
Major Problems? [RESOLVED]


  • This topic is locked This topic is locked

#1 Fecal Scientist (Member, 17 posts)

First let me say thanks for the great website and for hopefully fixing my problem(s).

My computer is not feeling very well!! I have run all of the following: Ewido, Spy Sweeper, Spybot Search & Destroy, Microsoft AntiSpyware, Spy Doctor, Trojan Hunter, Freedom Security Scan, Clean Up!, CWShredder, Pandascan, McAfee. Now it seems they all come back clean, yet I am still having issues. When I go to Start and click on My Computer, nothing comes up but the stupid flashlight. Also, when I type in a web address it takes about 3-5 minutes before the site is actually on the screen. I am running a high-speed cable modem. Another note: when I went to update my iPod, my computer isn't recognizing it anymore; usually when I plug in the iPod, the iTunes software comes up automatically. Now when I open iTunes, the program stops responding altogether. Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:56:53 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [MyAccessMedia] "C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\tmp2F.exe" -Remove
O4 - HKLM\..\Run: [loader32] C:\Documents and Settings\Carrie Dearden\Application Data\SysDown\sys00772.exe
O4 - HKLM\..\Run: [*jpegplay] C:\WINDOWS\Cursors\jpegplay.exe
O4 - HKLM\..\Run: [*keydb] C:\WINDOWS\addins\keydb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [wqwm] C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: binxml - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\lmxnib.dat (file missing)
O20 - Winlogon Notify: chk - chke.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\oteaut32.dll (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Anti-Leech ALIE - {1484763F-456A-66E0-DABF-FD7BCE6541ED} - c:\program files\anti-leech\alie\mtmtni2.dll (file missing)
O21 - SSODL: EA.COM - {8F7DFA68-F263-E58A-6727-92755C758831} - c:\progra~1\eacom\update\xdyhyq32.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#2 didom (Member, 1,919 posts)

Please download Webroot Spy Sweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3 Fecal Scientist (Topic Starter, 17 posts)

Here are the results of SpySweeper:
********
12:26 AM: | Start of Session, Sunday, November 27, 2005 |
12:26 AM: Spy Sweeper started
12:26 AM: Sweep initiated using definitions version 575
12:26 AM: Starting Memory Sweep
12:28 AM: Memory Sweep Complete, Elapsed Time: 00:02:43
12:28 AM: Starting Registry Sweep
12:29 AM: Found Adware: addestroyer
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\vb and vba program settings\addestroyer\ (3 subtraces) (ID = 102749)
12:29 AM: Found Adware: commonname
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\commonname\ (2 subtraces) (ID = 106881)
12:29 AM: Found Adware: dealhelper
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\dealhelper\ (6 subtraces) (ID = 124790)
12:29 AM: Found Adware: downloadware
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\downloadware\ (15 subtraces) (ID = 125353)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\medialoads\ (9 subtraces) (ID = 125355)
12:29 AM: Found Adware: e2g
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\ptech\ (1 subtraces) (ID = 125528)
12:29 AM: Found Adware: ebates money maker
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
12:29 AM: Found Adware: webrebates
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 125590)
12:29 AM: Found Adware: ist software
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {5f1abcdb-a875-46c1-8345-b72a4567e486} (ID = 127195)
12:29 AM: Found Adware: hotbar
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
12:29 AM: Found Adware: ieplugin
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\intexp\ (8 subtraces) (ID = 128173)
12:29 AM: Found Adware: drsnsrch.com hijack
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\main\ || search page (ID = 128207)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\searchurl\ (ID = 128212)
12:29 AM: Found Adware: internetoptimizer
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\avenue media\ (ID = 128887)
12:29 AM: Found Adware: ist istbar
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\istbar\ (17 subtraces) (ID = 129109)
12:29 AM: Found Adware: networkessentials
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\hopper\ (15 subtraces) (ID = 136157)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\updater\ (2 subtraces) (ID = 136178)
12:29 AM: Found Adware: search-exe hijacker
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
12:29 AM: Found Adware: ist sidefind
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
12:29 AM: Found Adware: tvmedia
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\windows\currentversion\run\ || tv media (ID = 145312)
12:29 AM: Found Adware: virtualbouncer
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\vb and vba program settings\vbouncer\ (3 subtraces) (ID = 145564)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\menuext\web rebates\ (2 subtraces) (ID = 146297)
12:29 AM: Found Adware: websearch toolbar
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\windows\currentversion\run\ || wintools (ID = 146484)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\toolbar\ (32 subtraces) (ID = 146513)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\wintools\ (15 subtraces) (ID = 146514)
12:29 AM: Found Adware: websearch.com hijacker
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
12:29 AM: Found Adware: winactive
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\winactive\ (4 subtraces) (ID = 147148)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
12:29 AM: Found Adware: cydoor
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\cydoor\ (17 subtraces) (ID = 639126)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\toolbar\ (32 subtraces) (ID = 646239)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\wintools\ (15 subtraces) (ID = 646241)
12:29 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\downloadware\ (15 subtraces) (ID = 775210)
12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:34
12:29 AM: Starting Cookie Sweep
12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 AM: Starting File Sweep
12:29 AM: Found Trojan Horse: infected mushrooms
12:29 AM: a0237970.dll (ID = 145092)
12:29 AM: Found Adware: azsearch toolbar
12:29 AM: a0313640.dll (ID = 50361)
12:29 AM: a0235599.dll (ID = 134099)
12:29 AM: Found Trojan Horse: trojan-backdoor-zubox
12:29 AM: a0306497.exe (ID = 156360)
12:29 AM: a0235968.dll (ID = 134099)
12:29 AM: a0307578.exe (ID = 156360)
12:29 AM: a0309593.exe (ID = 156360)
12:29 AM: a0307492.dll (ID = 156378)
12:29 AM: a0236975.dll (ID = 134099)
12:30 AM: Found Trojan Horse: trojan-downloader-vxiframe
12:30 AM: a0241177.exe (ID = 107123)
12:30 AM: Found Adware: look2me
12:30 AM: a0311617.dll (ID = 163672)
12:30 AM: a0236962.dll (ID = 145091)
12:30 AM: Found Trojan Horse: trojan-backdoor-5sec
12:30 AM: a0235618.dll (ID = 136973)
12:30 AM: a0308585.dll (ID = 156378)
12:30 AM: a0307580.dll (ID = 159)
12:30 AM: Found Adware: targetsaver
12:30 AM: a0307591.exe (ID = 193995)
12:30 AM: Found Adware: dollarrevenue
12:30 AM: a0307589.exe (ID = 193259)
12:30 AM: a0239736.exe (ID = 135515)
12:30 AM: a0235950.dll (ID = 145091)
12:30 AM: a0313639.exe (ID = 193501)
12:30 AM: a0236960.dll (ID = 136973)
12:30 AM: a0236963.dll (ID = 145092)
12:30 AM: a0310602.dll (ID = 156378)
12:30 AM: a0235942.dll (ID = 134099)
12:30 AM: a0235623.dll (ID = 134099)
12:31 AM: a0306492.dll (ID = 156378)
12:31 AM: a0237969.dll (ID = 145091)
12:31 AM: a0237971.dll (ID = 136973)
12:31 AM: a0307585.dll (ID = 156378)
12:31 AM: Found Trojan Horse: trojan-downloader-procounter.biz
12:31 AM: a0235622.exe (ID = 134487)
12:31 AM: a0307570.dll (ID = 156378)
12:31 AM: a0235938.exe (ID = 147405)
12:31 AM: a0235953.dll (ID = 145091)
12:31 AM: a0235638.exe (ID = 147405)
12:31 AM: a0235945.exe (ID = 147405)
12:31 AM: a0235944.exe (ID = 153799)
12:31 AM: a0235605.exe (ID = 147405)
12:31 AM: Found Trojan Horse: trojan-downloader-asdbiz.biz
12:31 AM: a0235639.exe (ID = 134509)
12:31 AM: a0235609.exe (ID = 147405)
12:31 AM: a0235981.exe (ID = 134509)
12:31 AM: a0235969.exe (ID = 153799)
12:31 AM: a0235954.exe (ID = 147405)
12:31 AM: a0237979.exe (ID = 147405)
12:31 AM: a0235963.dll (ID = 145091)
12:31 AM: Found Adware: spysheriff
12:31 AM: a0235983.exe (ID = 131225)
12:31 AM: a0235982.exe (ID = 131225)
12:31 AM: Found Adware: apropos
12:31 AM: a0307588.exe (ID = 185940)
12:31 AM: a0236979.exe (ID = 147405)
12:31 AM: a0237972.dll (ID = 134099)
12:31 AM: a0237991.exe (ID = 134487)
12:31 AM: a0309591.dll (ID = 156378)
12:32 AM: Found Adware: one2one viewer
12:32 AM: a0313672.dll (ID = 71511)
12:32 AM: a0313671.dll (ID = 71510)
12:32 AM: a0310599.dll (ID = 163672)
12:32 AM: a0235598.dll (ID = 145108)
12:32 AM: a0235951.dll (ID = 145092)
12:32 AM: a0236978.exe (ID = 107123)
12:32 AM: Found Trojan Horse: ldpinch trojan
12:32 AM: a0235637.exe (ID = 147343)
12:32 AM: a0235757.exe (ID = 62321)
12:32 AM: a0307496.dll (ID = 163672)
12:32 AM: a0310600.exe (ID = 135515)
12:32 AM: a0310601.exe (ID = 135515)
12:32 AM: a0310596.dll (ID = 159)
12:32 AM: a0307571.dll (ID = 163672)
12:32 AM: a0307572.dll (ID = 163672)
12:32 AM: a0235630.dll (ID = 145108)
12:32 AM: a0235743.dll (ID = 62306)
12:33 AM: a0235940.dll (ID = 50361)
12:33 AM: Found Adware: purityscan
12:33 AM: a0235593.dll (ID = 146408)
12:33 AM: a0241164.dll (ID = 146408)
12:33 AM: a0235943.exe (ID = 107123)
12:33 AM: Found Trojan Horse: trojan-downloader-pr-corp
12:33 AM: a0235636.exe (ID = 147406)
12:33 AM: a0235947.exe (ID = 134509)
12:33 AM: Found Adware: members area dialer
12:33 AM: a0241126.exe (ID = 147361)
12:33 AM: a0235789.scr (ID = 62354)
12:33 AM: a0308584.dll (ID = 163672)
12:33 AM: a0235751.dll (ID = 62302)
12:34 AM: a0309589.dll (ID = 163672)
12:34 AM: a0310595.dll (ID = 163672)
12:34 AM: a0235758.dll (ID = 62330)
12:34 AM: a0307590.exe (ID = 168558)
12:34 AM: a0310598.dll (ID = 159)
12:34 AM: a0310585.dll (ID = 163672)
12:34 AM: a0311605.dll (ID = 159)
12:34 AM: a0310594.dll (ID = 159)
12:35 AM: a0313670.ocx (ID = 71505)
12:35 AM: a0235600.exe (ID = 147406)
12:35 AM: a0235754.dll (ID = 62309)
12:35 AM: a0235621.exe (ID = 147406)
12:36 AM: a0310597.dll (ID = 163672)
12:36 AM: a0235970.exe (ID = 147343)
12:36 AM: a0235957.exe (ID = 134509)
12:36 AM: a0307584.dll (ID = 163672)
12:36 AM: a0311587.dll (ID = 163672)
12:36 AM: a0313667.dll (ID = 159)
12:36 AM: a0235631.dll (ID = 134099)
12:36 AM: a0235755.exe (ID = 62317)
12:36 AM: a0235784.dll (ID = 62308)
12:36 AM: a0235965.dll (ID = 145108)
12:36 AM: a0235752.dll (ID = 62304)
12:36 AM: a0235790.dll (ID = 62276)
12:36 AM: a0313648.dll (ID = 163672)
12:36 AM: a0313666.dll (ID = 163672)
12:36 AM: a0313664.dll (ID = 163672)
12:37 AM: a0235635.exe (ID = 107123)
12:37 AM: Found Trojan Horse: trojan-backdoor-superbgirlz
12:37 AM: a0311616.dll (ID = 183971)
12:37 AM: a0235601.exe (ID = 135515)
12:37 AM: a0236974.dll (ID = 50361)
12:37 AM: a0235620.exe (ID = 147343)
12:37 AM: a0313665.dll (ID = 159)
12:37 AM: a0237973.dll (ID = 145108)
12:37 AM: a0317994.dll (ID = 163672)
12:37 AM: a0235952.dll (ID = 145092)
12:38 AM: a0235619.exe (ID = 134509)
12:38 AM: a0235787.exe (ID = 62320)
12:38 AM: a0235788.dll (ID = 62329)
12:38 AM: a0235781.dll (ID = 62303)
12:38 AM: a0235782.dll (ID = 62305)
12:38 AM: a0317513.dll (ID = 163672)
12:38 AM: a0235616.exe (ID = 134509)
12:38 AM: a0235820.dll (ID = 62276)
12:38 AM: a0235800.dll (ID = 62276)
12:38 AM: a0235810.dll (ID = 62276)
12:38 AM: a0235783.dll (ID = 62307)
12:39 AM: a0235840.dll (ID = 62276)
12:39 AM: a0235830.dll (ID = 62276)
12:39 AM: a0235785.exe (ID = 62316)
12:39 AM: a0235760.dll (ID = 62276)
12:39 AM: a0317995.dll (ID = 163672)
12:39 AM: Found Trojan Horse: trojan-backdoor-securemulti
12:39 AM: a0235946.exe (ID = 153543)
12:39 AM: a0235750.dll (ID = 62276)
12:39 AM: Found Adware: twain-tech
12:39 AM: a0313679.ini (ID = 81893)
12:39 AM: a0235984.exe (ID = 134509)
12:39 AM: a0235964.dll (ID = 145092)
12:39 AM: a0235759.scr (ID = 62355)
12:39 AM: a0235734.dll (ID = 62306)
12:39 AM: a0235780.dll (ID = 62276)
12:39 AM: a0235740.dll (ID = 62276)
12:39 AM: a0235753.dll (ID = 62306)
12:40 AM: a0235770.dll (ID = 62276)
12:40 AM: a0311597.exe (ID = 195131)
12:41 AM: a0313676.exe (ID = 195132)
12:41 AM: a0311600.exe (ID = 195128)
12:41 AM: a0317514.dll (ID = 163672)
12:41 AM: a0313675.dll (ID = 195129)
12:42 AM: a0313668.exe (ID = 156360)
12:42 AM: a0313674.exe (ID = 195130)
12:42 AM: a0311602.exe (ID = 183512)
12:42 AM: a0235624.dll (ID = 145108)
12:42 AM: Found Trojan Horse: spamrelayer_alpiok
12:42 AM: a0311603.exe (ID = 183253)
12:42 AM: a0311604.dll (ID = 182718)
12:42 AM: a0235941.dll (ID = 145108)
12:43 AM: a0235967.exe (ID = 107123)
12:43 AM: a0236964.dll (ID = 145108)
12:45 AM: Found Adware: keenvalue/perfectnav
12:45 AM: a0237974.dll (ID = 64862)
12:46 AM: a0313636.dll (ID = 145094)
12:46 AM: a0235617.dll (ID = 145094)
12:46 AM: Found Trojan Horse: 2nd-thought
12:46 AM: a0311613.lnk (ID = 48314)
12:46 AM: Found Adware: directrevenue-abetterinternet
12:46 AM: a0313663.inf (ID = 83432)
12:46 AM: a0313678.inf (ID = 81846)
12:46 AM: a0313677.inf (ID = 81859)
12:46 AM: Found System Monitor: potentially rootkit-masked files
12:46 AM: mmcacpi.sys (ID = 0)
12:46 AM: Warning: Unhandled Archive Type
1:13 AM: File Sweep Complete, Elapsed Time: 00:43:51
1:13 AM: Full Sweep has completed. Elapsed time 00:47:16
1:13 AM: Traces Found: 429
1:14 AM: Removal process initiated
1:14 AM: Quarantining All Traces: 2nd-thought
1:14 AM: Quarantining All Traces: directrevenue-abetterinternet
1:14 AM: Quarantining All Traces: ist istbar
1:14 AM: Quarantining All Traces: look2me
1:15 AM: Quarantining All Traces: potentially rootkit-masked files
1:15 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:15 AM: mmcacpi.sys is in use. It will be removed on reboot.
1:15 AM: Quarantining All Traces: purityscan
1:15 AM: Quarantining All Traces: spamrelayer_alpiok
1:15 AM: Quarantining All Traces: spysheriff
1:15 AM: Quarantining All Traces: trojan-backdoor-5sec
1:15 AM: Quarantining All Traces: trojan-backdoor-securemulti
1:15 AM: Quarantining All Traces: trojan-backdoor-zubox
1:15 AM: Quarantining All Traces: trojan-downloader-pr-corp
1:15 AM: Quarantining All Traces: trojan-downloader-procounter.biz
1:15 AM: Quarantining All Traces: trojan-downloader-vxiframe
1:15 AM: Quarantining All Traces: websearch toolbar
1:15 AM: Quarantining All Traces: apropos
1:15 AM: Quarantining All Traces: azsearch toolbar
1:15 AM: Quarantining All Traces: commonname
1:15 AM: Quarantining All Traces: hotbar
1:15 AM: Quarantining All Traces: infected mushrooms
1:15 AM: Quarantining All Traces: internetoptimizer
1:15 AM: Quarantining All Traces: ldpinch trojan
1:15 AM: Quarantining All Traces: trojan-backdoor-superbgirlz
1:15 AM: Quarantining All Traces: trojan-downloader-asdbiz.biz
1:15 AM: Quarantining All Traces: addestroyer
1:15 AM: Quarantining All Traces: cydoor
1:15 AM: Quarantining All Traces: dealhelper
1:15 AM: Quarantining All Traces: dollarrevenue
1:15 AM: Quarantining All Traces: downloadware
1:15 AM: Quarantining All Traces: drsnsrch.com hijack
1:15 AM: Quarantining All Traces: e2g
1:15 AM: Quarantining All Traces: ebates money maker
1:15 AM: Quarantining All Traces: ieplugin
1:15 AM: Quarantining All Traces: ist sidefind
1:15 AM: Quarantining All Traces: ist software
1:15 AM: Quarantining All Traces: keenvalue/perfectnav
1:15 AM: Quarantining All Traces: members area dialer
1:15 AM: Quarantining All Traces: networkessentials
1:15 AM: Quarantining All Traces: one2one viewer
1:15 AM: Quarantining All Traces: search-exe hijacker
1:15 AM: Quarantining All Traces: targetsaver
1:15 AM: Quarantining All Traces: tvmedia
1:15 AM: Quarantining All Traces: twain-tech
1:15 AM: Quarantining All Traces: virtualbouncer
1:16 AM: Quarantining All Traces: webrebates
1:16 AM: Quarantining All Traces: websearch.com hijacker
1:16 AM: Quarantining All Traces: winactive
1:16 AM: Removal process completed. Elapsed time 00:02:01
********
2:13 AM: | Start of Session, Monday, November 21, 2005 |
2:13 AM: Spy Sweeper started
2:13 AM: Sweep initiated using definitions version 574
2:14 AM: Starting Memory Sweep
2:14 AM: Error: Access violation at address 00402BCF in module 'WRSSSDK.exe'. Read of address 06040000.
2:14 AM: Found Adware: icannnews
2:14 AM: Detected running threat: C:\WINDOWS\system32\dvtrans.dll (ID = 83)
2:15 AM: Detected running threat: C:\WINDOWS\system32\j46mlej11ho.dll (ID = 83)
2:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:17 AM: Memory Sweep Complete, Elapsed Time: 00:03:39
2:17 AM: Starting Registry Sweep
2:17 AM: Found Adware: ieplugin
2:17 AM: HKCR\interface\{3e589169-86ad-44fe-b426-f0bf105d5582}\ (8 subtraces) (ID = 128148)
2:17 AM: HKLM\software\classes\interface\{3e589169-86ad-44fe-b426-f0bf105d5582}\ (8 subtraces) (ID = 128167)
2:17 AM: HKLM\software\classes\typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}\ (9 subtraces) (ID = 128169)
2:17 AM: HKCR\typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}\ (9 subtraces) (ID = 128201)
2:17 AM: Found Adware: ist istbar
2:17 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\conflict.1\istactivex.dll (ID = 129171)
2:17 AM: Found Adware: one2one viewer
2:17 AM: HKCR\clsid\{a1a961da-2ba6-4032-859e-01ac35357163}\ (22 subtraces) (ID = 136346)
2:17 AM: HKCR\interface\{ab6e26dd-d437-4e0c-8fb9-719e578e113a}\ (8 subtraces) (ID = 136349)
2:17 AM: HKCR\interface\{de1658ef-7963-47e6-bba3-c952798a5ad9}\ (8 subtraces) (ID = 136350)
2:17 AM: HKCR\rsx.one2oneviewer\ (3 subtraces) (ID = 136351)
2:17 AM: HKLM\software\classes\clsid\{a1a961da-2ba6-4032-859e-01ac35357163}\ (22 subtraces) (ID = 136360)
2:17 AM: HKLM\software\classes\interface\{ab6e26dd-d437-4e0c-8fb9-719e578e113a}\ (8 subtraces) (ID = 136363)
2:17 AM: HKLM\software\classes\interface\{de1658ef-7963-47e6-bba3-c952798a5ad9}\ (8 subtraces) (ID = 136364)
2:17 AM: HKLM\software\classes\rsx.one2oneviewer\ (3 subtraces) (ID = 136365)
2:17 AM: HKLM\software\classes\typelib\{a6511cdb-606e-4cb7-b1aa-113fec192aa3}\ (9 subtraces) (ID = 136367)
2:17 AM: HKCR\typelib\{a6511cdb-606e-4cb7-b1aa-113fec192aa3}\ (9 subtraces) (ID = 136371)
2:17 AM: Found Adware: purityscan
2:17 AM: HKLM\software\clickspring\ (2 subtraces) (ID = 137699)
2:17 AM: Found Adware: relatedlinks bho
2:17 AM: HKCR\interface\{e82431bf-e8a2-45ca-8361-e5517588cda1}\ (7 subtraces) (ID = 139367)
2:17 AM: HKLM\software\classes\interface\{e82431bf-e8a2-45ca-8361-e5517588cda1}\ (7 subtraces) (ID = 139376)
2:17 AM: Found Adware: search-exe hijacker
2:17 AM: HKLM\software\microsoft\internet explorer\searchurl\ (ID = 140935)
2:17 AM: Found Trojan Horse: trojan-downloader-domcom
2:17 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ipreg32.dll\ (ID = 144519)
2:17 AM: Found Adware: websearch toolbar
2:17 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
2:17 AM: Found Trojan Horse: trojan-backdoor-zubox
2:17 AM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)
2:17 AM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)
2:17 AM: Found Trojan Horse: spamrelayer_alpiok
2:17 AM: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
2:17 AM: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
2:17 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.excn2 (ID = 790580)
2:17 AM: Found Trojan Horse: p2pnetwork
2:17 AM: HKCR\sp2p.sp2p\ (5 subtraces) (ID = 866672)
2:17 AM: HKCR\sp2p.sp2p.1\ (3 subtraces) (ID = 866678)
2:17 AM: HKCR\appid\sp2p.exe\ (1 subtraces) (ID = 866690)
2:17 AM: HKCR\appid\{626873ac-27f3-4d48-be81-535cf2360071}\ (1 subtraces) (ID = 866696)
2:17 AM: HKCR\clsid\{dfe95408-fd86-4818-a30a-bc859d9658e1}\ (11 subtraces) (ID = 866769)
2:17 AM: HKCR\typelib\{97d860c4-f072-477b-b241-409f7cffb954}\ (9 subtraces) (ID = 866806)
2:17 AM: HKLM\software\classes\sp2p.sp2p\ (5 subtraces) (ID = 866951)
2:17 AM: HKLM\software\classes\appid\sp2p.exe\ (1 subtraces) (ID = 866969)
2:17 AM: HKLM\software\classes\clsid\{dfe95408-fd86-4818-a30a-bc859d9658e1}\ (11 subtraces) (ID = 867048)
2:17 AM: HKLM\software\classes\typelib\{97d860c4-f072-477b-b241-409f7cffb954}\ (9 subtraces) (ID = 867085)
2:17 AM: HKCR\clsid\{6368d1fc-6f5c-4f1b-b164-e67214f678e9}\ (3 subtraces) (ID = 945518)
2:17 AM: HKLM\software\classes\clsid\{6368d1fc-6f5c-4f1b-b164-e67214f678e9}\ (3 subtraces) (ID = 945546)
2:17 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exbr (ID = 945548)
2:17 AM: Found Adware: addestroyer
2:17 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\vb and vba program settings\addestroyer\ (3 subtraces) (ID = 102749)
2:17 AM: Found Adware: commonname
2:17 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\commonname\ (2 subtraces) (ID = 106881)
2:18 AM: Found Adware: dealhelper
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\dealhelper\ (6 subtraces) (ID = 124790)
2:18 AM: Found Adware: downloadware
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\downloadware\ (15 subtraces) (ID = 125353)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\medialoads\ (9 subtraces) (ID = 125355)
2:18 AM: Found Adware: e2g
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\ptech\ (1 subtraces) (ID = 125528)
2:18 AM: Found Adware: ebates money maker
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
2:18 AM: Found Adware: webrebates
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 125590)
2:18 AM: Found Adware: ist software
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {5f1abcdb-a875-46c1-8345-b72a4567e486} (ID = 127195)
2:18 AM: Found Adware: hotbar
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\hotbar\ (1204 subtraces) (ID = 127565)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (2 subtraces) (ID = 127573)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (2 subtraces) (ID = 127574)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\intexp\ (8 subtraces) (ID = 128173)
2:18 AM: Found Adware: drsnsrch.com hijack
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\main\ || search page (ID = 128207)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\searchurl\ (ID = 128212)
2:18 AM: Found Adware: internetoptimizer
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\avenue media\ (ID = 128887)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\istbar\ (17 subtraces) (ID = 129109)
2:18 AM: Found Adware: networkessentials
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\hopper\ (15 subtraces) (ID = 136157)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\updater\ (2 subtraces) (ID = 136178)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
2:18 AM: Found Adware: ist sidefind
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
2:18 AM: Found Adware: tvmedia
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\windows\currentversion\run\ || tv media (ID = 145312)
2:18 AM: Found Adware: virtualbouncer
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\vb and vba program settings\vbouncer\ (3 subtraces) (ID = 145564)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\menuext\web rebates\ (2 subtraces) (ID = 146297)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\windows\currentversion\run\ || wintools (ID = 146484)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\toolbar\ (32 subtraces) (ID = 146513)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\wintools\ (15 subtraces) (ID = 146514)
2:18 AM: Found Adware: websearch.com hijacker
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
2:18 AM: Found Adware: winactive
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\winactive\ (4 subtraces) (ID = 147148)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
2:18 AM: Found Adware: cydoor
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\cydoor\ (17 subtraces) (ID = 639126)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\toolbar\ (32 subtraces) (ID = 646239)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\wintools\ (15 subtraces) (ID = 646241)
2:18 AM: HKU\WRSS_Profile_S-1-5-21-1313911845-72185382-2018322775-1006\software\downloadware\ (15 subtraces) (ID = 775210)
2:18 AM: Found Adware: cws-aboutblank
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\down\ (2 subtraces) (ID = 144517)
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\mzs\mdms\ (4 subtraces) (ID = 480808)
2:18 AM: Found Trojan Horse: trojan-backdoor-us15info
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\mzs\mdms\mzu\ || pt (ID = 656825)
2:18 AM: Found Trojan Horse: trojan-backdoor-superbgirlz
2:18 AM: HKU\S-1-5-21-1313911845-72185382-2018322775-1005\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
2:18 AM: Registry Sweep Complete, Elapsed Time:00:00:40
2:18 AM: Starting Cookie Sweep
2:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:18 AM: Starting File Sweep
2:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:18 AM: Found Adware: sidesearch
2:18 AM: c:\program files\lycos\sidesearch (1 subtraces) (ID = -2147480322)
2:18 AM: Found Adware: searchexe
2:18 AM: c:\program files\se (3 subtraces) (ID = -2147480358)
2:18 AM: c:\documents and settings\georgia dearden\application data\commonname (5 subtraces) (ID = -2147481224)
2:18 AM: c:\documents and settings\georgia dearden\start menu\programs\virtual bouncer (2 subtraces) (ID = -2147480099)
2:18 AM: c:\documents and settings\georgia dearden\start menu\programs\addestroyer (ID = -2147481465)
2:18 AM: Found Adware: spysheriff
2:18 AM: secure32.html (ID = 184319)
2:19 AM: rsag726e.dll (ID = 71511)
2:19 AM: rsag726d.dll (ID = 71510)
2:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:19 AM: Found Adware: internet washer
2:19 AM: quick.dat (ID = 63993)
2:20 AM: one2one.ocx (ID = 71505)
2:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:21 AM: Found Adware: look2me
2:21 AM: dnjs0117e.dll (ID = 159)
2:22 AM: j46mlej11ho.dll (ID = 159)
2:22 AM: __delete_on_reboot__myxmlr.dll (ID = 163672)
2:22 AM: dvtrans.dll (ID = 163672)
2:22 AM: ennol1531.dll (ID = 159)
2:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:22 AM: mfxml2.dll (ID = 159)
2:22 AM: Found Adware: topnetsearch hijacker
2:22 AM: blank.mht (ID = 134498)
2:22 AM: __delete_on_reboot__guard.tmp (ID = 159)
2:23 AM: Found Adware: brilliant digital
2:23 AM: bdeclean.exe (ID = 51737)
2:23 AM: Found Adware: twain-tech
2:23 AM: mxtarget.ini (ID = 81893)
2:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:24 AM: Found Adware: targetsaver
2:24 AM: wqwmp.exe (ID = 195132)
2:24 AM: class-barrel (ID = 78229)
2:24 AM: wqwmc.dll (ID = 195129)
2:24 AM: vocabulary (ID = 78283)
2:24 AM: secure32.html (ID = 184319)
2:24 AM: hammer.exe (ID = 156360)
2:24 AM: wqwml.exe (ID = 195130)
2:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:25 AM: bm.dat (ID = 74957)
2:25 AM: install.dat (ID = 143533)
2:25 AM: virtual bouncer.lnk (ID = 82843)
2:25 AM: Found Adware: azsearch toolbar
2:25 AM: ztoolbar.xml (ID = 50365)
2:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:26 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:26 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:26 AM: lbbho.ini (ID = 73732)
2:26 AM: ipreg32.inf (ID = 80471)
2:26 AM: today's specials.url (ID = 131129)
2:26 AM: Found Adware: directrevenue-abetterinternet
2:26 AM: poltt.inf (ID = 83432)
2:26 AM: mxtini.inf (ID = 81846)
2:26 AM: polmx3.inf (ID = 81859)
2:27 AM: File Sweep Complete, Elapsed Time: 00:08:33
2:27 AM: Full Sweep has completed. Elapsed time 00:13:06
2:27 AM: Traces Found: 1827
2:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:35 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:35 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:38 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 AM: Removal process initiated
2:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 AM: Quarantining All Traces: cws-aboutblank
2:47 AM: Quarantining All Traces: directrevenue-abetterinternet
2:47 AM: Quarantining All Traces: icannnews
2:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 AM: icannnews is in use. It will be removed on reboot.
2:47 AM: C:\WINDOWS\system32\dvtrans.dll is in use. It will be removed on reboot.
2:47 AM: C:\WINDOWS\system32\j46mlej11ho.dll is in use. It will be removed on reboot.
2:47 AM: Quarantining All Traces: ist istbar
2:47 AM: Quarantining All Traces: look2me
2:47 AM: look2me is in use. It will be removed on reboot.
2:47 AM: j46mlej11ho.dll is in use. It will be removed on reboot.
2:47 AM: dvtrans.dll is in use. It will be removed on reboot.
2:47 AM: ennol1531.dll is in use. It will be removed on reboot.
2:47 AM: __delete_on_reboot__guard.tmp is in use. It will be removed on reboot.
2:47 AM: Quarantining All Traces: purityscan
2:47 AM: Quarantining All Traces: spamrelayer_alpiok
2:47 AM: Quarantining All Traces: spysheriff
2:47 AM: Quarantining All Traces: trojan-backdoor-us15info
2:47 AM: Quarantining All Traces: trojan-backdoor-zubox
2:47 AM: Quarantining All Traces: websearch toolbar
2:47 AM: Quarantining All Traces: azsearch toolbar
2:47 AM: Quarantining All Traces: commonname
2:47 AM: Quarantining All Traces: hotbar
2:47 AM: Quarantining All Traces: internetoptimizer
2:47 AM: Quarantining All Traces: p2pnetwork
2:47 AM: Quarantining All Traces: searchexe
2:47 AM: Quarantining All Traces: sidesearch
2:47 AM: Quarantining All Traces: trojan-backdoor-superbgirlz
2:47 AM: Quarantining All Traces: trojan-downloader-domcom
2:47 AM: Quarantining All Traces: addestroyer
2:47 AM: Quarantining All Traces: brilliant digital
2:47 AM: Quarantining All Traces: cydoor
2:47 AM: Quarantining All Traces: dealhelper
2:47 AM: Quarantining All Traces: downloadware
2:47 AM: Quarantining All Traces: drsnsrch.com hijack
2:47 AM: Quarantining All Traces: e2g
2:47 AM: Quarantining All Traces: ebates money maker
2:47 AM: Quarantining All Traces: ieplugin
2:47 AM: Quarantining All Traces: internet washer
2:47 AM: Quarantining All Traces: ist sidefind
2:47 AM: Quarantining All Traces: ist software
2:47 AM: Quarantining All Traces: networkessentials
2:47 AM: Quarantining All Traces: one2one viewer
2:47 AM: Quarantining All Traces: relatedlinks bho
2:48 AM: Quarantining All Traces: search-exe hijacker
2:48 AM: Quarantining All Traces: targetsaver
2:48 AM: Quarantining All Traces: topnetsearch hijacker
2:48 AM: Quarantining All Traces: tvmedia
2:48 AM: Quarantining All Traces: twain-tech
2:48 AM: Quarantining All Traces: virtualbouncer
2:48 AM: Quarantining All Traces: webrebates
2:48 AM: Quarantining All Traces: websearch.com hijacker
2:48 AM: Quarantining All Traces: winactive
2:48 AM: Warning: Launched explorer.exe
2:48 AM: Warning: Quarantine process could not restart Explorer.
2:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1006 could not be unmapped. Error Code 5
2:48 AM: Warning: Failed to quarantine registry items for: S-1-5-21-1313911845-72185382-2018322775-1006
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1003 could not be unmapped. Error Code 5
2:48 AM: Warning: Failed to quarantine registry items for: S-1-5-21-1313911845-72185382-2018322775-1003
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1006 could not be unmapped. Error Code 5
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1003 could not be unmapped. Error Code 5
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1003 could not be unmapped. Error Code 5
2:48 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1006 could not be unmapped. Error Code 5
2:49 AM: Preparing to restart your computer. Please wait...
2:49 AM: Removal process completed. Elapsed time 00:02:49
2:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:56 AM: Sent error log: C:\Documents and Settings\Carrie Dearden\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
4:43 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1006 could not be unmapped. Error Code 5
4:43 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1003 could not be unmapped. Error Code 5
4:43 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1003 could not be unmapped. Error Code 5
4:43 AM: Warning: S-1-5-21-1313911845-72185382-2018322775-1006 could not be unmapped. Error Code 5
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:44 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:44 AM: Warning: Access is denied
4:44 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: Access is denied
4:45 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:45 AM: Processing Startup Alerts
4:45 AM: Removed Startup entry: Dcbl
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: Access is denied
4:48 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: Access is denied
4:50 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:

#4
Fecal Scientist

    Member

  • Topic Starter
  • 17 posts
********

And the rest of it---

72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:51 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1006
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: Access is denied
4:52 AM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1313911845-72185382-2018322775-1003
5:02 AM: Processing Startup Alerts
5:02 AM: Allowed Startup entry: iTunesHelper
5:04 AM: Processing Startup Alerts
5:04 AM: Allowed Startup entry: QuickTime Task
3:06 AM: Warning: Access is denied
3:07 AM: Your spyware definitions have been updated.
3:08 AM: Processing Startup Alerts
3:08 AM: Removed Startup entry: Dcbl
3:34 AM: Processing Startup Alerts
3:34 AM: Allowed Startup entry: Cleanup
3:34 AM: Processing Startup Alerts
3:34 AM: Removed Startup entry: msci
3:35 AM: Processing Startup Alerts
3:35 AM: Allowed Startup entry: Cleanup
3:51 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:00 AM: IE Tracking Cookies Shield: Removed serving-sys cookie
4:02 AM: IE Tracking Cookies Shield: Removed serving-sys cookie
4:03 AM: IE Tracking Cookies Shield: Removed serving-sys cookie
4:17 AM: IE Tracking Cookies Shield: Removed atwola cookie
4:17 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:17 AM: IE Tracking Cookies Shield: Removed atwola cookie
4:19 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:19 AM: IE Tracking Cookies Shield: Removed atwola cookie
4:19 AM: IE Tracking Cookies Shield: Removed centrport net cookie
4:40 AM: Processing Startup Alerts
4:40 AM: Allowed Startup entry: iTunesHelper
4:59 AM: Processing Startup Alerts
4:59 AM: Allowed Startup entry: *Restore
5:27 AM: IE Tracking Cookies Shield: Removed atwola cookie
5:27 AM: IE Tracking Cookies Shield: Removed centrport net cookie
12:24 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:24 AM: IE Tracking Cookies Shield: Removed 64.62.232 cookie
12:24 AM: IE Tracking Cookies Shield: Removed 64.62.232 cookie
12:24 AM: IE Tracking Cookies Shield: Removed 64.62.232 cookie
12:24 AM: IE Tracking Cookies Shield: Removed go.com cookie
12:24 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
12:24 AM: IE Tracking Cookies Shield: Removed specificclick.com cookie
12:24 AM: IE Tracking Cookies Shield: Removed addynamix cookie
12:24 AM: IE Tracking Cookies Shield: Removed pointroll cookie
12:24 AM: IE Tracking Cookies Shield: Removed adultfriendfinder cookie
12:24 AM: IE Tracking Cookies Shield: Removed falkag cookie
12:24 AM: IE Tracking Cookies Shield: Removed atwola cookie
12:24 AM: IE Tracking Cookies Shield: Removed belnk cookie
12:24 AM: IE Tracking Cookies Shield: Removed casalemedia cookie
12:24 AM: IE Tracking Cookies Shield: Removed clickbank cookie
12:24 AM: IE Tracking Cookies Shield: Removed belnk cookie
12:24 AM: IE Tracking Cookies Shield: Removed ru4 cookie
12:24 AM: IE Tracking Cookies Shield: Removed go.com cookie
12:24 AM: IE Tracking Cookies Shield: Removed maxserving cookie
12:24 AM: IE Tracking Cookies Shield: Removed questionmarket cookie
12:24 AM: IE Tracking Cookies Shield: Removed go.com cookie
12:24 AM: IE Tracking Cookies Shield: Removed statcounter cookie
12:24 AM: IE Tracking Cookies Shield: Removed trafficmp cookie
12:24 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:24 AM: IE Tracking Cookies Shield: Removed webpower cookie
12:24 AM: IE Tracking Cookies Shield: Removed yadro cookie
12:24 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:24 AM: Error: Access violation at address 005510C0 in module 'WRSSSDK.exe'. Read of address 00000034.
12:24 AM: Deleted error log without sending: C:\Documents and Settings\Carrie Dearden\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
12:24 AM: Processing Startup Alerts
12:24 AM: Removed Startup entry: WinTools
12:24 AM: Removed Startup entry: TV Media
12:24 AM: Removed Startup entry: AIM
12:24 AM: Removed Startup entry: MSMSGS
12:26 AM: | End of Session, Sunday, November 27, 2005 |
********
2:12 AM: | Start of Session, Monday, November 21, 2005 |
2:12 AM: Spy Sweeper started
2:13 AM: Your spyware definitions have been updated.
2:13 AM: | End of Session, Monday, November 21, 2005 |

#6
didom

    Member 1K

  • 1,919 posts
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

#7
Fecal Scientist

    Member

  • Topic Starter
  • 17 posts
Results of PandaScan as well as new HiJackThis Log:
Incident Status Location

Adware:adware/azesearch Not disinfected C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Auto racing.url
Adware:adware/purityscan Not disinfected C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware program Not disinfected C:\WINDOWS\flag.bla
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\GIB
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MLH
Adware:adware/dealhelper Not disinfected C:\PROGRAM FILES\TimeSync
Adware:adware/spywareno Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Carrie Dearden\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-2ab4322b.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Carrie Dearden\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-2ab4322b.zip[NewURLClassLoader.class]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OD2RG5U7\!update-2800[1].0000
Virus:Trj/Agent.AJX Not disinfected C:\Program Files\Object Desktop\DesktopX\dxfi32.dll
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\jikfdjdn.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\phhdiafk.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\!update.exe
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~150881.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~164008.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~518883.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~839926.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~940987.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~962451.tmp
Virus:W32/Mops.A.worm Not disinfected C:\WINDOWS\winext.exe

Logfile of HijackThis v1.99.1
Scan saved at 4:58:57 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [MyAccessMedia] "C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\tmp2F.exe" -Remove
O4 - HKLM\..\Run: [loader32] C:\Documents and Settings\Carrie Dearden\Application Data\SysDown\sys00772.exe
O4 - HKLM\..\Run: [*jpegplay] C:\WINDOWS\Cursors\jpegplay.exe
O4 - HKLM\..\Run: [*keydb] C:\WINDOWS\addins\keydb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [wqwm] C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: binxml - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\lmxnib.dat (file missing)
O20 - Winlogon Notify: chk - chke.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\oteaut32.dll (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Anti-Leech ALIE - {1484763F-456A-66E0-DABF-FD7BCE6541ED} - blank (file missing)
O21 - SSODL: EA.COM - {8F7DFA68-F263-E58A-6727-92755C758831} - blank (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#8
didom

    Member 1K

  • 1,919 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
  • Go to Start > Control Panel.
  • Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.
  • After reboot, go back into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options on this window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Step #2

Scan again with HijackThis and check the following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [MyAccessMedia] "C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\tmp2F.exe" -Remove
O4 - HKLM\..\Run: [loader32] C:\Documents and Settings\Carrie Dearden\Application Data\SysDown\sys00772.exe
O4 - HKLM\..\Run: [*jpegplay] C:\WINDOWS\Cursors\jpegplay.exe
O4 - HKLM\..\Run: [*keydb] C:\WINDOWS\addins\keydb.exe
O4 - HKCU\..\Run: [wqwm] C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe

O20 - Winlogon Notify: binxml - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\lmxnib.dat (file missing)
O20 - Winlogon Notify: chk - chke.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\oteaut32.dll (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)

O21 - SSODL: Anti-Leech ALIE - {1484763F-456A-66E0-DABF-FD7BCE6541ED} - blank (file missing)
O21 - SSODL: EA.COM - {8F7DFA68-F263-E58A-6727-92755C758831} - blank (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".


Step #3

Download Killbox: http://www.atribune....ads/KillBox.exe
  • Please run Killbox.exe
  • Select "Delete on Reboot".
  • In the "Options" drop-down menu you will see "Delete on Reboot" >> select "Process ALL in list"
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Auto racing.url
    C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe
    C:\WINDOWS\system32\drivers\etc\hosts.bak
    C:\WINDOWS\system32\jikfdjdn.exe
    C:\WINDOWS\system32\phhdiafk.exe
    C:\WINDOWS\Cursors\jpegplay.exe
    C:\WINDOWS\addins\keydb.exe
    C:\WINDOWS\Temp\!update.exe
    C:\WINDOWS\Temp\~150881.tmp
    C:\WINDOWS\Temp\~164008.tmp
    C:\WINDOWS\Temp\~518883.tmp
    C:\WINDOWS\Temp\~839926.tmp
    C:\WINDOWS\Temp\~940987.tmp
    C:\WINDOWS\Temp\~962451.tmp
    C:\WINDOWS\winext.exe
    C:\GatorPatch.log
    C:\WINDOWS\flag.bla
    C:\PROGRAM FILES\GIB
    C:\PROGRAM FILES\Lycos
    C:\PROGRAM FILES\MLH
    C:\PROGRAM FILES\TimeSync
    C:\Program Files\p2pnetworks
    C:\Program Files\Common Files\wqwm


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

  • Let the system reboot.
Step #4

Find and delete this folder:
C:\!Killbox <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.
  • 0
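A small triage script for the HijackThis log format this thread works from, added here as an example (it is not part of the thread and not HijackThis code): it applies the reasoning behind the Step #2 list above (Winlogon Notify/SSODL hooks whose DLL is missing, Run entries launching from Temp-style folders, blanked search keys) to sample lines copied from the logs. The directory list and the heuristics themselves are this example's own assumptions.

```python
"""Triage helper for HijackThis 1.99.1 log lines.

Added example, not part of the forum thread and not HijackThis code.  It
encodes the pattern behind the "check the following items" list in Step #2:
Winlogon Notify / SSODL hooks whose DLL is gone, Run entries launching from
throw-away directories, and search keys whose value has been blanked.
The sample lines are copied from the thread; the heuristics are this
example's own assumptions and are a filter, not a verdict.
"""
import re
from typing import Dict, List, Optional, Tuple

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Directories a legitimate autostart entry almost never launches from
# (assumption: compared case-insensitively against the O4 body).
SUSPECT_DIRS = ("\\temp\\", "\\cursors\\", "\\addins\\")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def is_orphaned_hook(section: str, body: str) -> bool:
    """O20 (Winlogon Notify) / O21 (SSODL) hooks whose DLL no longer exists.

    The registry key still asks winlogon/explorer to load the module, so the
    entry is left over from malware that was only partially removed."""
    return section in ("O20", "O21") and "(file missing)" in body


def runs_from_suspect_dir(section: str, body: str) -> bool:
    """O4 Run entries whose command path sits in a temp-style directory."""
    if section != "O4":
        return False
    return any(d in body.lower() for d in SUSPECT_DIRS)


def blanked_search_key(section: str, body: str) -> bool:
    """R0/R1 search keys whose value has been emptied, a common hijack residue."""
    return section in ("R0", "R1") and body.rstrip().endswith("=")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for every line one heuristic flags."""
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if is_orphaned_hook(section, body):
            findings.append(("orphaned logon hook", raw.strip()))
        elif runs_from_suspect_dir(section, body):
            findings.append(("autostart from temp-style dir", raw.strip()))
        elif blanked_search_key(section, body):
            findings.append(("blanked search key", raw.strip()))
    return findings


def count_by_reason(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Tally findings per reason, for a quick summary line."""
    counts: Dict[str, int] = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample: a mix of the flagged entries from Step #2 and benign
# entries from the same log (raw string, so the backslashes stay literal).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [MyAccessMedia] "C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\tmp2F.exe" -Remove
O4 - HKLM\..\Run: [*jpegplay] C:\WINDOWS\Cursors\jpegplay.exe
O4 - HKLM\..\Run: [*keydb] C:\WINDOWS\addins\keydb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: binxml - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\lmxnib.dat (file missing)
O20 - Winlogon Notify: chk - chke.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Anti-Leech ALIE - {1484763F-456A-66E0-DABF-FD7BCE6541ED} - blank (file missing)
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG.splitlines()):
        print(f"[{reason}] {entry}")
    # Note: the amp2pl.exe entry under Program Files is NOT flagged by these
    # heuristics even though the helper removed it; a path filter cannot
    # replace knowledge of the specific program.
```

Entries the path filter misses (such as the p2pnetworks loader under Program Files) still need the helper's knowledge of the specific program, which is why the script reports candidates rather than deciding.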

#9
Fecal Scientist

    Member

  • Topic Starter
  • 17 posts
I must say thank you again for helping; it is deeply appreciated, and I am already starting to notice a difference. Here are my Panda Scan results and HiJackThis Log:
Incident Status Location

Adware:adware/azesearch Not disinfected C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Baseball news.url
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\GIB
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Carrie Dearden\Application Data\Lycos
Adware:adware/spywareno Not disinfected Windows Registry
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OD2RG5U7\!update-2800[1].0000
Virus:Trj/Agent.AJX Not disinfected C:\Program Files\Object Desktop\DesktopX\dxfi32.dll
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~150881.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~164008.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~518883.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~839926.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~940987.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~962451.tmp

Logfile of HijackThis v1.99.1
Scan saved at 3:37:25 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#10
didom

    Member 1K

  • 1,919 posts
Please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeek...ownload506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D from here:
http://www.majorgeek...ad.php?det=2471
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
  • 0

#11
Fecal Scientist

    Member

  • Topic Starter
  • 17 posts
Ok, after performing a custom scan with Ad-Aware and removing all items found, my IE wouldn't run, nor would MSN Explorer. My internet connection said that I was connected, and since this is the only computer that I am able to work from, I had to restore everything that Ad-Aware found. After restoring, everything worked again. I also ran SpyBot S&D and nothing was found using that. Here are the results from Panda Scan and a new HiJackThis Log:
Adware:adware/azesearch Not disinfected C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Auto racing.url
Adware:adware/purityscan Not disinfected C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware program Not disinfected C:\WINDOWS\flag.bla
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\GIB
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MLH
Adware:adware/dealhelper Not disinfected C:\PROGRAM FILES\TimeSync
Adware:adware/spywareno Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Carrie Dearden\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-2ab4322b.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Carrie Dearden\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-2ab4322b.zip[NewURLClassLoader.class]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OD2RG5U7\!update-2800[1].0000
Virus:Trj/Agent.AJX Not disinfected C:\Program Files\Object Desktop\DesktopX\dxfi32.dll
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\jikfdjdn.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\phhdiafk.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\!update.exe
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~150881.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~164008.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~518883.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~839926.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~940987.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~962451.tmp
Virus:W32/Mops.A.worm Not disinfected C:\WINDOWS\winext.exe
Logfile of HijackThis v1.99.1
Scan saved at 4:07:05 AM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12
didom (Member, 1,919 posts)

Step #1

We need to make sure all hidden files are showing, so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #2

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Find and delete these files and folders (if they are still there):
Files:
C:\GatorPatch.log
C:\WINDOWS\winext.exe
C:\WINDOWS\flag.bla
C:\WINDOWS\Temp\!update.exe
C:\WINDOWS\Temp\~150881.tmp
C:\WINDOWS\Temp\~164008.tmp
C:\WINDOWS\Temp\~518883.tmp
C:\WINDOWS\Temp\~839926.tmp
C:\WINDOWS\Temp\~940987.tmp
C:\WINDOWS\Temp\~962451.tmp
C:\WINDOWS\system32\jikfdjdn.exe
C:\WINDOWS\system32\phhdiafk.exe
C:\WINDOWS\system32\drivers\etc\hosts.bak
C:\Program Files\Object Desktop\DesktopX\dxfi32.dll
C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Auto racing.url
C:\Documents and Settings\Carrie Dearden\Local Settings\Temp\!update.exe

Folders:
C:\PROGRAM FILES\GIB
C:\PROGRAM FILES\MLH
C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\TimeSync
Reboot your computer normally.

Step #4

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.

Step #5

Download Silent Runners.
Unzip it to a permanent folder.
Start SilentRunners.vbs.
If your antivirus gives an alert, do not block it; allow the script.
Copy and paste the content of the text file you get afterwards into your next reply.

Use the Add Reply button to post your new logs back here, along with details of any problems you encountered performing the above steps, and I will review them when they come in.

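Added example (my own code, not part of didom's post and not part of HijackThis): since the next step is to post a fresh HijackThis scan, this Python script parses two HijackThis 1.99.1 logs, reports which entries appeared or disappeared between the scans, and lists the entries a helper reads first. The two logs embedded in it are trimmed excerpts of the logs posted in this thread; the section codes in EARLY_LOAD and the path patterns in USER_WRITABLE are my own choices, not anything HijackThis defines.

```python
"""Diff two HijackThis 1.99.1 logs and list the entries to read first.

Added example for this thread; my own code, not part of the post above and
not part of HijackThis. OLD_LOG / NEW_LOG are trimmed excerpts of the logs
posted in this thread (real entries, but not the complete scans)."""
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [name] path" or
# "F2 - REG:system.ini: UserInit=...". Group 1 is the section code.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Sections whose entries run at boot or logon with no click from the user
# (my own selection of HijackThis section codes, an assumption of this example).
EARLY_LOAD = {"F0", "F1", "F2", "F3", "O20", "O21", "O22", "O23"}
# Folders an unprivileged user, or a drive-by download, can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


def parse_hjt(text):
    """Return {section: set(entries)}; the 'Running processes:' block goes under
    the synthetic section 'PROC'. Entries are lowercased because NTFS names are
    case-insensitive and HijackThis prints both System32 and system32."""
    sections = defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["PROC"].add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].add(m.group(2).lower())
    return sections


def diff_hjt(old_text, new_text):
    """Return {section: {'added': [...], 'removed': [...]}} for every section
    that changed between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    report = {}
    for sec in sorted(set(old) | set(new)):
        added = sorted(new[sec] - old[sec])
        removed = sorted(old[sec] - new[sec])
        if added or removed:
            report[sec] = {"added": added, "removed": removed}
    return report


def review_list(sections):
    """Entries a helper reads before anything else: early-load sections plus
    Run entries launched from user-writable folders. Being listed is not a
    verdict; the O20 WRNotifier entry in this thread is Webroot's own DLL."""
    out = []
    for sec in sorted(sections):
        for entry in sorted(sections[sec]):
            if sec in EARLY_LOAD or (sec == "O4" and any(p in entry for p in USER_WRITABLE)):
                out.append(f"{sec} - {entry}")
    return out


OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for sec, change in diff_hjt(OLD_LOG, NEW_LOG).items():
        for e in change["added"]:
            print(f"+ {sec} - {e}")
        for e in change["removed"]:
            print(f"- {sec} - {e}")
    print("\nRead these first:")
    for line in review_list(parse_hjt(NEW_LOG)):
        print(" ", line)
```

Run it with the two full logs from this thread in place of the excerpts and the diff shows exactly what a fix step changed; an entry that survives a delete-and-reboot, or that reappears in the next scan, is the one to chase. The review list is only a reading order: a Winlogon Notify DLL or a service is where code loads without a click, but that is where legitimate security products hook too.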
#13
Fecal Scientist (Topic Starter, 17 posts)

OK, I deleted all the files that were still on my computer, except that I was unable to delete the file C:\WINDOWS\Temp\~164008.tmp. An error came up saying "Access is denied". Here are the ActiveScan, HijackThis and Silent Runners logs:

Adware:adware/azesearch Not disinfected C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS\Basketball news.url
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\key.~
Adware:adware/spywareno Not disinfected Windows Registry
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~164008.tmp
Logfile of HijackThis v1.99.1
Scan saved at 4:49:50 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."]
"ares" = ""C:\Program Files\Ares\Ares.exe" -h" ["Ares Development Group"]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0" ["Adobe Systems Incorporated"]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"1A:Stardock TrayMonitor" = ""C:\Program Files\Common Files\Stardock\TrayServer.exe"" [file not found]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"REWARDS NETWORK" = "C:\Program Files\Rewards Network\brntray.exe" ["PlanetJam Media Group"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" ["Zero-Knowledge Systems Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"RegistryMechanic" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)
"run" = (value not set)

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Carrie Dearden\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Carrie Dearden" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DvpApi, dvpapi, "C:\Program Files\Common Files\Command Software\dvpapi.exe" ["Command Software Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt03\Driver = "hpzlnt03.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 58 seconds, including 18 seconds for message boxes)

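Added example (my own code, not part of the post above and not part of the Silent Runners script): a Python triage of a Silent Runners report. Silent Runners marks some launch points "INFECTION WARNING!" purely because of where they live (Winlogon\Notify, ShellExecuteHooks, BootExecute), and the bracketed text after each entry is the company name read from the file's version resource, [MS] for Microsoft, or [file not found] / [null data] when there was nothing on disk to read. The script folds the "->" continuation lines into their entries and orders them so that the one entry in the report above that really needs attention, the non-default SsiEfr.e token in BootExecute with no file behind it, sorts first, while the ewido, Microsoft AntiSpyware and Webroot hooks sort as expected-for-installed-products. The sample report is a trimmed excerpt of the one posted above; the priority scheme is my own assumption, not something Silent Runners defines.

```python
"""Triage a Silent Runners report by launch point and on-disk verdict.

Added example for this thread; my own code, not part of the post above and
not part of Silent Runners. SAMPLE_REPORT is a trimmed excerpt of the report
posted in this thread. The four priority levels are this example's own
assumption, not a Silent Runners feature."""
import re

TAG_RE = re.compile(r"\[([^\[\]]*)\]")       # bracketed verdicts at line end
MISSING = {"file not found", "null data"}    # nothing on disk to inspect

SAMPLE_REPORT = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"1A:Stardock TrayMonitor" = ""C:\Program Files\Common Files\Stardock\TrayServer.exe"" [file not found]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"RegistryMechanic" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

Enabled Scheduled Tasks:
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]
'''


def parse_report(text):
    """Return one dict per launch point; '->' lines are folded into the entry
    above them so the CLSID's DLL verdict belongs to the entry that names it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("->") and entries:
            entries[-1]["entry"] += " " + line
            entries[-1]["tags"] += TAG_RE.findall(line)
            continue
        # Registry key headers and section titles carry no '=' or 'launches:'.
        if "=" not in line and "launches:" not in line:
            continue
        entries.append({
            "entry": line,
            "warning": line.startswith("INFECTION WARNING!"),
            "tags": TAG_RE.findall(line),
            "empty": "(empty string)" in line or "(value not set)" in line,
        })
    return entries


def vendor_of(tags):
    """Company name from the file's version resource, quotes stripped; 'MS'
    means Microsoft. This is text read from the file, not a signature check:
    anything can claim to be Microsoft, and the ewido DLL here still carries
    its template placeholder 'TODO: <Firmenname>'."""
    names = [t.strip('"') for t in tags if t not in MISSING]
    return names[0] if names else None


def priority(e):
    missing = e["empty"] or any(t in MISSING for t in e["tags"])
    if e["warning"] and missing:
        return 1  # boot/logon launch point with nothing on disk to inspect: look here first
    if e["warning"]:
        return 2  # expected for installed security products; confirm path and vendor match
    if missing:
        return 3  # orphaned autostart; harmless by itself, but clean it up
    return 4      # ordinary entry with a readable file


def triage(text):
    rows = [{"priority": priority(e), "vendor": vendor_of(e["tags"]), "entry": e["entry"]}
            for e in parse_report(text)]
    rows.sort(key=lambda r: r["priority"])  # stable: report order kept within a level
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f'P{r["priority"]} [{r["vendor"]}] {r["entry"]}')
```

The split matters because "INFECTION WARNING!" on its own sends people after their own anti-spyware hooks (three of the four warnings in the report above are ewido, Microsoft AntiSpyware and Webroot), while an early-load entry whose file cannot even be found is the classic leftover of a removed or hidden component and deserves the first look.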
#14
didom (Member, 1,919 posts)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

We need to make sure all hidden files are showing, so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #2

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Find and delete these files and folders (if they are still there):
C:\Documents and Settings\Carrie Dearden\Favorites\SPORTS <= this folder
C:\WINDOWS\Temp\~164008.tmp <= this file (just try it again!)
Reboot your computer normally.

Step #4

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here, along with details of any problems you encountered performing the above steps, and I will review them when they come in.

Edited by didom, 01 December 2005 - 06:16 AM.


#15
Fecal Scientist (Topic Starter, 17 posts)

OK, I was finally able to delete that stupid file; I had to put the file on my desktop and drag it to the Recycle Bin to get rid of the [bleep] thing. ActiveScan still shows the adware in the Windows Registry, though I am not sure how to get rid of that. I did a system search for the adware that it listed as being in there, but it came back with nothing. Here are the new ActiveScan log and HijackThis log. Thanks again for all your help.

Adware:adware/spywareno Not disinfected Windows Registry
Logfile of HijackThis v1.99.1
Scan saved at 5:17:26 AM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Rewards Network\brndisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carrie Dearden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: lass414 - https://onlinegames....ses/lass414.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...3/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126148021106
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldw...y/territory.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside....cherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} - http://www.one2one.c...ass/one2one.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.righ...l/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} - http://download.acce...mtinstaller.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
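A small parser for the HijackThis log format posted in this thread, added here as an example rather than code from HijackThis or from the thread: it reads the O4 (Run key), O16 (DPF/ActiveX) and O23 (service) lines into records and applies the kind of first-pass checks a log helper does by eye. The sample lines, the placeholder URLs and the function names are constructed for the example.

```python
"""Added example (not HijackThis or Geeks to Go code): parse HijackThis v1.99-style
O4/O16/O23 lines into records and run defender-side triage checks on them.
SAMPLE_LOG is constructed after the thread's log; its paths and URLs are placeholders."""
import re
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [tmpsvc] C:\WINDOWS\Temp\example.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.example.invalid/asinst.cab
O16 - DPF: lass414 - https://games.example.invalid/lass414.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<ident>\{[^}]+\}|.+?)(?: \((?P<desc>[^)]*)\))? - (?P<loc>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$"),
}

def parse_hjt(text):
    """One dict per recognised O4/O16/O23 line; other sections are skipped."""
    records = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
    return records

def split_command(cmd):
    """Return (executable, was_quoted) for a Run-key command line."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0], True
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return (m.group(1) if m else cmd.split(" ", 1)[0]), False

def triage(records):
    """Heuristic findings a log helper checks first; not a malware verdict."""
    findings = []
    for r in records:
        if r["kind"] == "O4":
            exe, quoted = split_command(r["cmd"])
            if not quoted and " " in exe:  # ambiguous: C:\Program could be resolved first
                findings.append(("unquoted_path", r["name"]))
            if re.search(r"\\(temp|documents and settings)\\", exe, re.I):  # temp/profile dir
                findings.append(("suspicious_location", r["name"]))
        elif r["kind"] == "O16" and r["loc"].lower().startswith("http://"):
            findings.append(("plaintext_cab", r["ident"]))  # ActiveX .cab fetched without TLS
    return findings
```

Running `triage(parse_hjt(SAMPLE_LOG))` lists the unquoted Works entry, the startup item under the Temp folder, and the ActiveX control fetched over plain HTTP; each is a prompt for a closer look, not a verdict.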