Thank you so much
Spy Sweeper log:
********
8:25 AM: | Start of Session, Saturday, November 12, 2005 |
8:25 AM: Spy Sweeper started
8:25 AM: Sweep initiated using definitions version 572
8:25 AM: Starting Memory Sweep
8:25 AM: Found Adware: virtumonde
8:25 AM: Detected running threat: C:\WINDOWS\system32\ddayw.dll (ID = 77)
8:27 AM: Memory Sweep Complete, Elapsed Time: 00:02:19
8:27 AM: Starting Registry Sweep
8:27 AM: Found Adware: winantispyware 2005
8:27 AM: HKLM\software\winfixer2005\ (1 subtraces) (ID = 813086)
8:27 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\fcrxml.dll (ID = 819066)
8:27 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\prcheck.dll (ID = 819067)
8:27 AM: HKCR\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970282)
8:27 AM: HKCR\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970286)
8:27 AM: HKCR\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970474)
8:27 AM: HKCR\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970551)
8:27 AM: HKLM\software\classes\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970710)
8:27 AM: HKLM\software\classes\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970714)
8:27 AM: HKLM\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970909)
8:27 AM: HKLM\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970986)
8:27 AM: HKU\S-1-5-21-3691353938-4231171917-1034322868-1005\software\microsoft\windows\currentversion\run\ || winfixer2005 (ID = 813065)
8:28 AM: Registry Sweep Complete, Elapsed Time:00:00:19
8:28 AM: Starting Cookie Sweep
8:28 AM: Found Spy Cookie: primaryads cookie
8:28 AM: [email protected][2].txt (ID = 3190)
8:28 AM: Found Spy Cookie: yieldmanager cookie
8:28 AM: [email protected][1].txt (ID = 3751)
8:28 AM: Found Spy Cookie: adrevolver cookie
8:28 AM: june@adrevolver[1].txt (ID = 2088)
8:28 AM: june@adrevolver[3].txt (ID = 2088)
8:28 AM: Found Spy Cookie: pointroll cookie
8:28 AM: [email protected][1].txt (ID = 3148)
8:28 AM: Found Spy Cookie: advertising cookie
8:28 AM: june@advertising[1].txt (ID = 2175)
8:28 AM: Found Spy Cookie: atlas dmt cookie
8:28 AM: june@atdmt[2].txt (ID = 2253)
8:28 AM: Found Spy Cookie: belnk cookie
8:28 AM: [email protected][2].txt (ID = 2293)
8:28 AM: Found Spy Cookie: banner cookie
8:28 AM: june@banner[1].txt (ID = 2276)
8:28 AM: june@belnk[2].txt (ID = 2292)
8:28 AM: Found Spy Cookie: casalemedia cookie
8:28 AM: june@casalemedia[2].txt (ID = 2354)
8:28 AM: Found Spy Cookie: clickbank cookie
8:28 AM: june@clickbank[1].txt (ID = 2398)
8:28 AM: [email protected][1].txt (ID = 2293)
8:28 AM: Found Spy Cookie: nuker cookie
8:28 AM: june@nuker[1].txt (ID = 3085)
8:28 AM: Found Spy Cookie: questionmarket cookie
8:28 AM: june@questionmarket[1].txt (ID = 3217)
8:28 AM: Found Spy Cookie: realmedia cookie
8:28 AM: june@realmedia[2].txt (ID = 3235)
8:28 AM: Found Spy Cookie: servedby advertising cookie
8:28 AM: [email protected][2].txt (ID = 3335)
8:28 AM: Found Spy Cookie: trafficmp cookie
8:28 AM: june@trafficmp[1].txt (ID = 3581)
8:28 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:28 AM: Starting File Sweep
8:28 AM: c:\program files\common files\winsoftware (2 subtraces) (ID = -2147476682)
8:29 AM: a0003186.sys (ID = 188536)
8:36 AM: dfdr.sys (ID = 188536)
8:38 AM: File Sweep Complete, Elapsed Time: 00:10:23
8:38 AM: Full Sweep has completed. Elapsed time 00:13:06
8:38 AM: Traces Found: 99
2:09 PM: The Spy Communication shield has blocked access to: download.winfixer.com
2:09 PM: The Spy Communication shield has blocked access to: download.winfixer.com
2:09 PM: The Spy Communication shield has blocked access to: download.winfixer.com
2:09 PM: The Spy Communication shield has blocked access to: download.winfixer.com
3:02 PM: The Spy Communication shield has blocked access to: download.winfixer.com
3:02 PM: The Spy Communication shield has blocked access to: download.winfixer.com
3:02 PM: The Spy Communication shield has blocked access to: download.winfixer.com
3:02 PM: The Spy Communication shield has blocked access to: download.winfixer.com
3:09 PM: Removal process initiated
3:10 PM: Quarantining All Traces: virtumonde
3:10 PM: virtumonde is in use. It will be removed on reboot.
3:10 PM: C:\WINDOWS\system32\ddayw.dll is in use. It will be removed on reboot.
