I've followed your instructions and here are my logs.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 11:48:35 AM, on 12/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PowerManager\upssrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PowerManager\upsio.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Advanced Searchbar\Homepage Protection\HPP.exe
C:\Program Files\Wondershare\Photo2DVD Studio\photo2dvd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mysoftwarechoice.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Homepage Protection.lnk = C:\Program Files\Advanced Searchbar\Homepage Protection\HPP.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129403514077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129403459717
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: UPS Service (CyberPowerUPS) - CyberPower Systems, Inc. - C:\PowerManager\upssrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
********
10:16 AM: | Start of Session, Thursday, December 22, 2005 |
10:16 AM: Spy Sweeper started
10:16 AM: Sweep initiated using definitions version 589
10:16 AM: Starting Memory Sweep
10:27 AM: Memory Sweep Complete, Elapsed Time: 00:11:46
10:27 AM: Starting Registry Sweep
10:28 AM: Found Trojan Horse: phisher-sars
10:28 AM: HKU\S-1-5-21-346832259-3848448594-3852255402-1003\software\sars\ (1 subtraces) (ID = 136733)
10:28 AM: Found Trojan Horse: trojan-backdoor-satellite
10:28 AM: HKU\S-1-5-21-346832259-3848448594-3852255402-1003\software\microsoft\moviemaker\recordsettings\captureset\ (1 subtraces) (ID = 1021450)
10:28 AM: Found Adware: hotsurprise
10:28 AM: HKU\S-1-5-18\software\netscape\netscape navigator\suffixes\ || application/x-htnw (ID = 937510)
10:28 AM: HKU\S-1-5-18\software\microsoft\moviemaker\recordsettings\captureset\ (1 subtraces) (ID = 1021450)
10:28 AM: Registry Sweep Complete, Elapsed Time:00:00:52
10:28 AM: Starting Cookie Sweep
10:29 AM: Found Spy Cookie: 2o7.net cookie
10:29 AM: owner@2o7[1].txt (ID = 1957)
10:29 AM: Found Spy Cookie: 64.62.232 cookie
10:29 AM: [email protected][2].txt (ID = 1987)
10:29 AM: [email protected][3].txt (ID = 1987)
10:29 AM: [email protected][4].txt (ID = 1987)
10:29 AM: Found Spy Cookie: websponsors cookie
10:29 AM: [email protected][1].txt (ID = 3665)
10:29 AM: Found Spy Cookie: about cookie
10:29 AM: owner@about[1].txt (ID = 2037)
10:29 AM: [email protected][2].txt (ID = 2038)
10:29 AM: Found Spy Cookie: adknowledge cookie
10:29 AM: owner@adknowledge[2].txt (ID = 2072)
10:29 AM: Found Spy Cookie: adrevolver cookie
10:29 AM: owner@adrevolver[2].txt (ID = 2088)
10:29 AM: owner@adrevolver[3].txt (ID = 2088)
10:29 AM: Found Spy Cookie: adultfriendfinder cookie
10:29 AM: owner@adultfriendfinder[1].txt (ID = 2165)
10:29 AM: Found Spy Cookie: atwola cookie
10:29 AM: [email protected][2].txt (ID = 2256)
10:29 AM: Found Spy Cookie: ask cookie
10:29 AM: owner@ask[1].txt (ID = 2245)
10:29 AM: owner@atwola[1].txt (ID = 2255)
10:29 AM: Found Spy Cookie: belnk cookie
10:29 AM: owner@belnk[1].txt (ID = 2292)
10:29 AM: Found Spy Cookie: bizrate cookie
10:29 AM: owner@bizrate[1].txt (ID = 2308)
10:29 AM: Found Spy Cookie: burstnet cookie
10:29 AM: owner@burstnet[2].txt (ID = 2336)
10:29 AM: Found Spy Cookie: ccbill cookie
10:29 AM: owner@ccbill[1].txt (ID = 2369)
10:29 AM: Found Spy Cookie: centrport net cookie
10:29 AM: owner@centrport[1].txt (ID = 2374)
10:29 AM: Found Spy Cookie: dealtime cookie
10:29 AM: owner@dealtime[2].txt (ID = 2505)
10:29 AM: [email protected][2].txt (ID = 2293)
10:29 AM: Found Spy Cookie: ic-live cookie
10:29 AM: owner@ic-live[1].txt (ID = 2821)
10:29 AM: [email protected][1].txt (ID = 2038)
10:29 AM: Found Spy Cookie: kinghost cookie
10:29 AM: owner@kinghost[1].txt (ID = 2903)
10:29 AM: Found Spy Cookie: mrskin cookie
10:29 AM: owner@mrskin[1].txt (ID = 3020)
10:29 AM: Found Spy Cookie: nextag cookie
10:29 AM: owner@nextag[2].txt (ID = 5014)
10:29 AM: Found Spy Cookie: pcstats.com cookie
10:29 AM: owner@pcstats[2].txt (ID = 3125)
10:29 AM: [email protected][1].txt (ID = 2038)
10:29 AM: [email protected][2].txt (ID = 2506)
10:29 AM: Found Spy Cookie: toplist cookie
10:29 AM: owner@toplist[1].txt (ID = 3557)
10:29 AM: Found Spy Cookie: tracking cookie
10:29 AM: owner@tracking[2].txt (ID = 3571)
10:29 AM: Found Spy Cookie: adultxxxpornstars cookie
10:29 AM: [email protected][2].txt (ID = 2170)
10:29 AM: [email protected][1].txt (ID = 3021)
10:29 AM: Found Spy Cookie: seeq cookie
10:29 AM: [email protected][1].txt (ID = 3332)
10:29 AM: Found Spy Cookie: xren_cj cookie
10:29 AM: owner@xren_cj[2].txt (ID = 3723)
10:29 AM: owner@xren_cj[3].txt (ID = 3723)
10:29 AM: owner@xren_cj[4].txt (ID = 3723)
10:29 AM: Found Spy Cookie: zedo cookie
10:29 AM: owner@zedo[2].txt (ID = 3762)
10:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:24
10:29 AM: Starting File Sweep
10:30 AM: Found Adware: hotbar
10:30 AM: c:\program files\spamblockerutility (3 subtraces) (ID = -2147465762)
10:30 AM: Found Adware: winhound spyware remover
10:30 AM: c:\documents and settings\owner\application data\winhound.com (11 subtraces) (ID = -2147462035)
10:31 AM: Found Adware: cws_tiny0
10:31 AM: appjt32.dll:fphvbr (ID = 204)
10:31 AM: clock.avi:jxuhiw (ID = 204)
10:32 AM: desktop.ini:axvijo (ID = 204)
10:32 AM: bti.ini:uzxtud (ID = 204)
10:32 AM: clock.avi:ctwtbv (ID = 204)
10:32 AM: control.ini:bynmcg (ID = 200)
10:32 AM: control.ini:uugydg (ID = 200)
10:33 AM: kwfri.txt:lemhus (ID = 200)
10:33 AM: move your stuff.ico:zhxzcl (ID = 204)
10:33 AM: winnt256.bmp:iuopfu (ID = 200)
10:33 AM: sti_trace.log:wepicj (ID = 204)
10:33 AM: wmsysprx(2).prx:vawsuw (ID = 204)
10:33 AM: mkdewe.trn:cyltoi (ID = 200)
10:34 AM: windows update.log:swmeou (ID = 200)
10:34 AM: blkdrv.dat:vqllqv (ID = 200)
10:34 AM: msgsocm.log:riqmew (ID = 200)
10:34 AM: t30debuglogfile.txt:vheniu (ID = 200)
10:35 AM: river sumida.bmp:qfizzg (ID = 200)
10:36 AM: q311889.log:esofod (ID = 200)
10:36 AM: dasetup.log:sallyr (ID = 204)
10:36 AM: setuplog.txt:mfvnul (ID = 200)
10:37 AM: vmmreg32.dll:qieesg (ID = 200)
10:37 AM: msdfmap.ini:hcoxze (ID = 204)
10:40 AM: softchoice.ico:wgxdyq (ID = 204)
10:40 AM: sgedit.ini:kehldv (ID = 204)
10:40 AM: t30debuglogfile.txt:ghjoud (ID = 200)
10:45 AM: winhelp.exe:qtwbds (ID = 204)
10:46 AM: odbcinst.ini:kdvsba (ID = 204)
10:46 AM: orun32.isu:denyvl (ID = 200)
10:46 AM: sti_trace.log:bdiede (ID = 204)
10:47 AM: sdkvh.dll:mcqmhs (ID = 204)
10:47 AM: iptc.dll:qrftws (ID = 204)
10:52 AM: orun32.isu:hpobya (ID = 204)
11:06 AM: reglocs.old:xequxd (ID = 204)
11:11 AM: sessmgr.setup.log:gnbkte (ID = 204)
11:12 AM: taxact04.ini:melxar (ID = 200)
11:16 AM: q308387.log:msvzut (ID = 204)
11:20 AM: system.ini:peivwu (ID = 200)
11:21 AM: setupact.log:fdarbc (ID = 200)
11:21 AM: setupact.log:uechsa (ID = 204)
11:21 AM: setupact.log:utqzzl (ID = 200)
11:25 AM: bti(2).ini:wiplyo (ID = 204)
11:31 AM: File Sweep Complete, Elapsed Time: 01:02:32
11:31 AM: Full Sweep has completed. Elapsed time 01:15:48
11:31 AM: Traces Found: 103
11:44 AM: Removal process initiated
11:44 AM: Quarantining All Traces: phisher-sars
11:44 AM: Quarantining All Traces: trojan-backdoor-satellite
11:44 AM: Quarantining All Traces: cws_tiny0
11:44 AM: Quarantining All Traces: hotbar
11:44 AM: Quarantining All Traces: hotsurprise
11:44 AM: Quarantining All Traces: winhound spyware remover
11:44 AM: Quarantining All Traces: 2o7.net cookie
11:44 AM: Quarantining All Traces: 64.62.232 cookie
11:44 AM: Quarantining All Traces: about cookie
11:45 AM: Quarantining All Traces: adknowledge cookie
11:45 AM: Quarantining All Traces: adrevolver cookie
11:45 AM: Quarantining All Traces: adultfriendfinder cookie
11:45 AM: Quarantining All Traces: adultxxxpornstars cookie
11:45 AM: Quarantining All Traces: ask cookie
11:45 AM: Quarantining All Traces: atwola cookie
11:45 AM: Quarantining All Traces: belnk cookie
11:45 AM: Quarantining All Traces: bizrate cookie
11:45 AM: Quarantining All Traces: burstnet cookie
11:45 AM: Quarantining All Traces: ccbill cookie
11:45 AM: Quarantining All Traces: centrport net cookie
11:45 AM: Quarantining All Traces: dealtime cookie
11:45 AM: Quarantining All Traces: ic-live cookie
11:45 AM: Quarantining All Traces: kinghost cookie
11:45 AM: Quarantining All Traces: mrskin cookie
11:45 AM: Quarantining All Traces: nextag cookie
11:45 AM: Quarantining All Traces: pcstats.com cookie
11:45 AM: Quarantining All Traces: seeq cookie
11:45 AM: Quarantining All Traces: toplist cookie
11:45 AM: Quarantining All Traces: tracking cookie
11:45 AM: Quarantining All Traces: websponsors cookie
11:45 AM: Quarantining All Traces: xren_cj cookie
11:45 AM: Quarantining All Traces: zedo cookie
11:45 AM: Removal process completed. Elapsed time 00:01:12
********
7:57 AM: | Start of Session, Wednesday, December 07, 2005 |
7:57 AM: Spy Sweeper started
7:57 AM: Sweep initiated using definitions version 556
7:57 AM: Starting Memory Sweep
8:03 AM: Memory Sweep Complete, Elapsed Time: 00:06:04
8:03 AM: Starting Registry Sweep
8:03 AM: Registry Sweep Complete, Elapsed Time:00:00:22
8:03 AM: Starting Cookie Sweep
8:03 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:03 AM: Starting File Sweep
8:19 AM: File Sweep Complete, Elapsed Time: 00:16:17
8:19 AM: Full Sweep has completed. Elapsed time 00:22:48
8:19 AM: Traces Found: 0
9:10 AM: Deletion from quarantine initiated
9:10 AM: Processing: 2o7.net cookie
9:10 AM: Processing: 66.246.209 cookie
9:10 AM: Processing: advertising cookie
9:10 AM: Processing: atlas dmt cookie
9:10 AM: Processing: atwola cookie
9:10 AM: Processing: coolwebsearch (cws)
9:10 AM: Processing: cws aboutnavigationfailed hijacker
9:10 AM: Processing: cws se.dll hijack
9:10 AM: Processing: cws_ns3
9:10 AM: Processing: cws_tiny0
9:10 AM: Processing: cws-aboutblank
9:11 AM: Processing: gain-supported software
9:11 AM: Processing: hotbar
9:11 AM: Processing: hotnow
9:11 AM: Processing: hotsurprise
9:11 AM: Processing: ieplugin
9:11 AM: Processing: ist istbar
9:11 AM: Processing: psguard desktop hijacker
9:11 AM: Processing: shopathomeselect
9:11 AM: Processing: trojan-backdoor-msdcom32
9:11 AM: Processing: tvmedia
9:11 AM: Deletion from quarantine completed. Elapsed time 00:00:02
12:20 PM: The Spy Communication shield has blocked access to: banners.pennyweb.com
12:20 PM: The Spy Communication shield has blocked access to: banners.pennyweb.com
11:11 AM: BHO Shield: found: -- BHO installation allowed at user request
11:12 AM: Processing Internet Explorer Favorites Alerts
11:12 AM: Removed IE Favorite: Webuser Forums User has been registered.
11:12 AM: Removed IE Favorite: Webuser Forums my desktop has been hijacked with warnhp.html!! Help
11:38 AM: Your spyware definitions have been updated.
10:54 AM: BHO Shield: found: -- BHO installation allowed at user request
11:00 AM: IE Security Shield: found: C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE -- IE Security modification allowed at user request
11:40 AM: Your spyware definitions have been updated.
12:28 PM: Processing Startup Alerts
12:28 PM: Allowed Startup entry: THGuard
12:29 PM: Processing Startup Alerts
12:29 PM: Allowed Startup entry: THGuard
2:44 PM: BHO Shield: found: -- BHO installation allowed at user request
9:21 AM: Your spyware definitions have been updated.
3:18 PM: Processing Startup Alerts
3:18 PM: Removed Startup entry: MPlayer2_FixUp
3:18 PM: Removed Startup entry: Simple Star PhotoShow Media Manager
9:23 AM: Your spyware definitions have been updated.
10:20 AM: Processing Internet Explorer Favorites Alerts
10:20 AM: Allowed IE Favorite: Preventing Infection - Geeks to Go Forums
10:20 AM: Allowed IE Favorite: WWMD - Regional Office Programs - engineering services
10:20 AM: Allowed IE Favorite: http--www.anr.state.vt.us-dec-ww-Rules-OS-2004-FinalEffective1-1-05.pdf
10:20 AM: Allowed IE Favorite: Visa armand4-fournier1
10:20 AM: Allowed IE Favorite: MerchantConnect-access-fournier4
10:20 AM: Allowed IE Favorite: MC armand44-fournier1
10:20 AM: Allowed IE Favorite: M Bk pinetreest-access or 1
10:20 AM: Allowed IE Favorite: M Bank Four#1 #2
10:20 AM: Allowed IE Favorite: EmigrantDirect-armand44-fournier1
10:20 AM: Allowed IE Favorite: Emigrant Direct In The News
10:20 AM: Allowed IE Favorite: Chase-armand44-fournier11
10:21 AM: Processing Internet Explorer Favorites Alerts
10:21 AM: Allowed IE Favorite: Plan #2-2011
10:21 AM: Processing Internet Explorer Favorites Alerts
10:21 AM: Allowed IE Favorite: Vermont Tenants, Inc.-CVOEO Home Page
10:24 AM: Processing Internet Explorer Favorites Alerts
10:24 AM: Allowed IE Favorite: Legal Forms from LawDepot.com - Automated Online Form
10:24 AM: Allowed IE Favorite: Automated Promissory Note by LawDepot.com
10:24 AM: Allowed IE Favorite: Amortization Calculator Output
10:24 AM: Allowed IE Favorite: Peachtree Forums - a4nier-four
10:24 AM: Allowed IE Favorite: Ask4Ink.com - source for HP C6657AN ink cartridge ( HP 57 ) printer ink, HP C6657AN inkjet cartridge, printer ink jet cartrid
10:24 AM: Allowed IE Favorite: HP Photosmart 7760 InkJet Cartridges
10:24 AM: Allowed IE Favorite: TerraServer.com - View Imagery
10:35 AM: Your spyware definitions have been updated.
8:16 AM: Your spyware definitions have been updated.
11:29 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:29 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:29 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:29 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:30 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:30 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:30 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:30 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:30 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:31 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:35 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:35 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:35 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
2:35 PM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
8:21 AM: Your spyware definitions have been updated.
3:15 PM: Processing Startup Alerts
3:15 PM: Allowed Startup entry: load32
8:12 AM: Processing Startup Alerts
8:12 AM: Removed Startup entry: WinHound
8:12 AM: Removed Startup entry: PcSync
8:12 AM: Removed Startup entry: AIM
8:12 AM: Removed Startup entry: Zero Knowledge Freedom
8:31 AM: Processing Startup Alerts
8:31 AM: Removed Startup entry: wextract_cleanup0
********
3:46 PM: | Start of Session, Tuesday, December 06, 2005 |
3:46 PM: Spy Sweeper started
3:46 PM: Sweep initiated using definitions version 556
3:46 PM: Starting Memory Sweep
3:54 PM: Memory Sweep Complete, Elapsed Time: 00:08:03
3:54 PM: Starting Registry Sweep
3:54 PM: Registry Sweep Complete, Elapsed Time:00:00:43
3:54 PM: Starting Cookie Sweep
3:54 PM: Found Spy Cookie: 2o7.net cookie
3:54 PM: owner@2o7[1].txt (ID = 1957)
3:54 PM: Found Spy Cookie: advertising cookie
3:54 PM: owner@advertising[1].txt (ID = 2175)
3:54 PM: Found Spy Cookie: atwola cookie
3:54 PM: owner@atwola[1].txt (ID = 2255)
3:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
3:55 PM: Starting File Sweep
4:15 PM: File Sweep Complete, Elapsed Time: 00:20:56
4:15 PM: Full Sweep has completed. Elapsed time 00:29:58
4:15 PM: Traces Found: 3
4:45 PM: Removal process initiated
4:45 PM: Quarantining All Traces: 2o7.net cookie
4:45 PM: Quarantining All Traces: advertising cookie
4:45 PM: Quarantining All Traces: atwola cookie
4:45 PM: Removal process completed. Elapsed time 00:00:13
7:57 AM: | End of Session, Wednesday, December 07, 2005 |
********
12:47 PM: | Start of Session, Tuesday, December 06, 2005 |
12:47 PM: Spy Sweeper started
12:47 PM: Sweep initiated using definitions version 556
12:47 PM: Starting Memory Sweep
12:53 PM: Found Adware: coolwebsearch (cws)
12:53 PM: Detected running threat: C:\WINDOWS\SYSTEM32\icasServ.exe (ID = 119337)
12:53 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || icasServ (ID = 0)
12:53 PM: Found Adware: cws-aboutblank
12:53 PM: Detected running threat: C:\Documents and Settings\Owner\Local Settings\Temp\se.dll (ID = 5)
12:55 PM: Memory Sweep Complete, Elapsed Time: 00:07:48
12:55 PM: Starting Registry Sweep
12:55 PM: HKCR\clsid\{3ce36d52-d914-5ba5-c0e2-3f53ae992abb}\ (2 subtraces) (ID = 107209)
12:55 PM: HKCR\clsid\{5e35fc42-405a-366b-fbc7-92e4fb34278a}\ (2 subtraces) (ID = 107268)
12:55 PM: HKCR\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtraces) (ID = 107280)
12:55 PM: HKCR\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 107503)
12:55 PM: HKCR\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 107503)
12:55 PM: HKCR\clsid\{ee7430b5-880b-955d-af46-8c653aead8f8}\ (2 subtraces) (ID = 108279)
12:55 PM: HKCR\clsid\{f22b79fb-1d55-c94f-4938-eaa13a2fb4ed}\ (2 subtraces) (ID = 108311)
12:55 PM: HKLM\software\classes\clsid\{3ce36d52-d914-5ba5-c0e2-3f53ae992abb}\ (2 subtraces) (ID = 108597)
12:55 PM: HKLM\software\classes\clsid\{5e35fc42-405a-366b-fbc7-92e4fb34278a}\ (2 subtraces) (ID = 108656)
12:55 PM: HKLM\software\classes\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtraces) (ID = 108668)
12:55 PM: HKLM\software\classes\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 108890)
12:55 PM: HKLM\software\classes\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 108890)
12:55 PM: HKLM\software\classes\clsid\{ee7430b5-880b-955d-af46-8c653aead8f8}\ (2 subtraces) (ID = 109661)
12:55 PM: HKLM\software\classes\clsid\{f22b79fb-1d55-c94f-4938-eaa13a2fb4ed}\ (2 subtraces) (ID = 109692)
12:55 PM: HKCR\clsid\{0e594352-a957-6820-4820-a4904cb77b7b}\ (2 subtraces) (ID = 112797)
12:55 PM: HKCR\clsid\{8f6c5de9-fddf-569a-0a0f-fef0e3957f0f}\ (2 subtraces) (ID = 113181)
12:55 PM: HKCR\clsid\{483c767c-e381-7083-fd10-379897aedefb}\ (2 subtraces) (ID = 113500)
12:55 PM: HKCR\clsid\{59411f8e-cf6c-7b7a-f0c0-db33873458bd}\ (2 subtraces) (ID = 113677)
12:55 PM: HKCR\clsid\{b7f1ece3-b414-b58b-b0a0-b0033802a5e4}\ (2 subtraces) (ID = 113899)
12:55 PM: HKCR\clsid\{cbd8f541-0c17-2308-ce59-19acbb1e7cb6}\ (2 subtraces) (ID = 114031)
12:55 PM: HKCR\clsid\{e37e0653-669a-42a9-7ea2-cec47aaf6d31}\ (2 subtraces) (ID = 114178)
12:55 PM: HKCR\protocols\filter\text/html\ (1 subtraces) (ID = 114343)
12:55 PM: HKCR\protocols\filter\text/plain\ (1 subtraces) (ID = 114344)
12:55 PM: HKLM\software\classes\clsid\{0e594352-a957-6820-4820-a4904cb77b7b}\ (2 subtraces) (ID = 114382)
12:55 PM: HKLM\software\classes\clsid\{8f6c5de9-fddf-569a-0a0f-fef0e3957f0f}\ (2 subtraces) (ID = 114762)
12:55 PM: HKLM\software\classes\clsid\{483c767c-e381-7083-fd10-379897aedefb}\ (2 subtraces) (ID = 115075)
12:55 PM: HKLM\software\classes\clsid\{59411f8e-cf6c-7b7a-f0c0-db33873458bd}\ (2 subtraces) (ID = 115253)
12:55 PM: HKLM\software\classes\clsid\{b7f1ece3-b414-b58b-b0a0-b0033802a5e4}\ (2 subtraces) (ID = 115468)
12:55 PM: HKLM\software\classes\clsid\{cbd8f541-0c17-2308-ce59-19acbb1e7cb6}\ (2 subtraces) (ID = 115598)
12:55 PM: HKLM\software\classes\clsid\{e37e0653-669a-42a9-7ea2-cec47aaf6d31}\ (2 subtraces) (ID = 115744)
12:55 PM: HKLM\software\classes\protocols\filter\text/html\ (1 subtraces) (ID = 115907)
12:55 PM: HKLM\software\classes\protocols\filter\text/plain\ (1 subtraces) (ID = 115908)
12:55 PM: HKLM\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115926)
12:55 PM: HKLM\software\microsoft\windows\currentversion\run\ || sp (ID = 116766)
12:55 PM: HKLM\software\microsoft\windows\currentversion\uninstall\searchassistant uninstall\ (2 subtraces) (ID = 116768)
12:55 PM: Found Adware: cws_ns3
12:55 PM: HKCR\clsid\{7d492e22-3773-8826-65fc-bcde3be460f9}\ (2 subtraces) (ID = 117983)
12:55 PM: HKCR\clsid\{8c5ccfeb-d80b-9087-ae97-c7343da6efdd}\ (2 subtraces) (ID = 118016)
12:55 PM: HKCR\clsid\{27d7bc22-f101-e351-8f6e-1b9ce9ecdd9c}\ (2 subtraces) (ID = 118116)
12:55 PM: HKCR\clsid\{50d9f2ab-8ec8-43e6-7c24-956820685690}\ (2 subtraces) (ID = 118191)
12:55 PM: HKCR\clsid\{52ca0fce-f9e0-2125-6ca6-2627141a47e9}\ (2 subtraces) (ID = 118195)
12:55 PM: HKCR\clsid\{56cdf9c1-56a8-f6f5-d235-2292cc21e897}\ (2 subtraces) (ID = 118207)
12:55 PM: HKCR\clsid\{84cde153-4cad-fc75-55e6-8ec38bb49b2c}\ (2 subtraces) (ID = 118282)
12:55 PM: HKCR\clsid\{798a3875-f0cf-e2b2-3196-d55e89cdef04}\ (2 subtraces) (ID = 118434)
12:55 PM: HKCR\clsid\{941c34f9-1f0a-6cbd-610e-8e15ce401add}\ (2 subtraces) (ID = 118457)
12:55 PM: HKCR\clsid\{8608bd91-b563-3b6a-847d-4938f5485f33}\ (2 subtraces) (ID = 118545)
12:55 PM: HKCR\clsid\{9261c8d3-6127-c95a-7b9b-f9e8ee283c42}\ (2 subtraces) (ID = 118551)
12:55 PM: HKCR\clsid\{8037964d-1365-8c5e-3ac3-419713b83cbe}\ (2 subtraces) (ID = 118682)
12:55 PM: HKCR\clsid\{10906011-f56b-d0fc-a5b8-30da3c759364}\ (2 subtraces) (ID = 118685)
12:55 PM: HKCR\clsid\{ad10fca0-53c6-02aa-4fd3-910400721200}\ (2 subtraces) (ID = 118819)
12:55 PM: HKCR\clsid\{af9e11d5-d86e-6f6b-de0a-d761ba766004}\ (2 subtraces) (ID = 118832)
12:55 PM: HKCR\clsid\{b64d852f-9fe9-83c4-3452-87a31638742a}\ (2 subtraces) (ID = 118867)
12:55 PM: HKCR\clsid\{b591ede1-abd7-f9ab-ff0b-970ce7faf00b}\ (2 subtraces) (ID = 118877)
12:55 PM: HKCR\clsid\{c09ee5e7-d49f-277c-b382-2ae86d6e874b}\ (2 subtraces) (ID = 118939)
12:55 PM: HKCR\clsid\{c7d795ac-547b-fa4b-091b-30c3c67b7d07}\ (2 subtraces) (ID = 118959)
12:55 PM: HKCR\clsid\{e61b04d3-5684-9f05-b849-0b1ac13a3f3f}\ (2 subtraces) (ID = 119244)
12:55 PM: HKCR\clsid\{edb041dc-4d4d-649f-f3b9-249e35abbef0}\ (2 subtraces) (ID = 119310)
12:55 PM: HKLM\software\classes\clsid\{7d492e22-3773-8826-65fc-bcde3be460f9}\ (2 subtraces) (ID = 119858)
12:55 PM: HKLM\software\classes\clsid\{8c5ccfeb-d80b-9087-ae97-c7343da6efdd}\ (2 subtraces) (ID = 119890)
12:55 PM: HKLM\software\classes\clsid\{27d7bc22-f101-e351-8f6e-1b9ce9ecdd9c}\ (2 subtraces) (ID = 119985)
12:55 PM: HKLM\software\classes\clsid\{50d9f2ab-8ec8-43e6-7c24-956820685690}\ (2 subtraces) (ID = 120048)
12:55 PM: HKLM\software\classes\clsid\{52ca0fce-f9e0-2125-6ca6-2627141a47e9}\ (2 subtraces) (ID = 120052)
12:55 PM: HKLM\software\classes\clsid\{56cdf9c1-56a8-f6f5-d235-2292cc21e897}\ (2 subtraces) (ID = 120064)
12:55 PM: HKLM\software\classes\clsid\{84cde153-4cad-fc75-55e6-8ec38bb49b2c}\ (2 subtraces) (ID = 120138)
12:55 PM: HKLM\software\classes\clsid\{941c34f9-1f0a-6cbd-610e-8e15ce401add}\ (2 subtraces) (ID = 120304)
12:55 PM: HKLM\software\classes\clsid\{8608bd91-b563-3b6a-847d-4938f5485f33}\ (2 subtraces) (ID = 120391)
12:55 PM: HKLM\software\classes\clsid\{9633e7cb-d24d-2353-e8ec-fcf820661f42}\ (2 subtraces) (ID = 120405)
12:55 PM: HKLM\software\classes\clsid\{8037964d-1365-8c5e-3ac3-419713b83cbe}\ (2 subtraces) (ID = 120527)
12:55 PM: HKLM\software\classes\clsid\{ad10fca0-53c6-02aa-4fd3-910400721200}\ (2 subtraces) (ID = 120658)
12:55 PM: HKLM\software\classes\clsid\{af9e11d5-d86e-6f6b-de0a-d761ba766004}\ (2 subtraces) (ID = 120671)
12:55 PM: HKLM\software\classes\clsid\{b64d852f-9fe9-83c4-3452-87a31638742a}\ (2 subtraces) (ID = 120705)
12:55 PM: HKLM\software\classes\clsid\{b591ede1-abd7-f9ab-ff0b-970ce7faf00b}\ (2 subtraces) (ID = 120715)
12:55 PM: HKLM\software\classes\clsid\{c09ee5e7-d49f-277c-b382-2ae86d6e874b}\ (2 subtraces) (ID = 120775)
12:55 PM: HKLM\software\classes\clsid\{c7d795ac-547b-fa4b-091b-30c3c67b7d07}\ (2 subtraces) (ID = 120794)
12:55 PM: HKLM\software\classes\clsid\{e61b04d3-5684-9f05-b849-0b1ac13a3f3f}\ (2 subtraces) (ID = 121078)
12:55 PM: HKLM\software\classes\clsid\{edb041dc-4d4d-649f-f3b9-249e35abbef0}\ (2 subtraces) (ID = 121141)
12:55 PM: Found Adware: cws_tiny0
12:55 PM: HKCR\clsid\{8a71c47b-9917-b588-625b-79254d40a325}\ (2 subtraces) (ID = 123858)
12:55 PM: HKCR\clsid\{38bcc2cd-af0a-ec41-d4cb-035f1c7378c9}\ (2 subtraces) (ID = 123881)
12:55 PM: HKCR\clsid\{983bcd03-bad0-48dd-7123-2cea9002484d}\ (2 subtraces) (ID = 123926)
12:55 PM: HKLM\software\classes\clsid\{8a71c47b-9917-b588-625b-79254d40a325}\ (2 subtraces) (ID = 124092)
12:55 PM: HKLM\software\classes\clsid\{983bcd03-bad0-48dd-7123-2cea9002484d}\ (2 subtraces) (ID = 124156)
12:55 PM: Found Adware: hotnow
12:55 PM: HKCR\.htnw\ (2 subtraces) (ID = 127694)
12:55 PM: HKCR\htnw file\ (7 subtraces) (ID = 127695)
12:55 PM: HKCR\mime\database\content type\application/x-htnw\ (1 subtraces) (ID = 127696)
12:55 PM: HKLM\software\pmx\ (3 subtraces) (ID = 127698)
12:55 PM: HKLM\software\classes\.htnw\ (2 subtraces) (ID = 127699)
12:55 PM: HKLM\software\classes\htnw file\ (7 subtraces) (ID = 127700)
12:55 PM: HKLM\software\classes\mime\database\content type\application/x-htnw\ (1 subtraces) (ID = 127701)
12:55 PM: Found Adware: ieplugin
12:55 PM: HKCR\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\ (2 subtraces) (ID = 128128)
12:55 PM: HKLM\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\ (2 subtraces) (ID = 128159)
12:55 PM: Found Adware: psguard desktop hijacker
12:55 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet update\ (3 subtraces) (ID = 136964)
12:56 PM: Found Adware: tvmedia
12:56 PM: HKCR\clsid\{39036bd7-3708-ac69-49ca-78f80350cdf7}\ (4 subtraces) (ID = 145302)
12:56 PM: HKLM\software\classes\clsid\{39036bd7-3708-ac69-49ca-78f80350cdf7}\ (4 subtraces) (ID = 145306)
12:56 PM: Found Trojan Horse: trojan-backdoor-msdcom32
12:56 PM: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366335)
12:56 PM: HKLM\software\classes\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366355)
12:56 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 385950)
12:56 PM: Found Adware: hotbar
12:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/hbinstie.dll\ (2 subtraces) (ID = 484423)
12:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\hbinstie.dll (ID = 655022)
12:56 PM: HKLM\software\microsoft\code store database\distribution units\{8c875948-9c60-4381-9248-0df180542d53}\ (11 subtraces) (ID = 774751)
12:56 PM: Found Adware: hotsurprise
12:56 PM: HKU\.default\software\netscape\netscape navigator\suffixes\ || application/x-htnw (ID = 782233)
12:56 PM: HKU\.default\software\netscape\netscape navigator\viewers\ || type35 (ID = 782235)
12:56 PM: Found Adware: cws se.dll hijack
12:56 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 837388)
12:56 PM: HKU\WRSS_Profile_S-1-5-21-346832259-3848448594-3852255402-1006\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
12:56 PM: Found Adware: cws aboutnavigationfailed hijacker
12:56 PM: HKU\WRSS_Profile_S-1-5-21-346832259-3848448594-3852255402-1006\software\microsoft\internet explorer\main\ || search bar (ID = 116803)
12:56 PM: HKU\S-1-5-21-346832259-3848448594-3852255402-1003\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
12:56 PM: HKU\S-1-5-21-346832259-3848448594-3852255402-1003\software\pmx\ (15 subtraces) (ID = 127697)
12:56 PM: HKU\S-1-5-21-346832259-3848448594-3852255402-1003\software\microsoft\internet explorer\main\ || search bar (ID = 837387)
12:56 PM: Registry Sweep Complete, Elapsed Time:00:00:44
12:56 PM: Starting Cookie Sweep
12:56 PM: Found Spy Cookie: atlas dmt cookie
12:56 PM: reba@atdmt[2].txt (ID = 2253)
12:56 PM: Found Spy Cookie: 2o7.net cookie
12:56 PM: [email protected][1].txt (ID = 1958)
12:56 PM: Found Spy Cookie: 66.246.209 cookie
12:56 PM: [email protected][1].txt (ID = 1997)
12:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:56 PM: Starting File Sweep
12:56 PM: Found Adware: shopathomeselect
12:56 PM: c:\windows\system32\sahimages (2 subtraces) (ID = -2147480329)
12:57 PM: faxmgr.ini:urmcyu (ID = 55692)
12:57 PM: album.ini:rxcdf (ID = 56660)
12:57 PM: q282010.log:innje (ID = 56660)
12:57 PM: control.ini:mwagdh (ID = 56601)
12:57 PM: active setup log.bak:kfvmb (ID = 56718)
12:57 PM: tsoc.log:cvdyb (ID = 56660)
12:58 PM: tm97pj39.dat (ID = 75644)
12:58 PM: zapotec.bmp:cgztu (ID = 56660)
12:58 PM: pstudio.ini:hqsez (ID = 56711)
12:58 PM: q308387.log:zrkjc (ID = 56711)
12:58 PM: oewablog.txt:jvgaf (ID = 56447)
12:58 PM: q308387.log:xohizg (ID = 56601)
12:58 PM: q282010.log:hvuhj (ID = 56660)
12:59 PM: q311889.log:ksdww (ID = 56322)
12:59 PM: q311889.log:qnocm (ID = 56660)
12:59 PM: haeac.dll (ID = 56603)
12:59 PM: hpqemlsz.ini:zmajw (ID = 56603)
12:59 PM: hbmpd.dll (ID = 56603)
12:59 PM: nsreg.dat:lofrn (ID = 56711)
12:59 PM: msgsocm.log:xibet (ID = 56322)
12:59 PM: softchoice.ico:wvsoi (ID = 81628)
1:00 PM: q315000.log:kdlfaz (ID = 57147)
1:00 PM: regopt.log:refll (ID = 56322)
1:01 PM: zyvia.dat:zektn (ID = 56711)
1:01 PM: faxsetup.log:bxink (ID = 56447)
1:01 PM: windows update.log:iqjwx (ID = 56447)
1:02 PM: sdkqx32.dll:uffjvd (ID = 56887)
1:02 PM: setuperr.log:kkodgr (ID = 56601)
1:03 PM: p1fumi62.dat (ID = 75851)
1:03 PM: vb.ini:gfihgx (ID = 56601)
1:03 PM: rtzol.dll:trvlsn (ID = 57119)
1:03 PM: dasetup.log:ssllb (ID = 56660)
1:03 PM: preinstallation.txt:atebq (ID = 56660)
1:04 PM: bti(2).ini:rwdxrb (ID = 56887)
1:04 PM: kdlmjh8r.dat (ID = 75676)
1:04 PM: hgvhu.dll (ID = 56603)
1:04 PM: egnvf.dll (ID = 56603)
1:04 PM: aenlq.dll (ID = 56603)
1:04 PM: armand_owner_pstudio.ini:hqsez (ID = 56711)
1:04 PM: blue lace 16.bmp:tfyqf (ID = 56660)
1:05 PM: winhlp32(2).exe:ntspwh (ID = 54093)
1:06 PM: gatorhdplugin.log:kfqct (ID = 56711)
1:07 PM: twunk_16.exe:vrkzt (ID = 56660)
1:07 PM: comsetup.log:nynrt (ID = 56447)
1:08 PM: okpdw.dat:iedty (ID = 56447)
1:10 PM: crgr.dll:exslgs (ID = 56287)
1:10 PM: hbinstie.dll (ID = 62318)
1:11 PM: vminst.log:sakfmb (ID = 54093)
1:11 PM: zhxzc.dat:xnhwdf (ID = 56887)
1:11 PM: hotnow.lnk (ID = 62419)
1:12 PM: winhlp32.exe:ntspwh (ID = 54093)
1:15 PM: q308387.log:vcbnu (ID = 56447)
1:15 PM: q311889.log:gdttx (ID = 56711)
1:18 PM: Found Adware: gain-supported software
1:18 PM: gatorhdplugin.log (ID = 119819)
1:18 PM: greenstone.bmp:jmazwe (ID = 56887)
1:18 PM: winnt.bmp:mkjhfs (ID = 56601)
1:18 PM: wksps.dat (ID = 53987)
1:18 PM: new.flg:vlwsd (ID = 56660)
1:19 PM: winhlp32.exe:brcjz (ID = 56711)
1:20 PM: wmsysprx.prx:trupt (ID = 56711)
1:20 PM: bl.dat (ID = 53987)
1:20 PM: unwise.exe:vzfjxm (ID = 56287)
1:20 PM: oewablog.txt:qhrtue (ID = 56601)
1:21 PM: zyvia.dat (ID = 56286)
1:21 PM: purep.dat (ID = 56286)
1:21 PM: mfcao32.dll:bvitfu (ID = 56601)
1:21 PM: msgsocm.log:eyejdr (ID = 54093)
1:22 PM: jautoexp.dat:rkavt (ID = 56711)
1:22 PM: explorer.exe:glved (ID = 56660)
1:22 PM: mplocal.ini:fiizr (ID = 56714)
1:22 PM: feathertexture.bmp:hxfju (ID = 56447)
1:23 PM: winhlp32.exe:bivwg (ID = 56660)
1:23 PM: hpfsched.exe:tvkcb (ID = 56660)
1:23 PM: gatorhdplugin.log:ibvxp (ID = 56711)
1:23 PM: wmsysprx(2).prx:trupt (ID = 56711)
1:24 PM: orun32.ini:afvzs (ID = 56711)
1:25 PM: mkdewe.trn:lrcelz (ID = 56287)
1:25 PM: mkdewe.trn:mhqmx (ID = 56711)
1:25 PM: icasserv.exe (ID = 119337)
1:25 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || icasServ (ID = 0)
1:25 PM: uktzl.dll (ID = 56603)
1:26 PM: winhlp32(2).exe:bivwg (ID = 56660)
1:26 PM: winhlp32(2).exe:brcjz (ID = 56711)
1:26 PM: iptc.dll:wbhbx (ID = 56447)
1:28 PM: lifeclips tape to dvd.ico:cpujf (ID = 56718)
1:28 PM: move your stuff.ico:dsvkfb (ID = 56451)
1:28 PM: orun32.isu:ywaax (ID = 56660)
1:29 PM: uninst.exe:ghaea (ID = 56660)
1:29 PM: sgedit.ini:euaag (ID = 56711)
1:29 PM: gatoruninstaller.log:bbocj (ID = 56711)
1:29 PM: gatoruninstaller.log:ugjhv (ID = 56714)
1:29 PM: gatoruninstaller.log:wsflf (ID = 56447)
1:29 PM: rtzol.dll (ID = 56603)
1:29 PM: cqmux.dll (ID = 56603)
1:30 PM: lbhui.dll (ID = 56603)
1:31 PM: Found Adware: ist istbar
1:31 PM: 0006_regular[1].cab (ID = 64478)
1:32 PM: spamblockerutility.inf (ID = 62333)
1:32 PM: Warning: Invalid file - not a PKZip file
1:34 PM: File Sweep Complete, Elapsed Time: 00:37:53
1:34 PM: Full Sweep has completed. Elapsed time 00:46:41
1:34 PM: Traces Found: 436
3:28 PM: Removal process initiated
3:28 PM: Quarantining All Traces: cws_ns3
3:29 PM: Quarantining All Traces: cws-aboutblank
3:29 PM: Quarantining All Traces: trojan-backdoor-msdcom32
3:29 PM: Quarantining All Traces: coolwebsearch (cws)
3:29 PM: coolwebsearch (cws) is in use. It will be removed on reboot.
