Huntbar...part 2



#1
donnadoula

Logfile of HijackThis v1.99.1
Scan saved at 11:39:31 AM, on 12/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\iiiii.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\MIT\MIT.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\svcip.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MIT Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\MIT\MIT.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://www.principal.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126838937584
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: ddawt - ddawt.dll (file missing)
O20 - Winlogon Notify: iiiii - iiiii.dll (file missing)
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: htagyaa - Unknown owner - C:\WINDOWS\system32\htagyaa.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)


#2
FZWG

Let’s go the easy route first to see if we can get rid of some of the nasties showing up on the HijackThis log. If not, we’ll use some heavier artillery.

Please do the following:

Download SpySweeper:
http://www.webroot.c...weeper_overview
On the right side click on: Download SpySweeper Trial
Follow the prompts and do a Typical installation
Click: Install, make sure Run SpySweeper Now is checked, and click Finish.

Update the program definitions

Then click on Options > Sweep Options
Check: Sweep all Folders on Selected drives
Check: Local Disc C
Under: What to Sweep, check every box.

Now, select: Sweep
It will take a while to scan the computer.

When the scan is done, remove whatever it finds.
Then, press the Results button
Select the Session Log tab
Select: Save to File so you can provide the results in your response.
Exit SpySweeper

Restart the computer.

Post the SpySweeper Session log, and a new HijackThis log.

Thank you.

Edited by FZWG, 24 December 2005 - 10:42 PM.


#3
donnadoula

Thank you for your quick response. I know you must be drowning...with the holidays.

I can't get access to webroot.com (either via the link above or by typing in even part of the address.) I can access other sites. Suggestions?

#4
FZWG

Download the Hoster:
http://www.funkytoad.com/hoster.htm
Save it to its own folder
Run Hoster by clicking on its icon (traffic sign/light)

If the Hosts file is read only, as noted in red, click the button: Make Hosts Writable?
Next, select: Restore Original Hosts
OK the prompt.

Next, press: Make Hosts Read Only?
Click OK
Exit Hoster.

Try the SpySweeper website now.

#5
donnadoula

I downloaded the hoster and did the writeable/restore original hosts you described.

Then I tried the webroot.com page (which it did find)

Then I clicked to download the spysweeper trial version...and it did the same thing again...cannot find this page.

Also, my computer's icon in the upper right corner when on the internet spins and spins. Sometimes it doesn't stop spinning when it is finished working or searching.

And my computer makes this awful "growling" noise every now and then. It sounds like the whole computer is just about to shut itself down. I don't know if that is related to the other problem, but thought I'd give you more to work with...hopefully it'll be helpful.

#6
FZWG

Please proceed as follows:

First, read these instructions to have an idea of what to do, and either save them in NotePad on the Desktop, or print them for later use in Safe Mode.

Then, download VundoFix.exe to the Desktop:
http://www.atribune....ds/VundoFix.exe
Double-click VundoFix.exe to extract the files
A VundoFix folder is created on the Desktop.

Next, reboot to Safe Mode:
-Restart the computer
-When the machine first starts again, tap the F8 key repeatedly until presented with a Windows XP Advanced Options menu
-Select the option for Safe Mode using the arrow keys
-Press Enter to boot into Safe Mode

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat

You are presented with a warning and a list of forums.
At this point press Enter one time

Next, a request to type in a file path appears
Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\repair\svcip.dll

Then, press Enter, then press the F6 key, and then press Enter one more time to continue

Again, a request to type in a second file path appears
Please type the following file path (make sure to enter it exactly as below, asterisk included!):

C:\WINDOWS\repair\picvs.*

Then, press Enter, press the F6 key, and press Enter one more time to continue

VundoFix runs, and HijackThis opens.

In HijackThis, place a check next to the following entries:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\svcip.dll

O20 - Winlogon Notify: ddawt - ddawt.dll (file missing)
O20 - Winlogon Notify: iiiii - iiiii.dll (file missing)
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll

Select: Fix Checked

After fixing the entries above, close HijackThis and press any key to force a reboot of the computer.

Pressing any key will cause a Blue Screen. This is normal, do not worry!

Once the computer reboots to normal mode, the VundoFix folder will contain a copy of the VundoFix.txt to provide in your reply.
Next, run an online virus scan from Trend Micro’s HouseCall:
http://housecall.trendmicro.com/

Select: Complete Scan, and scan all drives.

When the scan is finished, delete anything it cannot clean.

Then, select: Print Report
When the report appears, go to File > Save As and save the file to the Desktop.
Under: Save as type use the drop arrow and select: Text file (*.txt)

Finally, restart the computer once more, and post the following:
The VundoFix.txt
The HouseCall report
A new HijackThis log

Is there a reason why you have not updated XP and Internet Explorer?

Using Internet Explorer, please go to:
http://www.microsoft...ws/default.mspx

Then, go to the following area: Run the Windows Validation Assistant
Click on: Validate Now

While the ActiveX loads, do not click on any links.

You will be prompted to install - click YES.

You may need to enter the XP product key, and then click: Continue

When it says Validation Complete, copy what the Assistant reports, and also provide the info in your reply.

#7
donnadoula

I had some problems doing what you requested...they are noted below.

You said>>>>Please proceed as follows:

First, read these instructions to have an idea of what to do, and either save them in NotePad on the Desktop, or print them for later use in Safe Mode.

Then, download VundoFix.exe to the Desktop:
http://www.atribune....ds/VundoFix.exe
Double-click VundoFix.exe to extract the files
A VundoFix folder is created on the Desktop.

Next, reboot to Safe Mode:
-Restart the computer
-When the machine first starts again, tap the F8 key repeatedly until presented with a Windows XP Advanced Options menu
-Select the option for Safe Mode using the arrow keys
-Press Enter to boot into Safe Mode

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat

You are presented with a warning and a list of forums.
At this point press Enter one time

Next, a request to type in a file path appears
Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\repair\svcip.dll

*** No problems so far***


Then, press Enter, then press the F6 key, and then press Enter one more time to continue

Again, a request to type in a second file path appears
Please type the following file path (make sure to enter it exactly as below, asterisk included!):

C:\WINDOWS\repair\picvs.*

Then, press Enter, press the F6 key, and press Enter one more time to continue

*** The F6 key seemed unnecessary, not sure if I did it wrong or what, but I entered both the paths you said to enter (one and then the other after it asked for the 2nd path) without pressing F6 ***

VundoFix runs, and HijackThis opens.

In HijackThis, place a check next to the following entries:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\svcip.dll

*** This line above was not present when I was looking for it***

O20 - Winlogon Notify: ddawt - ddawt.dll (file missing)
O20 - Winlogon Notify: iiiii - iiiii.dll (file missing)
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll

***Deleted these 3 lines without problems***

Select: Fix Checked

After fixing the entries above, close HijackThis and press any key to force a reboot of the computer.

Pressing any key will cause a Blue Screen. This is normal, do not worry!

Once the computer reboots to normal mode, the VundoFix folder will contain a copy of the VundoFix.txt to provide in your reply.
Next, run an online virus scan from Trend Micro’s HouseCall:
http://housecall.trendmicro.com/

Select: Complete Scan, and scan all drives.

When the scan is finished, delete anything it cannot clean.

***Scan seemed ok, but it would not delete anything more after it finished cleaning...even though there was some more grayware***

Then, select: Print Report
When the report appears, go to File > Save As and save the file to the Desktop.
Under: Save as type use the drop arrow and select: Text file (*.txt)

***Could not find "print report" and wouldn't even allow me to highlight and copy***

Finally, restart the computer once more, and post the following:
The VundoFix.txt
The HouseCall report
A new HijackThis log

***Here's the Logfile of HijackThis v1.99.1***
Scan saved at 1:56:10 AM, on 12/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\AllOfUs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\iiiii.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\MIT\MIT.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\svcip.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MIT Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\MIT\MIT.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://www.principal.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126838937584
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: ddawt - ddawt.dll (file missing)
O20 - Winlogon Notify: iiiii - iiiii.dll (file missing)
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: htagyaa - Unknown owner - C:\WINDOWS\system32\htagyaa.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)

***Vundofix.txt file***
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\repair\svcip.dll

The second filepath entered was

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'

Killing PID 812 'explorer.exe'
Killing PID 812 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\repair\svcip.dll Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

***I hope I gave you enough to work with.***

#8
FZWG

Your log is still showing malware, and you are running an outdated and vulnerable version of XP and Internet Explorer.

The first defense against malware is a properly updated system. Connecting to the Internet with no updates installed is the equivalent of dragging a magnet through a pile of metal shavings!!

As asked before, is there any reason why you have not updated XP and Internet Explorer?

Please do the following:

Using Internet Explorer, go to:
http://www.microsoft...ws/default.mspx

Go to the following area: Run the Windows Validation Assistant
Click on Validate Now

While the ActiveX loads, do not click on any links.

You will be prompted to install - click YES.

You may need to enter the XP product key, and then click: Continue

When it says Validation Complete, copy what the Assistant reports, and provide it in your reply.

Next, please make sure HijackThis is in its own folder. If you want to keep it on the Desktop, right click an empty area, select New>Folder, name the folder HijackThis, and place the HijackThis.exe file in it. Then, run the program from there.

HijackThis makes backups of what is fixed/removed, and needs its own folder to create and keep these secure. Backups allow you to restore removed entries, and this option may be necessary when dealing with what is showing on your log.

Now run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\iiiii.dll (file missing)
O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\MIT\MIT.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\svcip.dll (file missing)

O3 - Toolbar: MIT Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\MIT\MIT.dll

O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [links] links.exe

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O20 - Winlogon Notify: ddawt - ddawt.dll (file missing)
O20 - Winlogon Notify: iiiii - iiiii.dll (file missing)
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll (file missing)

O23 - Service: htagyaa - Unknown owner - C:\WINDOWS\system32\htagyaa.exe (file missing)
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)

Select: Fix Checked

It appears that you downloaded EWIDO once before.
If the program is no longer installed, please create a folder on the Desktop (Right click, select New>Folder)
Name it: EWIDO
Download Ewido Security Suite:
http://www.ewido.net/en/download/
Press: Download Now
In the folder where EWIDO is located, double click the EWIDO Setup file
Follow the prompts and reboot when done.

Now, go to Start>All Programs>EWIDO
Select: Security Suite

When the program starts, do an online update for the latest signature files
An Update Successful prompt appears when done

Then, reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Run EWIDO
Click on the Scanner button in the left menu
Next, click on: Complete System Scan

The scan may find malware entries and request action to clean up. Agree.
However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None as the action for the time being.

Once the scan has completed, click: Save Report
Save the report to the EWIDO folder

When EWIDO is done, reboot.

Run HijackThis (from its own folder!!), Scan.

Post the EWIDO report, and a new HijackThis log
  • 0
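
The structural part of the selection in the post above, as an added example that is not part of the original thread or of HijackThis: a small Python triage that flags log lines whose registered file is missing, DLLs registered under Winlogon Notify, and Run commands with no directory. The function names and rules are assumptions made for illustration; entries FZWG selected by reputation (MIT.dll, guarnset.exe, ContentAuditX) are outside what these rules can catch.

```python
import re
from dataclasses import dataclass, field

# A few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\iiiii.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [links] links.exe
O20 - Winlogon Notify: svcip - C:\WINDOWS\repair\svcip.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: htagyaa - Unknown owner - C:\WINDOWS\system32\htagyaa.exe (file missing)
"""

# "O2 - <body>", "O20 - <body>", "R1 - <body>" ... (section code, then details)
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Sections where a "(file missing)" suffix means an orphaned registration.
ORPHAN_CODES = {"O2", "O20", "O23"}


@dataclass
class Finding:
    code: str
    body: str
    reasons: list = field(default_factory=list)


def executable_of(cmd):
    """Return the program part of a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: the first token is enough to tell whether a directory is given.
    return cmd.split()[0]


def triage_line(line):
    """Return a Finding if the line matches one of the heuristics, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, running-process path, or blank line
    code, body = m["code"], m["body"]
    reasons = []
    missing = body.endswith("(file missing)")
    if missing and code in ORPHAN_CODES:
        reasons.append("registered file no longer exists")
        # "Unknown owner" alone is not used: the thread's McShield entry
        # shows an installed antivirus service reporting it as well.
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary has no recorded owner")
    if code == "O20":
        # Every O20 line in this thread's log was selected for removal.
        reasons.append("DLL registered under Winlogon Notify")
    if code == "O4":
        run = RUN_RE.match(body)
        if run and not re.search(r"[\\/]", executable_of(run["cmd"])):
            reasons.append("Run command has no directory, resolved via search path")
    return Finding(code, body, reasons) if reasons else None


def triage(log_text):
    """Triage every line of a HijackThis log and return the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.body}")
        for reason in f.reasons:
            print("    -", reason)
```

A flagged line is a candidate for review, not a verdict; the entries still need to be checked by someone who knows what is installed on the machine.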

#9
donnadoula

Thank you sooooo much for helping me with my computer problems. I don't know if you can tell from what I'm posting here, but it is still having problems. I appreciate your sticking with me and helping me to get it fixed.


Here's the results of the IE/XP update. I bought my computer from a computer teacher at school. Did he sell me a bad copy of Windows? I've been keeping Windows XP updated w/the exception of Service Pack 2, which I can't get to download.


Validation Failure: Product Key Failed Validation[0x80080220]

Why did my machine fail validation?

The product key found on your computer is from a Volume License Key (VLK), which has been blocked. A VLK is typically licensed to organizations who want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is then blocked from passing through validation.


If you received a computer with a VLK, and you do not have a Volume License Agreement with Microsoft, then you may be a victim of software piracy. If this has happened to you, please see below for the steps you can take.


If you do have a Volume License Agreement with Microsoft, you believe you are using the appropriate VLK assigned to your organization, and your VLK has not been reported as stolen or lost, please contact your system administrator, Large Account Reseller (LAR), or Enterprise Software Advisor (ESA) to report the problem.

*******************************************
Here's the new Logfile of HijackThis v1.99.1
Scan saved at 1:32:50 AM, on 12/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AllOfUs\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CM BHO - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://www.principal.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126838937584
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)



Ewido Log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:55:45 AM, 12/29/2005
+ Report-Checksum: 24C32C13

+ Scan result:

HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Radio.RadioPlayer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Shorty.Gopher -> Adware.Shorty : Error during cleaning
HKLM\SOFTWARE\Classes\Shorty.Gopher.1 -> Adware.Shorty : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\toolbar.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\AllOfUs\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\AllOfUs\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\AllOfUs\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup


::Report End

Edited by donnadoula, 29 December 2005 - 01:57 AM.


#10
FZWG

Try this again using a new link. The other link does not carry the Free Trial program any longer:

Download SpySweeper 4.5 Free Trial (bottom of page):
http://www.webroot.c...weeper_latestv/

Follow the prompts and do a Typical installation
Click: Install, make sure Run SpySweeper Now is checked, and click Finish.

Update the program definitions

Then click on Options > Sweep Options
Check: Sweep all Folders on Selected drives
Check: Local Disc C
Under: What to Sweep, check every box.

Now, select: Sweep
It will take a while to scan the computer.

When the scan is done, remove whatever it finds.
Then, press the Results button
Select the Session Log tab
Select: Save to File so you can provide the results in your response.
Exit SpySweeper

Restart the computer.

Run HijackThis once again, and Scan.

Please post the SpySweeper log, as well as a new HijackThis log.
  • 0
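
Each round of this thread ends with a request for a new HijackThis log, and what matters is the difference between two scans. The following is an added example, not part of the original posts: it parses two logs and reports which entries disappeared, which appeared, and which "(file missing)" entries persist. The function names are hypothetical, and the sample inputs are short excerpts of the 12/29 and 12/30 logs posted in this thread.

```python
import re
from collections import namedtuple

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24), then " - ", then the entry body. Header lines and the
# "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")

Entry = namedtuple("Entry", ["code", "body"])


def parse_entries(log_text):
    """Return the entry lines of a HijackThis log as Entry tuples, in order."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group("code"), match.group("body")))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare
    # entries case-folded and with runs of whitespace collapsed.
    return (entry.code, " ".join(entry.body.split()).casefold())


def diff_logs(before_text, after_text):
    """Compare two HijackThis logs.

    Returns a dict with:
      removed            - entries present only in the earlier log
      added              - entries present only in the later log
      still_file_missing - entries flagged "(file missing)" in both logs
    """
    before = {_key(e): e for e in parse_entries(before_text)}
    after = {_key(e): e for e in parse_entries(after_text)}
    return {
        "removed": [e for k, e in before.items() if k not in after],
        "added": [e for k, e in after.items() if k not in before],
        "still_file_missing": [
            e for k, e in after.items()
            if k in before and "(file missing)" in k[1]
        ],
    }


# Excerpt of the 12/29/2005 log from this thread (shortened for the example).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:32:50 AM, on 12/29/2005

Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: CM BHO - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)
"""

# Excerpt of the 12/30/2005 log from this thread (shortened for the example).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:02:01 PM, on 12/30/2005

Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added", "still_file_missing"):
        print(label + ":")
        for entry in result[label]:
            print("  %s - %s" % (entry.code, entry.body))
```

On these excerpts the two Crystalys media entries show up as removed, the three Spy Sweeper entries as added, and the MMtask Engine service as a leftover that still points at a missing file.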


#11
donnadoula

I sure wish I could look at this and figure out what is wrong. Boy, I'm glad to have your help!

Logfile of HijackThis v1.99.1
Scan saved at 8:02:01 PM, on 12/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AllOfUs\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://www.principal.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126838937584
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


When I was updating SpySweeper, immediately after the install, it said there was a problem, and gave me this message.


date/time : 2005-12-30, 15:36:49, 486ms
computer name : DONNASCOMPUTER
user name : SYSTEM
operating system : Windows XP build 2600
system language : English
system up time : 28 minutes 18 seconds
program up time : 7 seconds
processor : AMD Athlon™ XP 1900+
physical memory : 293/511 MB (free/total)
free disk space : (C:) 64.06 GB
display mode : 800x600, 32 bit
process id : $b9c
allocated memory : 5.21 MB
executable : WRSSSDK.exe
exec. date/time : 2005-12-14 19:17
version : 2.0.8.483
madExcept version : 2.7g
exception class : EAccessViolation
exception message : Access violation at address 77FA3482 in module 'ntdll.dll'. Write of address 004055F2.
thread $bd0:
77fa3482 ntdll.dll
00497cc9 WRSSSDK.exe WideRegistry 432 TWideRegistry.GetDataSize
0054cda8 WRSSSDK.exe StartupEntryList 1439 TStartupEntry.Create
0054af9c WRSSSDK.exe StartupEntryList 701 TStartupEntryList.GetCurrentStartupRegEntries
0054ae46 WRSSSDK.exe StartupEntryList 664 TStartupEntryList.GetCurrentStartupList
0054b4c4 WRSSSDK.exe StartupEntryList 844 TStartupEntryList.UpdateAndPersist
0054a9c5 WRSSSDK.exe StartupEntryList 530 TStartupEntryList.InitializeList
0054a350 WRSSSDK.exe StartupEntryList 320 TStartupEntryList.Create
0054dc98 WRSSSDK.exe ShieldStartup 87 TShieldStartup.Create
00558a75 WRSSSDK.exe ShieldsInterface 166 TShieldsInterface.Create
005697c1 WRSSSDK.exe SSEngine 328 TSSEngine.Create
0058664a WRSSSDK.exe Engine 375 SetupSpyEngine
00586907 WRSSSDK.exe Engine 437 TEngine.InitializeSpyEngine
77f5c122 ntdll.dll NtSetInformationThread
77dd1ea0 ADVAPI32.dll SetThreadToken
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bcc (TServiceThread) at:
780079a5 RPCRT4.dll


**When I restarted my computer...it gave me another error message

date/time : 2005-12-30, 15:41:55, 807ms
computer name : DONNASCOMPUTER
user name : SYSTEM
operating system : Windows XP build 2600
system language : English
system up time : 33 minutes 24 seconds
program up time : 5 minutes 13 seconds
processor : AMD Athlon™ XP 1900+
physical memory : 190/511 MB (free/total)
free disk space : (C:) 64.04 GB
display mode : 800x600, 32 bit
process id : $b9c
allocated memory : 44.58 MB
executable : WRSSSDK.exe
exec. date/time : 2005-12-14 19:17
version : 2.0.8.483
madExcept version : 2.7g
exception class : EAccessViolation
exception message : Access violation at address 77FA3482 in module 'ntdll.dll'. Write of address 004055F2.
thread $d84 (TIdentifyFileThread):
77fa3482 ntdll.dll
004dbb2a WRSSSDK.exe WinStartupScanner 163 ProcessKey
004dbbe4 WRSSSDK.exe WinStartupScanner 180 TWinStartupScanner.Initialize
004dc16b WRSSSDK.exe WinStartupScanner 235 TWinStartupScanner.ScanForTraces
00507a83 WRSSSDK.exe IdentifyFileObj 1077 TIdentifyFileObj.AddFoundTrace
00505c1e WRSSSDK.exe IdentifyFileObj 262 TIdentifyFileObj.AddFoundItem
00506852 WRSSSDK.exe IdentifyFileObj 629 TIdentifyFileObj.OnDirectoryFound
004dff84 WRSSSDK.exe CustomFileEnumerator 413 TCustomFileEnumerator.DoOnDirectoryFound
004dfe29 WRSSSDK.exe CustomFileEnumerator 394 TCustomFileEnumerator.ProcessPartition
00506c27 WRSSSDK.exe IdentifyFileObj 723 TIdentifyFileObj.SweepDirectories
005071e9 WRSSSDK.exe IdentifyFileObj 834 TIdentifyFileObj.SweepSelectedLocations
005073cc WRSSSDK.exe IdentifyFileObj 889 TIdentifyFileObj.Identify
00505367 WRSSSDK.exe IdentifyFileThread 84 TIdentifyFileThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bd0 at:
004da470 WRSSSDK.exe IdentifyClasses 234 TIdentifyThread.Create
thread $4f8 (TDefFileRefreshThread):
7ffe0304 ???
77f5c3c2 ntdll.dll NtWaitForSingleObject
77e9753f kernel32.dll WaitForSingleObjectEx
77e76610 kernel32.dll WaitForSingleObject
004c1d72 WRSSSDK.exe DefFileRefreshThread 79 TDefFileRefreshThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bd0 at:
004c1c90 WRSSSDK.exe DefFileRefreshThread 47 TDefFileRefreshThread.Create
thread $be8 (TCommonAdSitesThread): <suspended>
77e76a40 kernel32.dll
>> created by thread $bd0 at:
00552d1d WRSSSDK.exe ShieldCommonAdSites 97 TShieldCommonAdSites.Create
thread $bf4:
7ffe0304 ???
77f5bf12 ntdll.dll NtReplyWaitReceivePortEx
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $be0 at:
780079a5 RPCRT4.dll
thread $aac:
7ffe0304 ???
77d558bf user32.dll GetMessageW
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bf4 at:
7721cf79 OLE32.DLL
thread $bb8 (TDirectoryWatcher):
7ffe0304 ???
77f5c3b2 ntdll.dll NtWaitForMultipleObjects
77e97792 kernel32.dll WaitForMultipleObjectsEx
77e97d60 kernel32.dll WaitForMultipleObjects
0051437e WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent
00514413 WRSSSDK.exe Watcher 164 TCustomWatcher.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bf4 at:
00514188 WRSSSDK.exe Watcher 72 TCustomWatcher.Create
thread $83c (TShieldMessengerServiceThread):
7ffe0304 ???
77f5b682 ntdll.dll NtDelayExecution
77e9784f kernel32.dll SleepEx
77e97d6e kernel32.dll Sleep
00554434 WRSSSDK.exe ShieldMessengerService 226 TShieldMessengerServiceThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $be0 at:
0055428b WRSSSDK.exe ShieldMessengerService 117 TShieldMessengerService.ActivateSystemWideShield
thread $bb0:
7ffe0304 ???
77f5bf12 ntdll.dll NtReplyWaitReceivePortEx
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $be0 at:
780079a5 RPCRT4.dll
thread $bb4 (TDirectoryWatcher):
7ffe0304 ???
77f5c3b2 ntdll.dll NtWaitForMultipleObjects
77e97792 kernel32.dll WaitForMultipleObjectsEx
77e97d60 kernel32.dll WaitForMultipleObjects
0051437e WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent
00514413 WRSSSDK.exe Watcher 164 TCustomWatcher.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bf4 at:
00514188 WRSSSDK.exe Watcher 72 TCustomWatcher.Create
thread $198 (TRegistryWatcher):
7ffe0304 ???
77f5c3b2 ntdll.dll NtWaitForMultipleObjects
77e97792 kernel32.dll WaitForMultipleObjectsEx
77e97d60 kernel32.dll WaitForMultipleObjects
0051437e WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent
00514413 WRSSSDK.exe Watcher 164 TCustomWatcher.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bf4 at:
00514188 WRSSSDK.exe Watcher 72 TCustomWatcher.Create
thread $d28 (TSweepThread):
7ffe0304 ???
77f5c3c2 ntdll.dll NtWaitForSingleObject
77e9753f kernel32.dll WaitForSingleObjectEx
77e76610 kernel32.dll WaitForSingleObject
0044c560 WRSSSDK.exe Classes TThread.WaitFor
00559748 WRSSSDK.exe SweepThread 246 SweepFiles
0055a02a WRSSSDK.exe SweepThread 422 TSweepThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bd0 at:
00559330 WRSSSDK.exe SweepThread 160 TSweepThread.Create
thread $d88 (TCallbackMgrThread):
7ffe0304 ???
77f5bf52 ntdll.dll NtRequestWaitReplyPort
78008146 RPCRT4.dll I_RpcSend
78046465 RPCRT4.dll NdrUserMarshalMarshall
0048ed6c WRSSSDK.exe ComObj DispCall
0048edaa WRSSSDK.exe ComObj DispCallByID
005878e2 WRSSSDK.exe Engine 714 TEngine.SpyFound
0055a5e9 WRSSSDK.exe SweepThread 562 TSweepThread._GenericSweepFoundEvent
00559093 WRSSSDK.exe QueuedCallbacks 55 TQueuedCallback.Invoke
0050cf2c WRSSSDK.exe CallbackMgr 217 TCallbackMgrThread.ProcessNextQueueItem
0050d048 WRSSSDK.exe CallbackMgr 263 TCallbackMgrThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $d28 (TSweepThread) at:
0050cce4 WRSSSDK.exe CallbackMgr 138 TCallbackMgrThread.Create
thread $328:
7ffe0304 ???
77f5b682 ntdll.dll NtDelayExecution
77e9784f kernel32.dll SleepEx
77e97d6e kernel32.dll Sleep
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $9f8 at:
7721cf79 OLE32.DLL
thread $b04:
7ffe0304 ???
77f5b682 ntdll.dll NtDelayExecution
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $bd0 at:
780079a5 RPCRT4.dll
thread $820 (TNTFSFileEnumerator): <priority:2>
7ffe0304 ???
77e82b0b kernel32.dll ReadFile
004c6f7c WRSSSDK.exe LogicalNTFSDisk 675 TLogicalNTFSDisk.ReadSectors
004e2732 WRSSSDK.exe NTFSFileEnumerator 668 TNTFSFileEnumerator.ProcessFiles
004e4533 WRSSSDK.exe NTFSFileEnumerator 1226 TNTFSFileEnumerator.Process
004dfb06 WRSSSDK.exe CustomFileEnumerator 307 TCustomFileEnumerator.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $d84 (TIdentifyFileThread) at:
004df284 WRSSSDK.exe CustomFileEnumerator 149 TCustomFileEnumerator.Create
modules:
00320000 RASAPI32.dll 5.1.2600.28 C:\WINDOWS\system32
00400000 WRSSSDK.exe 2.0.8.483 C:\Program Files\Webroot\Spy Sweeper
5ad60000 vdmdbg.dll 5.1.2600.153 C:\WINDOWS\system32
5ad70000 uxtheme.dll 6.0.2600.0 C:\WINDOWS\system32
5edd0000 olepro32.dll 5.0.5014.0 C:\WINDOWS\system32
63000000 wininet.dll 6.0.2737.800 C:\WINDOWS\system32
71700000 shdocvw.dll 6.0.2750.167 C:\WINDOWS\system32
71950000 comctl32.dll 6.0.2600.0 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
71aa0000 WS2HELP.dll 5.1.2600.0 C:\WINDOWS\system32
71ab0000 WS2_32.dll 5.1.2600.0 C:\WINDOWS\system32
71ad0000 wsock32.dll 5.1.2600.0 C:\WINDOWS\system32
71b20000 mpr.dll 5.1.2600.0 C:\WINDOWS\system32
71bf0000 SAMLIB.dll 5.1.2600.0 C:\WINDOWS\system32
71c10000 ntlanman.dll 5.1.2600.165 C:\WINDOWS\System32
71c20000 NETAPI32.dll 5.1.2600.122 C:\WINDOWS\system32
71c80000 NETRAP.dll 5.1.2600.0 C:\WINDOWS\System32
71c90000 NETUI1.dll 5.1.2600.0 C:\WINDOWS\System32
71cd0000 NETUI0.dll 5.1.2600.0 C:\WINDOWS\System32
75a70000 USERENV.dll 5.1.2600.0 C:\WINDOWS\system32
75e90000 SXS.DLL 5.1.2600.136 C:\WINDOWS\system32
75f40000 Apphelp.dll 5.1.2600.0 C:\WINDOWS\system32
75f60000 drprov.dll 5.1.2600.0 C:\WINDOWS\System32
75f70000 davclnt.dll 5.1.2600.0 C:\WINDOWS\System32
762a0000 MSASN1.dll 5.1.2600.137 C:\WINDOWS\system32
762c0000 CRYPT32.dll 5.131.2600.1123 C:\WINDOWS\system32
76360000 WINSTA.dll 5.1.2600.0 C:\WINDOWS\system32
763b0000 comdlg32.dll 6.0.2600.0 C:\WINDOWS\system32
76670000 SETUPAPI.dll 5.1.2600.0 C:\WINDOWS\system32
76b20000 ATL.DLL 3.0.9238.0 C:\WINDOWS\system32
76b40000 WINMM.dll 5.1.2600.0 C:\WINDOWS\system32
76bf0000 PSAPI.dll 5.1.2600.0 C:\WINDOWS\system32
76c90000 IMAGEHLP.DLL 5.1.2600.0 C:\WINDOWS\system32
76d30000 WMI.dll 5.1.2600.0 C:\WINDOWS\system32
76d40000 MPRAPI.dll 5.1.2600.0 C:\WINDOWS\system32
76d60000 iphlpapi.dll 5.1.2600.2 C:\WINDOWS\system32
76d80000 DHCPCSVC.DLL 5.1.2600.0 C:\WINDOWS\system32
76da0000 WZCSvc.DLL 5.1.2600.0 C:\WINDOWS\system32
76de0000 netman.dll 5.1.2600.0 C:\WINDOWS\system32
76e10000 adsldpc.dll 5.1.2600.0 C:\WINDOWS\system32
76e40000 ACTIVEDS.dll 5.1.2600.0 C:\WINDOWS\system32
76e80000 rtutils.dll 5.1.2600.0 C:\WINDOWS\system32
76e90000 rasman.dll 5.1.2600.0 C:\WINDOWS\system32
76eb0000 TAPI32.dll 5.1.2600.0 C:\WINDOWS\system32
76f20000 DNSAPI.dll 5.1.2600.0 C:\WINDOWS\system32
76f50000 WTSAPI32.dll 5.1.2600.0 C:\WINDOWS\system32
76f60000 WLDAP32.dll 5.1.2600.0 C:\WINDOWS\system32
76f90000 Secur32.dll 5.1.2600.0 C:\WINDOWS\system32
77050000 COMRes.dll 2001.12.4414.42 C:\WINDOWS\system32
77120000 oleaut32.dll 3.50.5014.0 C:\WINDOWS\system32
771b0000 OLE32.DLL 5.1.2600.136 C:\WINDOWS\system32
772d0000 SHLWAPI.dll 6.0.2750.167 C:\WINDOWS\system32
77340000 comctl32.dll 5.82.2600.0 C:\WINDOWS\system32
773d0000 shell32.dll 6.0.2750.166 C:\WINDOWS\system32
77c00000 version.dll 5.1.2600.0 C:\WINDOWS\system32
77c10000 MSVCRT.DLL 7.0.2600.0 C:\WINDOWS\system32
77c70000 GDI32.dll 5.1.2600.151 C:\WINDOWS\system32
77d40000 user32.dll 5.1.2600.152 C:\WINDOWS\system32
77dd0000 ADVAPI32.dll 5.1.2600.0 C:\WINDOWS\system32
77e60000 kernel32.dll 5.1.2600.153 C:\WINDOWS\system32
77f50000 ntdll.dll 5.1.2600.114 C:\WINDOWS\System32
78000000 RPCRT4.dll 5.1.2600.135 C:\WINDOWS\system32
7c620000 CLBCATQ.DLL 2001.12.4414.53 C:\WINDOWS\system32
hardware:
+ Computer
- Advanced Configuration and Power Interface (ACPI) PC
+ Disk drives
- IC35L080AVVA07-0
+ Display adapters
- SiS 300/305 (driver 6.13.10.1160)
+ DVD/CD-ROM drives
- ATAPI CD-R/RW 32X10
+ Floppy disk controllers
- Standard floppy disk controller
+ Floppy disk drives
- Floppy disk drive
+ IDE ATA/ATAPI controllers
- Primary IDE Channel
- Secondary IDE Channel
- VIA Bus Master IDE Controller
+ Keyboards
- Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
+ Mice and other pointing devices
- PS/2 Compatible Mouse
+ Modems
- Generic 56K HCF Data Fax Modem
+ Monitors
- Plug and Play Monitor
+ Network adapters
- Compaq NC3121 Fast Ethernet NIC
  • 0

#12
FZWG

    Visiting Staff

  • Member
  • 145 posts
Unfortunately, the log shows no updates whatsoever for Windows XP and Internet Explorer. Under the current circumstances, Product Key Failed Validation, the prospect does not look favorable. As you have found out, trying to install updates becomes an exercise in futility.

The best thing you can do at this point is purchasing a valid copy of Windows XP, and updating it, as well as IE. Otherwise, you will continue to experience malware problems.


SpySweeper just does not want to install.
An EAccessViolation is shown when invalid memory is accessed. Ntdll.dll is also involved.
Two likely possibilities: malware, a corrupt Windows file, or both!

Although at this point the HijackThis log looks clean, EWIDO reported some malware.

See if you can do a Panda online ActiveScan
http://www.pandasoft.../activescan.htm

On the top right go to: Free Use ActiveScan
Select: Free online virus scan

In the prompt that appears: Panda ActiveScan, select the green button: Check Now! At no cost.

Follow the prompts, provide the required info, select: Scan Now!
Allow the ActiveX download.

Select a device to scan: Local Disks

Next, select: See Report
Then select, Save Report and save to a location where you can find the report.

Please provide the ActiveScan report in your response.
  • 0

#13
donnadoula

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I ran the Panda Active Scan.

I accidentally ran the scan on "My Computer". Then I looked back at your instructions and saw that it should have been on "local drive". So I included both reports for you here.

Here's the Scan from My Computer:

Incident Status Location

Adware:adware/adlogix Not disinfected C:\WINDOWS\SYSTEM32\pacifisy.dll
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/beginto Not disinfected C:\WINDOWS\SYSTEM32\cache32_dsktptr
Adware:adware/cws Not disinfected C:\Documents and Settings\AllOfUs\Favorites\Living
Adware:adware/ncase Not disinfected C:\WINDOWS\180Solutions
Adware:adware/savenow Not disinfected Windows Registry

And from Local Drive:

Incident Status Location

Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/adlogix Not disinfected C:\WINDOWS\system32\pacifisy.dll
  • 0

#14
FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
Let’s get rid of some more malware…

Go to Start > Control Panel
In the Control Panel window, double-click Add or Remove Programs
Scroll down to, and click SaveUninst, or SaveNow
Click: Remove

Search for and remove the following folders (bold):
C:\Program Files\SaveNow
C:\Documents and Settings\AllOfUs\Favorites\Living
C:\WINDOWS\180Solutions

Next, copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Programs > Accessories > Notepad):

C:\WINDOWS\SYSTEM32\pacifisy.dll
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\SYSTEM32\cache32_dsktptr


Then, download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot

Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl+C)).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)

Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

After rebooting, run HijackThis, and post a new log.
  • 0

#15
donnadoula

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
You asked me to remove...C:\Program Files\SaveNow....my computer could not find it while I was doing a "search".

I did find and remove these two ...
C:\Documents and Settings\AllOfUs\Favorites\Living
C:\WINDOWS\180Solutions


Here's the Logfile of HijackThis v1.99.1
Scan saved at 4:09:27 PM, on 01/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\AllOfUs\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valornet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://www.principal.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126838937584
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thank you again, for your continued support!
  • 0
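
A check one could run on the follow-up log in the post above, as an added example that is not part of the original thread: it parses HijackThis entries, collects those the tool itself marked `(file missing)` or `Unknown owner`, and tests whether any removal target named earlier in the thread is still referenced. The function names and the trimmed sample log are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINDOWS\System32\mmtask.exe (file missing)
"""

# Files and folders the thread asked to remove (taken from the posts above).
TARGETS = [
    r"C:\WINDOWS\SYSTEM32\pacifisy.dll",
    r"C:\WINDOWS\cfgmgr52.ini",
    r"C:\WINDOWS\pcconfig.dat",
    r"C:\WINDOWS\SYSTEM32\cache32_dsktptr",
    r"C:\WINDOWS\180Solutions",
    r"C:\Program Files\SaveNow",
]

# Meaning of the section codes that occur in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context menu item",
    "O15": "Trusted Zone site", "O16": "downloaded ActiveX control",
    "O20": "Winlogon Notify", "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return [(code, body)] for each 'Xn - ...' line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def count_by_section(entries):
    """Number of entries per section description."""
    return Counter(SECTIONS.get(code, code) for code, _ in entries)


def review_flags(entries):
    """Collect entries carrying markers that HijackThis itself printed.
    A marker is a reason to look at the entry, not a verdict on it."""
    flagged = []
    for code, body in entries:
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("file missing")
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("Unknown owner")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def still_referenced(entries, targets):
    """Map each target to the entries that still mention it (case-insensitive).
    The log covers startup and browser hook points only, so an empty result
    means no listed entry references the target, not that it is gone from disk."""
    hits = {}
    for target in targets:
        refs = [f"{c} - {b}" for c, b in entries if target.lower() in b.lower()]
        if refs:
            hits[target] = refs
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(dict(count_by_section(parsed)))
    for code, body, reasons in review_flags(parsed):
        print(code, reasons, body)
    print("still referenced:", still_referenced(parsed, TARGETS))
```
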





