@tvguide[2].txt (ID = 3599)
8:29 AM: Found Spy Cookie: ugo cookie
8:29 AM: brandon sayers@ugo[1].txt (ID = 3608)
8:29 AM: brandon [email protected][2].txt (ID = 2246)
8:29 AM: Found Spy Cookie: webpower cookie
8:29 AM: brandon sayers@webpower[1].txt (ID = 3660)
8:29 AM: Found Spy Cookie: burstbeacon cookie
8:29 AM: brandon [email protected][2].txt (ID = 2335)
8:29 AM: brandon [email protected][2].txt (ID = 2719)
8:29 AM: Found Spy Cookie: hermoment.com cookie
8:29 AM: brandon [email protected][1].txt (ID = 2774)
8:29 AM: brandon [email protected][1].txt (ID = 5015)
8:29 AM: brandon [email protected][2].txt (ID = 3690)
8:29 AM: Found Spy Cookie: claxonmedia cookie
8:29 AM: brandon [email protected][1].txt (ID = 2388)
8:29 AM: brandon [email protected][2].txt (ID = 2389)
8:29 AM: brandon [email protected][1].txt (ID = 2774)
8:29 AM: brandon [email protected][1].txt (ID = 2387)
8:29 AM: brandon [email protected][1].txt (ID = 2719)
8:29 AM: brandon [email protected][1].txt (ID = 2142)
8:29 AM: brandon sayers@zedo[1].txt (ID = 3762)
8:29 AM: Copy of brandon [email protected][1].txt (ID = 2293)
8:29 AM: Copy of brandon sayers@belnk[1].txt (ID = 2292)
8:29 AM: Copy of brandon [email protected][1].txt (ID = 2293)
8:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:11
8:29 AM: Starting File Sweep
8:29 AM: Found Adware: bullguard popup ad
8:29 AM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
8:29 AM: Found System Monitor: spy agent
8:29 AM: c:\windows\syscache (3 subtraces) (ID = -2147480296)
8:29 AM: c:\windowsupdate\ufp (6 subtraces) (ID = -2147472209)
8:36 AM: Found System Monitor: spyanywhere
8:36 AM: libimg.dll (ID = 76348)
8:39 AM: bulldownload.exe (ID = 52017)
8:47 AM: dm.inf (ID = 53552)
8:48 AM: Found System Monitor: ufp 007 spy
8:48 AM: unins000.exe (ID = 48061)
8:49 AM: Found Adware: apropos
8:49 AM: exec.exe (ID = 50118)
8:51 AM: Found Adware: cws-aboutblank
8:51 AM: blank.htm (ID = 54894)
9:01 AM: spyagent4.exe (ID = 76384)
9:01 AM: bpk.chm (ID = 72405)
9:02 AM: downloads.url (ID = 72428)
9:03 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:04 AM: Warning: Unhandled Archive Type
9:06 AM: Warning: Unhandled Archive Type
9:06 AM: Warning: Unhandled Archive Type
9:13 AM: Warning: Unhandled Archive Type
9:13 AM: Warning: Unhandled Archive Type
9:13 AM: Warning: Unhandled Archive Type
9:13 AM: Warning: Unhandled Archive Type
9:16 AM: Warning: Unhandled Archive Type
9:30 AM: BHO Shield: found: -- BHO installation allowed at user request
10:29 AM: uninstall bulletproof ftp (client).lnk (ID = 48061)
10:30 AM: File Sweep Complete, Elapsed Time: 02:01:08
10:30 AM: Full Sweep has completed. Elapsed time 02:05:19
10:30 AM: Traces Found: 267
10:40 AM: Removal process initiated
10:41 AM: Quarantining All Traces: cws-aboutblank
10:41 AM: Quarantining All Traces: invisible keylogger
10:41 AM: Quarantining All Traces: perfect keylogger
10:41 AM: Quarantining All Traces: spy agent
10:41 AM: Quarantining All Traces: spyanywhere
10:41 AM: Quarantining All Traces: stealth webpage recorder
10:41 AM: Quarantining All Traces: ufp 007 spy
10:41 AM: Quarantining All Traces: ufp ice remote spy
10:41 AM: Quarantining All Traces: ufp keylogger buddy
10:41 AM: Quarantining All Traces: ufp software
10:41 AM: Quarantining All Traces: virtumonde
10:42 AM: virtumonde is in use. It will be removed on reboot.
10:42 AM: C:\WINDOWS\system32\awtss.dll is in use. It will be removed on reboot.
10:42 AM: Quarantining All Traces: apropos
10:42 AM: Quarantining All Traces: comet cursor
10:42 AM: Quarantining All Traces: trojan-downloader-conhook
10:42 AM: Quarantining All Traces: bullguard popup ad
10:42 AM: Quarantining All Traces: 2o7.net cookie
10:42 AM: Quarantining All Traces: 3 cookie
10:42 AM: Quarantining All Traces: 64.62.232 cookie
10:42 AM: Quarantining All Traces: about cookie
10:42 AM: Quarantining All Traces: adbureau cookie
10:42 AM: Quarantining All Traces: addynamix cookie
10:42 AM: Quarantining All Traces: adecn cookie
10:42 AM: Quarantining All Traces: adknowledge cookie
10:42 AM: Quarantining All Traces: adlegend cookie
10:42 AM: Quarantining All Traces: adprofile cookie
10:42 AM: Quarantining All Traces: adrevolver cookie
10:42 AM: Quarantining All Traces: ad-rotator cookie
10:42 AM: Quarantining All Traces: ads.adsag cookie
10:42 AM: Quarantining All Traces: adserver cookie
10:42 AM: Quarantining All Traces: adultfriendfinder cookie
10:42 AM: Quarantining All Traces: advertising cookie
10:42 AM: Quarantining All Traces: affiliatefuel.com cookie
10:42 AM: Quarantining All Traces: apmebf cookie
10:42 AM: Quarantining All Traces: ask cookie
10:42 AM: Quarantining All Traces: askmen cookie
10:42 AM: Quarantining All Traces: atlas dmt cookie
10:42 AM: Quarantining All Traces: atwola cookie
10:42 AM: Quarantining All Traces: azjmp cookie
10:42 AM: Quarantining All Traces: banner cookie
10:42 AM: Quarantining All Traces: banners cookie
10:42 AM: Quarantining All Traces: barelylegal cookie
10:42 AM: Quarantining All Traces: belnk cookie
10:42 AM: Quarantining All Traces: bravenet cookie
10:42 AM: Quarantining All Traces: burstbeacon cookie
10:42 AM: Quarantining All Traces: burstnet cookie
10:42 AM: Quarantining All Traces: casalemedia cookie
10:42 AM: Quarantining All Traces: cc214142 cookie
10:42 AM: Quarantining All Traces: claxonmedia cookie
10:42 AM: Quarantining All Traces: clicktracks cookie
10:42 AM: Quarantining All Traces: contextuads cookie
10:42 AM: Quarantining All Traces: directtrack cookie
10:42 AM: Quarantining All Traces: dist cookie
10:42 AM: Quarantining All Traces: domainsponsor cookie
10:42 AM: Quarantining All Traces: enhance cookie
10:42 AM: Quarantining All Traces: exitexchange cookie
10:42 AM: Quarantining All Traces: falkag cookie
10:42 AM: Quarantining All Traces: fastclick cookie
10:42 AM: Quarantining All Traces: gamespy cookie
10:42 AM: Quarantining All Traces: go.com cookie
10:42 AM: Quarantining All Traces: go2net.com cookie
10:42 AM: Quarantining All Traces: gostats cookie
10:42 AM: Quarantining All Traces: hbmediapro cookie
10:42 AM: Quarantining All Traces: hermoment.com cookie
10:42 AM: Quarantining All Traces: homestore cookie
10:42 AM: Quarantining All Traces: kount cookie
10:42 AM: Quarantining All Traces: mashka cookie
10:42 AM: Quarantining All Traces: maxserving cookie
10:42 AM: Quarantining All Traces: mp3downloading cookie
10:42 AM: Quarantining All Traces: mygeek cookie
10:42 AM: Quarantining All Traces: nextag cookie
10:42 AM: Quarantining All Traces: offeroptimizer cookie
10:42 AM: Quarantining All Traces: passion cookie
10:42 AM: Quarantining All Traces: peel network cookie
10:42 AM: Quarantining All Traces: pointroll cookie
10:42 AM: Quarantining All Traces: pokerroom cookie
10:42 AM: Quarantining All Traces: qsrch cookie
10:42 AM: Quarantining All Traces: questionmarket cookie
10:42 AM: Quarantining All Traces: realmedia cookie
10:42 AM: Quarantining All Traces: reliablestats cookie
10:42 AM: Quarantining All Traces: rightmedia cookie
10:42 AM: Quarantining All Traces: ru4 cookie
10:42 AM: Quarantining All Traces: screensavers.com cookie
10:42 AM: Quarantining All Traces: servedby advertising cookie
10:42 AM: Quarantining All Traces: serving-sys cookie
10:42 AM: Quarantining All Traces: servlet cookie
10:42 AM: Quarantining All Traces: sexlist cookie
10:42 AM: Quarantining All Traces: shop@home cookie
10:42 AM: Quarantining All Traces: specificclick.com cookie
10:42 AM: Quarantining All Traces: starpulse cookie
10:42 AM: Quarantining All Traces: statcounter cookie
10:42 AM: Quarantining All Traces: targetnet cookie
10:42 AM: Quarantining All Traces: tickle cookie
10:42 AM: Quarantining All Traces: tmpad cookie
10:42 AM: Quarantining All Traces: tradedoubler cookie
10:42 AM: Quarantining All Traces: trafficmp cookie
10:42 AM: Quarantining All Traces: tribalfusion cookie
10:42 AM: Quarantining All Traces: tripod cookie
10:42 AM: Quarantining All Traces: tvguide cookie
10:42 AM: Quarantining All Traces: ugo cookie
10:42 AM: Quarantining All Traces: vendaregroup cookie
10:42 AM: Quarantining All Traces: webpower cookie
10:42 AM: Quarantining All Traces: websponsors cookie
10:42 AM: Quarantining All Traces: winantiviruspro cookie
10:42 AM: Quarantining All Traces: xiti cookie
10:42 AM: Quarantining All Traces: yieldmanager cookie
10:42 AM: Quarantining All Traces: zedo cookie
10:42 AM: Warning: Launched explorer.exe
10:42 AM: Warning: Quarantine process could not restart Explorer.
10:44 AM: Removal process completed. Elapsed time 00:03:32
1:23 PM: Your spyware definitions have been updated.
1:27 PM: Deletion from quarantine initiated
1:27 PM: Processing: 2o7.net cookie
1:27 PM: Processing: 3 cookie
1:27 PM: Processing: 64.62.232 cookie
1:27 PM: Processing: about cookie
1:27 PM: Processing: adbureau cookie
1:27 PM: Processing: addynamix cookie
1:27 PM: Processing: adecn cookie
1:27 PM: Processing: adknowledge cookie
1:27 PM: Processing: adlegend cookie
1:27 PM: Processing: adprofile cookie
1:27 PM: Processing: adrevolver cookie
1:27 PM: Processing: ad-rotator cookie
1:27 PM: Processing: ads.adsag cookie
1:27 PM: Processing: adserver cookie
1:27 PM: Processing: adultfriendfinder cookie
1:27 PM: Processing: advertising cookie
1:27 PM: Processing: affiliatefuel.com cookie
1:27 PM: Processing: apmebf cookie
1:27 PM: Processing: apropos
1:27 PM: Processing: ask cookie
1:27 PM: Processing: askmen cookie
1:27 PM: Processing: atlas dmt cookie
1:27 PM: Processing: atwola cookie
1:27 PM: Processing: azjmp cookie
1:27 PM: Processing: banner cookie
1:27 PM: Processing: banners cookie
1:27 PM: Processing: barelylegal cookie
1:27 PM: Processing: belnk cookie
1:27 PM: Processing: bravenet cookie
1:27 PM: Processing: bullguard popup ad
1:27 PM: Processing: burstbeacon cookie
1:27 PM: Processing: burstnet cookie
1:27 PM: Processing: casalemedia cookie
1:27 PM: Processing: cc214142 cookie
1:27 PM: Processing: claxonmedia cookie
1:27 PM: Processing: clicktracks cookie
1:27 PM: Processing: comet cursor
1:27 PM: Processing: contextuads cookie
1:27 PM: Processing: cws-aboutblank
1:27 PM: Processing: directtrack cookie
1:27 PM: Processing: dist cookie
1:27 PM: Processing: domainsponsor cookie
1:27 PM: Processing: enhance cookie
1:27 PM: Processing: exitexchange cookie
1:27 PM: Processing: falkag cookie
1:27 PM: Processing: fastclick cookie
1:27 PM: Processing: gamespy cookie
1:27 PM: Processing: go.com cookie
1:27 PM: Processing: go2net.com cookie
1:27 PM: Processing: gostats cookie
1:27 PM: Processing: hbmediapro cookie
1:27 PM: Processing: hermoment.com cookie
1:27 PM: Processing: homestore cookie
1:27 PM: Processing: invisible keylogger
1:27 PM: Processing: kount cookie
1:27 PM: Processing: mashka cookie
1:27 PM: Processing: maxserving cookie
1:27 PM: Processing: mp3downloading cookie
1:27 PM: Processing: mygeek cookie
1:27 PM: Processing: nextag cookie
1:27 PM: Processing: offeroptimizer cookie
1:27 PM: Processing: passion cookie
1:27 PM: Processing: peel network cookie
1:27 PM: Processing: perfect keylogger
1:27 PM: Processing: pointroll cookie
1:27 PM: Processing: pokerroom cookie
1:27 PM: Processing: qsrch cookie
1:27 PM: Processing: questionmarket cookie
1:27 PM: Processing: realmedia cookie
1:27 PM: Processing: reliablestats cookie
1:27 PM: Processing: rightmedia cookie
1:27 PM: Processing: ru4 cookie
1:27 PM: Processing: screensavers.com cookie
1:27 PM: Processing: servedby advertising cookie
1:27 PM: Processing: serving-sys cookie
1:27 PM: Processing: servlet cookie
1:27 PM: Processing: sexlist cookie
1:27 PM: Processing: shop@home cookie
1:27 PM: Processing: specificclick.com cookie
1:27 PM: Processing: spy agent
1:27 PM: Processing: spyanywhere
1:27 PM: Processing: starpulse cookie
1:27 PM: Processing: statcounter cookie
1:27 PM: Processing: stealth webpage recorder
1:27 PM: Processing: targetnet cookie
1:27 PM: Processing: tickle cookie
1:27 PM: Processing: tmpad cookie
1:27 PM: Processing: tradedoubler cookie
1:27 PM: Processing: trafficmp cookie
1:27 PM: Processing: tribalfusion cookie
1:27 PM: Processing: tripod cookie
1:27 PM: Processing: trojan-downloader-conhook
1:27 PM: Processing: tvguide cookie
1:27 PM: Processing: ufp 007 spy
1:27 PM: Processing: ufp ice remote spy
1:27 PM: Processing: ufp software
1:27 PM: Processing: ugo cookie
1:27 PM: Processing: vendaregroup cookie
1:27 PM: Processing: virtumonde
1:27 PM: Processing: webpower cookie
1:27 PM: Processing: websponsors cookie
1:27 PM: Processing: winantiviruspro cookie
1:27 PM: Processing: xiti cookie
1:27 PM: Processing: yieldmanager cookie
1:27 PM: Processing: zedo cookie
1:27 PM: Deletion from quarantine completed. Elapsed time 00:00:02
1:27 PM: | End of Session, Friday, November 11, 2005 |
********
8:15 AM: | Start of Session, Saturday, November 05, 2005 |
8:15 AM: Spy Sweeper started
8:21 AM: Your spyware definitions have been updated.
8:25 AM: | End of Session, Saturday, November 05, 2005 |


And here is another HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:26 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\A) Ryans folders\sonicistage\Omgjbox.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SsDbConnection.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Computer Security Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nitro5x] c:\nitro5x\nitro5x.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SsAAD.exe] D:\A)RYAN~1\SsAAD.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [LeechGet] "D:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [024h Lucky Reminder] "D:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.cncden.com
O15 - Trusted Zone: http://www.egosoft.com
O15 - Trusted Zone: http://dynamic6.gamespy.com
O15 - Trusted Zone: http://wowvault.ign.com
O15 - Trusted Zone: http://www.machall.com
O15 - Trusted Zone: http://www.nightmarearmor.com
O15 - Trusted Zone: http://www.nuklearpower.com
O15 - Trusted Zone: http://www.penny-arcade.com
O15 - Trusted Zone: http://www.psychodogstudios.net
O15 - Trusted Zone: http://www.redvsblue.com
O15 - Trusted Zone: http://www.rpgplanet.com
O15 - Trusted Zone: http://www.xenforcers.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://ccon.futurema...lobal/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CWShredder Service - Unknown owner - D:\Computer Security Files\CWSshredder\cwshredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



Again, Thanks for any help.
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, go into Safe Mode -> locate and delete this folder

c:\windowsupdate


Have HijackThis fix all these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - (no file)

O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe

O15 - Trusted Zone: http://www.cncden.com
O15 - Trusted Zone: http://www.egosoft.com
O15 - Trusted Zone: http://dynamic6.gamespy.com
O15 - Trusted Zone: http://wowvault.ign.com
O15 - Trusted Zone: http://www.machall.com
O15 - Trusted Zone: http://www.nightmarearmor.com
O15 - Trusted Zone: http://www.nuklearpower.com
O15 - Trusted Zone: http://www.penny-arcade.com
O15 - Trusted Zone: http://www.psychodogstudios.net
O15 - Trusted Zone: http://www.redvsblue.com
O15 - Trusted Zone: http://www.rpgplanet.com
O15 - Trusted Zone: http://www.xenforcers.com
<--- Unless you know why these are there!!

O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)

O20 - Winlogon Notify: jkhfc - C:\WINDOWS\

O23 - Service: CWShredder Service - Unknown owner - D:\Computer Security Files\CWSshredder\cwshredder.exe (file missing)


Restart Normal and have the PC scanned here
http://support.f-sec.../home/ols.shtml


Post back with a fresh HijackThis log and the results of the Online Scan.
  • 0
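The reasoning behind the fix list above (a BHO with no file behind it, a Run entry launching a csrss.exe from outside System32, Trusted Zone sites the user may not have added, Winlogon Notify DLLs that no longer exist, a service pointing at a deleted binary) can be written down as checks over the raw log. The script below is an added example for this thread, not code from Geeks to Go or from HijackThis; the trusted search hosts and the sample log (a constructed subset of the lines posted in this thread) are assumptions of the example.

```python
"""Triage of a HijackThis v1.99 log (added example, not part of the thread).

Encodes the reasoning behind the fix list above as checks over the raw log:
orphaned BHO / Winlogon Notify / service entries, a Run entry using a core
Windows binary name outside System32, Trusted Zone sites and hijacked search
keys. SAMPLE_LOG is a constructed subset of the lines posted in this thread.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why a human should look at it
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
# Core Windows process names; one of these outside System32 is a masquerade
# (the thread's csrss.exe under c:\windowsupdate).
SYSTEM_ONLY_NAMES = frozenset({"csrss.exe", "smss.exe", "winlogon.exe",
                               "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"})
# Hosts a search-provider key may point at: an assumption of this example.
TRUSTED_SEARCH_HOSTS = frozenset({"www.google.com", "search.msn.com", "www.yahoo.com"})


def _o4_target(cmd: str) -> str:
    """Program path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_r(body: str) -> Optional[str]:
    key, _, value = body.partition("=")
    if not any(k in key for k in ("Search Bar", "Search Page", "SearchURL")):
        return None
    host = urlsplit(value.strip()).hostname or ""
    return None if host in TRUSTED_SEARCH_HOSTS else f"search key points at unexpected host {host!r}"


def _check_o4(body: str) -> Optional[str]:
    m = O4_RE.match(body)
    if not m:
        return None
    target = _o4_target(m.group("cmd"))
    name = target.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_ONLY_NAMES and not SYSTEM32_RE.match(target):
        return f"{name} is a core Windows binary name but runs from {target!r}"
    return "Run value with an empty name" if m.group("name") == "" else None


def _check_o20(body: str) -> Optional[str]:
    path = body.partition(" - ")[2]
    if path.endswith("(file missing)"):
        return "Winlogon Notify DLL is gone from disk; dead entry left by malware"
    return None if path.lower().endswith(".dll") else f"Winlogon Notify entry without a DLL path: {path!r}"


def _check_o23(body: str) -> Optional[str]:
    if not body.endswith("(file missing)"):
        return None
    if '"' in body:  # HijackThis mangles quoted ImagePaths (the VAIO services in this thread)
        return "reported missing but the ImagePath is quoted; likely a HijackThis parsing quirk, verify by hand"
    return "service whose binary no longer exists; orphaned registration"


def triage(log_text: str) -> List[Finding]:
    """Return every log entry that deserves a human look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = {"R0": _check_r, "R1": _check_r, "O4": _check_o4,
                  "O20": _check_o20, "O23": _check_o23}.get(section, lambda _b: None)(body)
        if section == "O2" and body.endswith("(no file)"):
            reason = "BHO CLSID registered but its DLL is gone; orphaned or hidden entry"
        elif section == "O15":
            reason = "site in the IE Trusted Zone; keep only if you added it yourself"
        elif section == "O17":
            reason = "custom DNS servers; confirm they belong to your ISP"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


# Constructed subset of the lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
O2 - BHO: (no name) - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [] c:\windowsupdate\ufp\irs7\csrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://www.penny-arcade.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CWShredder Service - Unknown owner - D:\Computer Security Files\CWSshredder\cwshredder.exe (file missing)
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The O23 check is deliberately two-tiered: HijackThis prints "(file missing)" for any ImagePath it fails to parse, and the quoted VAIO ImagePaths in this thread's logs are exactly that case, so an entry is only called orphaned when no quoting is involved.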

#9
Tego

Tego

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks again, I've done as you've asked. When in Safe Mode, I only found a folder with the name "windowsupdate". It was empty, but I deleted it anyway.

Those sites you list were put there by me.

Other than the folder thing, HijackThis picked up and deleted all you listed.

Here are the results of the online scan:

C:\Documents and Settings\Aaron Sayers\Temporary Internet Files\Content.IE5\S1ER016N\deliver46860[1].html Exploit.HTML.Mht(?)

C:\RECYCLER\S-1-5-21-1163395192-3477723857-56604596-1007\Dc18\CA67E969.html Trojan-Downloader.JS.FlingStone

C:\WINDOWS\AST.exe Trojan-Downloader.Win32.VB.ah

C:\WINDOWS\system\lsvchost.exe Trojan-DDoS.Win32.Boxed.w

C:\WINDOWS\system\msupdate.exe Backdoor.Win32.Agent.hy

C:\WINDOWS\system32\com32b.exe Backdoor.Win32.Agent.hy

C:\WINDOWS\system32\scprupa.exe Backdoor.Win32.Robobot.ac

C:\WINDOWS\system32\upd32d.exe Trojan-Downloader.Win32.Agent.po

C:\WINDOWS\system32\vtuts.dll Trojan-Downloader.Win32.Agent.yf

C:\WINDOWS\system32\vtutt.dll Trojan-Downloader.Win32.ConHook.l

D:\Other\install.exe Backdoor.Win32.Robobot.ac


And here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:05:54 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Computer Security Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nitro5x] c:\nitro5x\nitro5x.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SsAAD.exe] D:\A)RYAN~1\SsAAD.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [LeechGet] "D:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [024h Lucky Reminder] "D:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://ccon.futurema...lobal/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I'm so sorry for these delays, real life pulled me away for the week!

Post a fresh HijackThis log and let's go from there, I see we have some nasties to get rid of as well from the F-Secure scan.
  • 0

#11
Tego

Tego

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's the fresh Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:01 AM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Computer Security Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bealenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nitro5x] c:\nitro5x\nitro5x.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [SsAAD.exe] D:\A)RYAN~1\SsAAD.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [LeechGet] "D:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [024h Lucky Reminder] "D:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://ccon.futurema...lobal/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E57B50-79FC-4FB6-A314-B98A19A1CED5}: NameServer = 207.78.118.3 198.6.1.1
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe


I don't know how many times I've said it, but thanks again.
  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Open Pocket Killbox-> Copy&Paste each entry below into Killbox

C:\Documents and Settings\Aaron Sayers\Temporary Internet Files\Content.IE5\S1ER016N\deliver46860[1].html
C:\RECYCLER\S-1-5-21-1163395192-3477723857-56604596-1007\Dc18\CA67E969.html
C:\WINDOWS\AST.exe
C:\WINDOWS\system\lsvchost.exe
C:\WINDOWS\system\msupdate.exe
C:\WINDOWS\system32\com32b.exe
C:\WINDOWS\system32\scprupa.exe
C:\WINDOWS\system32\upd32d.exe
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtutt.dll
D:\Other\install.exe


As you paste each entry into Killbox,please place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete


From the WinPFind folder -> double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete" -> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Update SpySweeper-> Scan the System and Save the Session log.

Post that Session log along with the results of WinPFind in the next reply.
  • 0
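One thing a responder would add to the Killbox step above is to keep a copy of each file before it is destroyed: the F-Secure hits (a DDoS bot, two backdoors, several downloaders) are exactly the samples you want to be able to hash and look at later. The script below is an added example for this thread, not part of Pocket Killbox or of the forum's procedure; it hashes each listed path, copies it under its SHA-256 into a quarantine folder with a neutral extension, deletes the original, and records paths that are already gone or still locked instead of aborting. The `demo()` function runs it over constructed files in a scratch directory, standing in for the paths listed in the post.

```python
"""Quarantine-before-delete for a Killbox-style path list (added example,
not part of the thread or of Pocket Killbox)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large samples do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: List[str], qdir: Path) -> Dict[str, dict]:
    """Copy each existing file into qdir as <sha256>.bin, then delete the original.

    Returns a manifest keyed by original path; it is also written to
    qdir/manifest.json so the evidence survives the cleanup session.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, dict] = {}
    for p in paths:
        src = Path(p)
        entry: dict = {"status": "missing"}  # already gone (temp files, earlier cleanup)
        if src.is_file():
            digest = sha256_of(src)
            dest = qdir / f"{digest}.bin"  # neutral extension: nothing will auto-run it
            shutil.copy2(src, dest)        # copy2 keeps timestamps for the timeline
            try:
                src.unlink()
                entry = {"status": "quarantined", "sha256": digest,
                         "size": dest.stat().st_size, "copy": str(dest)}
            except PermissionError:
                # In use by a running process: the copy is kept, the delete has to
                # happen from Safe Mode or on reboot, which is why Killbox offers both.
                entry = {"status": "locked", "sha256": digest, "copy": str(dest)}
        manifest[p] = entry
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> Dict[str, dict]:
    """Run quarantine() over constructed stand-ins for the thread's hit list."""
    root = Path(tempfile.mkdtemp(prefix="killbox-demo-"))
    hits = [root / "system" / "lsvchost.exe",
            root / "system32" / "vtuts.dll",
            root / "Other" / "install.exe"]
    hits[0].parent.mkdir()
    hits[0].write_bytes(b"abc")                  # constructed content, not the real sample
    hits[1].parent.mkdir()
    hits[1].write_bytes(b"MZ" + b"\0" * 64)      # constructed PE-like stub
    # hits[2] is deliberately never created: already gone, like the temp HTML files.
    manifest = quarantine([str(p) for p in hits], root / "quarantine")
    assert not hits[0].exists() and not hits[1].exists()
    assert Path(manifest[str(hits[0])]["copy"]).exists()
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For the two DLLs on the list the page's own advice still applies: unregister them (regsvr32 /u) before the delete so no COM registration points at a missing file, and run the whole thing from Safe Mode so the backdoors are not holding their files open.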