3:29 PM: icasserv.exe is in use. It will be removed on reboot.
3:29 PM: Quarantining All Traces: cws aboutnavigationfailed hijacker
3:29 PM: Quarantining All Traces: cws se.dll hijack
3:29 PM: Quarantining All Traces: cws_tiny0
3:29 PM: Quarantining All Traces: gain-supported software
3:29 PM: Quarantining All Traces: hotbar
3:29 PM: Quarantining All Traces: hotnow
3:29 PM: Quarantining All Traces: hotsurprise
3:29 PM: Quarantining All Traces: ieplugin
3:29 PM: Quarantining All Traces: ist istbar
3:29 PM: Quarantining All Traces: psguard desktop hijacker
3:29 PM: Quarantining All Traces: shopathomeselect
3:29 PM: Quarantining All Traces: tvmedia
3:29 PM: Quarantining All Traces: 2o7.net cookie
3:29 PM: Quarantining All Traces: 66.246.209 cookie
3:29 PM: Quarantining All Traces: atlas dmt cookie
3:30 PM: Preparing to restart your computer. Please wait...
3:30 PM: Removal process completed. Elapsed time 00:02:12
********
12:20 PM: | Start of Session, Tuesday, December 06, 2005 |
12:20 PM: Spy Sweeper started
12:20 PM: Sweep initiated using definitions version 556
12:20 PM: Starting Memory Sweep
12:20 PM: Found Adware: cws-aboutblank
12:20 PM: Detected running threat: C:\WINDOWS\System32\lnjb.dll (ID = 5)
12:22 PM: Sweep Canceled
12:22 PM: Memory Sweep Complete, Elapsed Time: 00:02:02
12:22 PM: Traces Found: 1
12:23 PM: Removal process initiated
12:23 PM: Quarantining All Traces: cws-aboutblank
12:23 PM: cws-aboutblank is in use. It will be removed on reboot.
12:23 PM: C:\WINDOWS\System32\lnjb.dll is in use. It will be removed on reboot.
12:23 PM: Preparing to restart your computer. Please wait...
12:23 PM: Removal process completed. Elapsed time 00:00:30
12:43 PM: Memory Shield: Found: Memory-resident threat coolwebsearch (cws), version 1.0.0.0
12:43 PM: Detected running threat: coolwebsearch (cws)
12:47 PM: | End of Session, Tuesday, December 06, 2005 |
********
11:31 AM: | Start of Session, Tuesday, December 06, 2005 |
11:31 AM: Spy Sweeper started
11:31 AM: Sweep initiated using definitions version 556
11:31 AM: Starting Memory Sweep
11:31 AM: Found Adware: cws-aboutblank
11:31 AM: Detected running threat: C:\WINDOWS\System32\lnjb.dll (ID = 5)
11:37 AM: Detected running threat: C:\Documents and Settings\Owner\Local Settings\Temp\se.dll (ID = 5)
11:38 AM: Memory Sweep Complete, Elapsed Time: 00:07:27
11:38 AM: Starting Registry Sweep
11:38 AM: Found Adware: coolwebsearch (cws)
11:38 AM: HKCR\clsid\{3ce36d52-d914-5ba5-c0e2-3f53ae992abb}\ (2 subtraces) (ID = 107209)
11:38 AM: HKCR\clsid\{5e35fc42-405a-366b-fbc7-92e4fb34278a}\ (2 subtraces) (ID = 107268)
11:38 AM: HKCR\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtraces) (ID = 107280)
11:38 AM: HKCR\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 107503)
11:38 AM: HKCR\clsid\{66f47db1-18c4-9337-e85f-30b8b1dd594a}\ (2 subtraces) (ID = 107503)
11:38 AM: HKCR\clsid\{ee7430b5-880b-955d-af46-8c653aead8f8}\ (2 subtraces) (ID = 108279)
11:38 AM: HKCR\clsid\{f22b79fb-1d55-c94f-4938-eaa13a2fb4ed}\ (2 subtraces) (ID = 108311)
11:38 AM: HKLM\software\classes\clsid\{3ce36d52-d914-5ba5-c0e2-3f53ae992abb}\ (2 subtraces) (ID = 108597)
11:38 AM: HKLM\software\classes\clsid\{5e35fc42-405a-366b-fbc7-92e4fb34278a}\ (2 subtraces) (ID = 108656)
11:38 AM: HKLM\software\classes\clsid\{6a5229c9-2f01-6a52-521f-8f546ded11c7}\ (2 subtrace