3:10 PM: Quarantining All Traces: winantispyware 2005
3:10 PM: Quarantining All Traces: adrevolver cookie
3:10 PM: Quarantining All Traces: advertising cookie
3:10 PM: Quarantining All Traces: atlas dmt cookie
3:10 PM: Quarantining All Traces: banner cookie
3:10 PM: Quarantining All Traces: belnk cookie
3:10 PM: Quarantining All Traces: casalemedia cookie
3:10 PM: Quarantining All Traces: clickbank cookie
3:10 PM: Quarantining All Traces: nuker cookie
3:10 PM: Quarantining All Traces: pointroll cookie
3:10 PM: Quarantining All Traces: primaryads cookie
3:10 PM: Quarantining All Traces: questionmarket cookie
3:10 PM: Quarantining All Traces: realmedia cookie
3:10 PM: Quarantining All Traces: servedby advertising cookie
3:10 PM: Quarantining All Traces: trafficmp cookie
3:10 PM: Quarantining All Traces: yieldmanager cookie
3:10 PM: Preparing to restart your computer. Please wait...
3:10 PM: Removal process completed. Elapsed time 00:00:54
3:16 PM: Warning: Access is denied
3:17 PM: BHO Shield: found: -- BHO installation denied at user request
3:17 PM: BHO Shield: found: -- BHO installation denied at user request
********
8:03 AM: | Start of Session, Saturday, November 12, 2005 |
8:03 AM: Spy Sweeper started
8:03 AM: Sweep initiated using definitions version 572
8:03 AM: Starting Memory Sweep
8:04 AM: Found Adware: virtumonde
8:04 AM: Detected running threat: C:\WINDOWS\system32\ddayw.dll (ID = 77)
8:06 AM: Memory Sweep Complete, Elapsed Time: 00:02:47
8:06 AM: Starting Registry Sweep
8:06 AM: Found Adware: winantispyware 2005
8:06 AM: HKLM\software\winfixer2005\ (1 subtraces) (ID = 813086)
8:06 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\fcrxml.dll (ID = 819066)
8:06 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\winsoftware\prcheck.dll (ID = 819067)
8:06 AM: HKCR\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970282)
8:06 AM: HKCR\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970286)
8:06 AM: HKCR\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970474)
8:06 AM: HKCR\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970551)
8:06 AM: HKLM\software\classes\uwfxpcheck.uwfxpcheck.1\ (3 subtraces) (ID = 970710)
8:06 AM: HKLM\software\classes\uwfxpcheck.uwfxpcheck\ (5 subtraces) (ID = 970714)
8:06 AM: HKLM\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\ (14 subtraces) (ID = 970909)
8:06 AM: HKLM\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\ (9 subtraces) (ID = 970986)
8:06 AM: HKU\S-1-5-21-3691353938-4231171917-1034322868-1005\software\microsoft\windows\currentversion\run\ || winfixer2005 (ID = 813065)
8:06 AM: Registry Sweep Complete, Elapsed Time:00:00:17
8:06 AM: Starting Cookie Sweep
8:06 AM: Found Spy Cookie: primaryads cookie
8:06 AM: [email protected][2].txt (ID = 3190)
8:06 AM: Found Spy Cookie: yieldmanager cookie
8:06 AM: [email protected][1].txt (ID = 3751)
8:06 AM: Found Spy Cookie: adrevolver cookie
8:06 AM: june@adrevolver[1].txt (ID = 2088)
8:06 AM: june@adrevolver[3].txt (ID = 2088)
8:06 AM: Found Spy Cookie: pointroll cookie
8:06 AM: [email protected][1].txt (ID = 3148)
8:06 AM: Found Spy Cookie: advertising cookie
8:06 AM: june@advertising[1].txt (ID = 2175)
8:06 AM: Found Spy Cookie: atlas dmt cookie
8:06 AM: june@atdmt[2].txt (ID = 2253)
8:06 AM: Found Spy Cookie: belnk cookie
8:06 AM: [email protected][2].txt (ID = 2293)
8:06 AM: Found Spy Cookie: banner cookie
8:06 AM: june@banner[1].txt (ID = 2276)
8:06 AM: june@belnk[2].txt (ID = 2292)
8:06 AM: Found Spy Cookie: casalemedia cookie
8:06 AM: june@casalemedia[2].txt (ID = 2354)
8:06 AM: Found Spy Cookie: clickbank cookie
8:06 AM: june@clickbank[1].txt (ID = 2398)
8:06 AM: [email protected][1].txt (ID = 2293)
8:06 AM: Found Spy Cookie: nuker cookie
8:06 AM: june@nuker[1].txt (ID = 3085)
8:06 AM: Found Spy Cookie: questionmarket cookie
8:06 AM: june@questionmarket[1].txt (ID = 3217)
8:06 AM: Found Spy Cookie: realmedia cookie
8:06 AM: june@realmedia[2].txt (ID = 3235)
8:06 AM: Found Spy Cookie: servedby advertising cookie
8:06 AM: [email protected][2].txt (ID = 3335)
8:06 AM: Found Spy Cookie: trafficmp cookie
8:06 AM: june@trafficmp[1].txt (ID = 3581)
8:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:06 AM: Starting File Sweep
8:06 AM: c:\program files\common files\winsoftware (2 subtraces) (ID = -2147476682)
8:12 AM: dfdr.sys (ID = 188536)
8:12 AM: File Sweep Complete, Elapsed Time: 00:05:48
8:12 AM: Full Sweep has completed. Elapsed time 00:08:56
8:12 AM: Traces Found: 98
8:25 AM: | End of Session, Saturday, November 12, 2005 |
********
8:27 PM: | Start of Session, Friday, November 11, 2005 |
8:27 PM: Spy Sweeper started
8:27 PM: Your spyware definitions have been updated.
8:03 AM: | End of Session, Saturday, November 12, 2005 |
HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:18:23 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .AVI: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.ai...AIM.9.5.1.8.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe