Issas, Svshost, Msras, Ntvdm, Spyware/Malware/Virus on Windows 2000

dcarsonm (Junior Member, 26 posts; Join Date: Jul 2005; Experience: Beginner)
09-Feb-2006, 11:27 AM, #1
Techguys,

I'm running Windows Professional and have a bunch of programs that just keep coming back. I've run Ewido and Ad Away, which have killed a few, but the main ones are tough. I read on one of the other posts that there is one program that regenerates its name every time you boot up, and this program regenerates the others. I also have runthis.bat, which stops the programs from running, but they regenerate so fast I lose all my computer functions. I'm using Process Explorer and Windows Task Manager to find them, but when I try to stop the process it gives me a warning that I do not have access to stop it (even though I log on as the administrator). I've also tried to manually go to the program to change its settings to give me access, but this also does not work. The malware shows a Microsoft identity but it's (not confirmed), which makes it tough to figure out which ones are good and bad. I think one of the renaming programs is spbbcsvc.exe. I'm posting an HJT log and would appreciate any and all help. What are my chances of getting rid of these problems? Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 8:14:32 AM, on 2/9/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mssearchnet.exe
C:\WINNT\System32\nvctrl.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\desk95.exe
C:\WINNT\System32\viewport.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\WINNT\iau.exe
C:\WINNT\stisvsq.exe
C:\WINNT\svshost.exe
C:\WINNT\msqdevl.exe
C:\WINNT\iau.exe
C:\WINNT\lssas.exe
C:\WINNT\mservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINNT\System32\hp7906.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Personal Firewall 2005 retail Crack] G:\LimeWire\Music\Norton Personal Firewall 2005 retail Crack.exe
O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [wmv license crack] G:\LimeWire\Music\wmv license crack.exe
O4 - HKLM\..\Run: [WinZIP v9.0 Keygen] G:\LimeWire\Music\WinZIP v9.0 Keygen.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WyvernWorks Ad Away] "C:\Program Files\WyvernWorks\Ad Away 2004\Ad Away.exe" -minimized
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O20 - Winlogon Notify: mljki - C:\WINNT\System32\mljki.dll
O21 - SSODL: WdSMkkLsTxTjGlzD - {2CB2EE41-8618-44EB-33B9-F3525FEF79F2} - C:\WINNT\System32\vt.dll (file missing)
O21 - SSODL: Adware Away v2.2.8.9_is1 - {CC4F6EFF-CDF5-461F-480B-31CBD7C6B35F} - c:\program files\adware away\wcudpy32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
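The log above is a textbook case of masquerading: svshost.exe and lssas.exe are one letter away from svchost.exe and lsass.exe, they run from C:\WINNT rather than System32, each is registered under both the HKLM and HKCU Run keys with a Microsoft-sounding label, the HTTP proxy points at 127.0.0.1, and a Winlogon Notify DLL (mljki.dll) is loaded that Windows does not ship. The following script is an added example, not a tool from this forum or from the HijackThis project: it reads the HijackThis 1.99 line formats shown above and applies those checks mechanically. Every threshold and list in it (the core-binary set, the Winlogon Notify allow-list, the crack/keygen path markers, the edit-distance cut-off of 2) is an assumption of the example, and the sample log embedded at the bottom is an excerpt constructed from the log in this post.

```python
"""Added example, not the forum's tool: flag HijackThis 1.99 log entries that
masquerade as Windows components.  Every heuristic is an assumption of this
example: look-alike names (edit distance <= 2 from a core binary), core names or
look-alikes running outside System32, Run targets under crack/keygen/P2P paths,
Winlogon Notify packages outside an assumed allow-list, a proxy at 127.0.0.1,
and one target registered in both the HKLM and HKCU Run keys."""
import re

CORE_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                 "winlogon.exe", "services.exe", "spoolsv.exe"}   # all belong in System32
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}   # assumed Win2000/XP set
UNTRUSTED_HINTS = ("crack", "keygen", "limewire", "kazaa")        # assumed path markers
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (.*)$")


def levenshtein(a, b):
    """Plain edit distance; names are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_exe(target):
    """Executable part of a Run value: the quoted path, or text up to the first .exe."""
    m = EXE_RE.match(target.strip())
    return (m.group(1) or m.group(2)).strip() if m else target.strip()


def lookalike_of(name):
    """Core binary that `name` imitates, or None; an exact match is not a look-alike."""
    if name in CORE_BINARIES:
        return None
    best = min(sorted(CORE_BINARIES), key=lambda core: levenshtein(name, core))
    return best if levenshtein(name, best) <= 2 else None


def triage(log_text):
    """Return sorted (kind, detail) findings for one HijackThis log."""
    findings, lines = [], log_text.splitlines()
    procs, in_procs = {}, False          # basename -> full paths under "Running processes"
    for line in lines:
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line.strip():
            in_procs = False
        elif in_procs:
            procs.setdefault(basename(line), set()).add(line.strip())
    for name, paths in procs.items():
        core = lookalike_of(name)
        if core:
            findings.append(("lookalike", f"{name} ~ {core}"))
        for path in paths:
            folder = path.lower().rsplit("\\", 1)[0]
            if (name in CORE_BINARIES or core) and not folder.endswith("system32"):
                findings.append(("wrong-dir", path))
    hives_by_target = {}                 # basename -> hives whose Run key launches it
    for line in lines:
        if m := O4_RE.match(line):
            hive, _key, label, target = m.groups()
            exe = target_exe(target)
            name = basename(exe)
            hives_by_target.setdefault(name, set()).add(hive)
            if core := lookalike_of(name):
                findings.append(("lookalike", f"{name} ~ {core}"))
            if any(hint in exe.lower() for hint in UNTRUSTED_HINTS):
                findings.append(("untrusted-source", f"[{label}] {exe}"))
        elif m := O20_RE.match(line):
            if m.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(("unknown-winlogon-notify", m.group(2).strip()))
        elif m := R1_RE.match(line):
            if re.search(r"127\.0\.0\.1|localhost", m.group(1)):
                findings.append(("local-proxy", m.group(1).strip()))
    for name, hives in hives_by_target.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("dual-hive-persistence", name))
    return sorted(set(findings))


# Constructed sample: an excerpt of the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\iau.exe
C:\WINNT\svshost.exe
C:\WINNT\lssas.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinZIP v9.0 Keygen] G:\LimeWire\Music\WinZIP v9.0 Keygen.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O20 - Winlogon Notify: mljki - C:\WINNT\System32\mljki.dll
"""
```

The edit-distance check is deliberately loose (it would also catch mservice.exe next to services.exe, which in this log happens to be right), so the findings are a prioritised worklist for a human, not a verdict. The "wrong-dir" rule is the stronger signal: the genuine lsass.exe in System32 is never flagged, while the copies in C:\WINNT are.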
MFDnNC (Distinguished Member, 49,029 posts; Join Date: Sep 2004)
09-Feb-2006, 11:38 AM, #2
* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self-extracting file.
  • Double-click smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and Disk Cleanup to finish.

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK, then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan here.

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HijackThis log along with the results from ActiveScan, and

go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/prod...rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions; click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep, please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner and copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new HijackThis log.
dcarsonm (Junior Member, 26 posts; Join Date: Jul 2005; Experience: Beginner)
10-Feb-2006, 10:52 AM, #3
Quote:
Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

Thank you, but before I begin, I've had trouble with one part of the instructions (when I had help from another tech). Under Control Panel and Display I do not have a "Desktop" tab. There are: Background, Screen Saver, Appearance, Web, Effects and Settings, and I was unable to find any which had the "Customize Desktop" button. Am I looking in the wrong place, or am I just not looking deep enough? I'm assuming every step is vital to my computer's health and want to make sure I get this one right. Thank you again.
MFDnNC (Distinguished Member, 49,029 posts; Join Date: Sep 2004)
10-Feb-2006, 11:11 AM, #4
Oh, I see you are running W2K, not XP. Go ahead with the rest and we'll see what's next.
dcarsonm (Junior Member, 26 posts; Join Date: Jul 2005; Experience: Beginner)
28-Feb-2006, 12:23 AM, #5
Thank you for your advice. I followed your instructions but was unable to get smitRem to complete its cycle, because there were so many pop-ups my computer's CPU maxed out (with that strange alarm noise). So I downloaded SpySweeper and did that first. Then I could operate, ran smitRem in safe mode, and restarted, but IE would not work. I tried reinstalling it, but that also did not work; the error message said it could not find shdocvw.dll. Luckily I had already installed Firefox, but it was not compatible with the Panda ActiveScan, so I ran another online scan, but it didn't seem to help at all.
Then I ran SpySweeper again and got this report:

********
9:45 PM: | Start of Session, Thursday, February 23, 2006 |
9:45 PM: Spy Sweeper started
9:45 PM: Sweep initiated using definitions version 620
9:45 PM: Sweep Canceled
9:45 PM: Traces Found: 0
********
8:50 PM: | Start of Session, Thursday, February 23, 2006 |
8:50 PM: Spy Sweeper started
8:50 PM: Sweep initiated using definitions version 620
8:50 PM: Starting Memory Sweep
8:52 PM: Memory Sweep Complete, Elapsed Time: 00:02:07
8:52 PM: Starting Registry Sweep
8:52 PM: Registry Sweep Complete, Elapsed Time:00:00:16
8:52 PM: Starting Cookie Sweep
8:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:52 PM: Starting File Sweep
9:16 PM: Warning: Invalid Stream
9:17 PM: File Sweep Complete, Elapsed Time: 00:24:13
9:17 PM: Full Sweep has completed. Elapsed time 00:26:48
9:17 PM: Traces Found: 0
9:45 PM: | End of Session, Thursday, February 23, 2006 |
********
8:33 PM: | Start of Session, Thursday, February 16, 2006 |
8:33 PM: Spy Sweeper started
8:33 PM: Sweep initiated using definitions version 613
8:33 PM: Starting Memory Sweep
8:35 PM: Memory Sweep Complete, Elapsed Time: 00:02:02
8:35 PM: Starting Registry Sweep
8:35 PM: Found Adware: cws_easy-search.biz hijacker
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
8:35 PM: Found Trojan Horse: trojan-downloader-linkschain
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || vmcleaner (ID = 712882)
8:35 PM: Found Adware: worldantispy
8:35 PM: HKLM\software\worldantispy.com\ (221 subtraces) (ID = 714255)
8:35 PM: Found Adware: virtumonde
8:35 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
8:35 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
8:35 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
8:35 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
8:35 PM: HKCR\applications\worldantispy.exe\ (3 subtraces) (ID = 795501)
8:35 PM: HKLM\software\classes\applications\worldantispy.exe\ (3 subtraces) (ID = 795503)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
8:35 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
8:35 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
8:35 PM: Registry Sweep Complete, Elapsed Time:00:00:18
8:35 PM: Starting Cookie Sweep
8:35 PM: Found Spy Cookie: 66.246.209 cookie
8:35 PM: administrator@66.246.209[1].txt (ID = 1997)
8:35 PM: Found Spy Cookie: adecn cookie
8:35 PM: administrator@adecn[2].txt (ID = 2063)
8:35 PM: Found Spy Cookie: advertising cookie
8:35 PM: administrator@advertising[1].txt (ID = 2175)
8:35 PM: Found Spy Cookie: alt cookie
8:35 PM: administrator@alt[1].txt (ID = 2217)
8:35 PM: Found Spy Cookie: atlas dmt cookie
8:35 PM: administrator@atdmt[2].txt (ID = 2253)
8:35 PM: Found Spy Cookie: belnk cookie
8:35 PM: administrator@ath.belnk[2].txt (ID = 2293)
8:35 PM: Found Spy Cookie: banner cookie
8:35 PM: administrator@banner[1].txt (ID = 2276)
8:35 PM: administrator@belnk[1].txt (ID = 2292)
8:35 PM: Found Spy Cookie: enhance cookie
8:35 PM: administrator@c.enhance[1].txt (ID = 2614)
8:35 PM: Found Spy Cookie: goclick cookie
8:35 PM: administrator@c.goclick[2].txt (ID = 2733)
8:35 PM: Found Spy Cookie: ccbill cookie
8:35 PM: administrator@ccbill[1].txt (ID = 2369)
8:35 PM: Found Spy Cookie: hitslink cookie
8:35 PM: administrator@counter2.hitslink[2].txt (ID = 2790)
8:35 PM: administrator@dist.belnk[2].txt (ID = 2293)
8:35 PM: Found Spy Cookie: exitexchange cookie
8:35 PM: administrator@exitexchange[2].txt (ID = 2633)
8:35 PM: Found Spy Cookie: go.com cookie
8:35 PM: administrator@go[2].txt (ID = 2728)
8:35 PM: Found Spy Cookie: questionmarket cookie
8:35 PM: administrator@questionmarket[1].txt (ID = 3217)
8:35 PM: Found Spy Cookie: statcounter cookie
8:35 PM: administrator@statcounter[1].txt (ID = 3447)
8:35 PM: Found Spy Cookie: reliablestats cookie
8:35 PM: administrator@stats1.reliablestats[1].txt (ID = 3254)
8:35 PM: Found Spy Cookie: tacoda cookie
8:35 PM: administrator@tacoda[1].txt (ID = 6444)
8:35 PM: Found Spy Cookie: redzip cookie
8:35 PM: administrator@www.redzip[1].txt (ID = 3250)
8:35 PM: Found Spy Cookie: xren_cj cookie
8:35 PM: administrator@xren_cj[1].txt (ID = 3723)
8:35 PM: administrator@xren_cj[2].txt (ID = 3723)
8:35 PM: safe@banner[1].txt (ID = 2276)
8:35 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:35 PM: Starting File Sweep
8:35 PM: c:\documents and settings\administrator\application data\skinux\worldantispy (1 subtraces) (ID = -2147473526)
8:35 PM: Found Adware: cws_tiny0
8:35 PM: netpw32.dll (ID = 205)
8:35 PM: apivt32.dll (ID = 205)
8:35 PM: netdb32.dll (ID = 205)
8:35 PM: addcl.dll (ID = 205)
8:35 PM: addkc32.dll (ID = 205)
8:35 PM: appev.dll (ID = 205)
8:35 PM: d3yw.dll (ID = 205)
8:35 PM: atlsi.dll (ID = 205)
8:36 PM: Found Trojan Horse: trojan-downloader-adaware.cc
8:36 PM: on.exe (ID = 130320)
8:39 PM: on.exe (ID = 130320)
8:40 PM: on.exe (ID = 130320)
8:44 PM: winamp.ini:zufsks (ID = 200)
8:45 PM: sdkig.dll (ID = 205)
8:45 PM: iprg32.dll (ID = 205)
8:45 PM: ipxd32.dll (ID = 205)
8:45 PM: appqg32.dll (ID = 205)
8:45 PM: ieyz32.dll (ID = 205)
8:45 PM: apigw32.dll (ID = 205)
8:45 PM: apivb32.dll (ID = 205)
8:45 PM: adduw.dll (ID = 205)
8:45 PM: sdkoi.dll (ID = 205)
8:45 PM: apigm.dll (ID = 205)
8:45 PM: d3si32.dll (ID = 205)
8:45 PM: apizy32.dll (ID = 205)
8:45 PM: javadk.dll (ID = 205)
8:45 PM: crjg32.dll (ID = 205)
8:45 PM: javaxd32.dll (ID = 205)
8:45 PM: d3tm32.dll (ID = 205)
8:46 PM: on.exe (ID = 130320)
8:46 PM: mfclf.dll (ID = 205)
8:46 PM: javaak32.dll (ID = 205)
8:46 PM: craa.dll (ID = 205)
8:46 PM: ntft32.dll (ID = 205)
8:46 PM: javakx.dll (ID = 205)
8:46 PM: sdklx32.dll (ID = 205)
8:46 PM: sdkzu32.dll (ID = 205)
8:46 PM: iejl.dll (ID = 205)
8:46 PM: ieov32.dll (ID = 205)
8:46 PM: sysca32.dll (ID = 205)
8:46 PM: ieqx.dll (ID = 205)
8:46 PM: crjd32.dll (ID = 205)
8:46 PM: ntnx32.dll (ID = 205)
8:46 PM: sdkqk32.dll (ID = 205)
8:46 PM: iplf.dll (ID = 205)
8:46 PM: javawg32.dll (ID = 205)
8:46 PM: d3xj.dll (ID = 205)
8:46 PM: javamg.dll (ID = 205)
8:46 PM: iefh32.dll (ID = 205)
8:46 PM: msln32.dll (ID = 205)
8:46 PM: ielw.dll (ID = 205)
8:46 PM: d3uw.dll (ID = 205)
8:46 PM: mspn32.dll (ID = 205)
8:46 PM: iptj32.dll (ID = 205)
8:46 PM: apiue.dll (ID = 205)
8:46 PM: msbj32.dll (ID = 205)
8:46 PM: mfcge32.dll (ID = 205)
8:46 PM: netoi.dll (ID = 205)
8:46 PM: addny32.dll (ID = 205)
8:46 PM: addib.dll (ID = 205)
8:47 PM: apitc32.dll (ID = 205)
8:47 PM: sysmv32.dll (ID = 205)
8:47 PM: winml32.dll (ID = 205)
8:47 PM: apiwe32.dll (ID = 205)
8:47 PM: addao32.exe (ID = 204)
8:47 PM: on.exe (ID = 130320)
8:47 PM: javazq.dll (ID = 205)
8:47 PM: syspn32.dll (ID = 205)
8:47 PM: addwq32.dll (ID = 205)
8:47 PM: syseo32.dll (ID = 205)
8:47 PM: on.exe (ID = 130320)
8:47 PM: mfctz.dll (ID = 205)
8:47 PM: Found Adware: coolwebsearch (cws)
8:47 PM: credit counseling.url (ID = 130668)
8:47 PM: insurance home.url (ID = 130676)
8:47 PM: mortgage life insurance.url (ID = 130681)
8:47 PM: help desk software.url (ID = 130675)
8:47 PM: ab scissor.url (ID = 130666)
8:47 PM: videos.url (ID = 130694)
8:47 PM: what is hydrocodone.url (ID = 130695)
8:47 PM: online gambling casino.url (ID = 130684)
8:47 PM: refinancing my mortgage.url (ID = 130691)
8:47 PM: debt credit card.url (ID = 130671)
8:47 PM: fha.url (ID = 130673)
8:47 PM: loan for debt consolidation.url (ID = 130677)
8:47 PM: health insurance.url (ID = 130674)
8:47 PM: personal loans online.url (ID = 130688)
8:47 PM: payroll advance.url (ID = 130687)
8:47 PM: marketing email.url (ID = 130679)
8:48 PM: prescription drugs rx online.url (ID = 130690)
8:48 PM: credit report.url (ID = 130669)
8:48 PM: tahoe vacation rental.url (ID = 130692)
8:48 PM: escorts.url (ID = 130672)
8:48 PM: order phentermine.url (ID = 130686)
8:48 PM: mortgage insurance.url (ID = 130680)
8:48 PM: personal loans with bad credit.url (ID = 130689)
8:48 PM: crm software.url (ID = 130670)
8:48 PM: nevada corporations.url (ID = 130682)
8:48 PM: unsecured bad credit loans.url (ID = 130693)
8:48 PM: loan for people with bad credit.url (ID = 130678)
8:48 PM: broadband comparison.url (ID = 130667)
8:48 PM: online betting site.url (ID = 130683)
8:48 PM: online instant loan.url (ID = 130685)
8:56 PM: File Sweep Complete, Elapsed Time: 00:20:46
8:56 PM: Full Sweep has completed. Elapsed time 00:23:18
8:56 PM: Traces Found: 395
9:00 PM: Removal process initiated
9:00 PM: Quarantining All Traces: virtumonde
9:00 PM: Quarantining All Traces: coolwebsearch (cws)
9:00 PM: Quarantining All Traces: cws_tiny0
9:00 PM: Quarantining All Traces: trojan-downloader-adaware.cc
9:00 PM: Quarantining All Traces: trojan-downloader-linkschain
9:00 PM: Quarantining All Traces: cws_easy-search.biz hijacker
9:00 PM: Quarantining All Traces: worldantispy
9:00 PM: Quarantining All Traces: 66.246.209 cookie
9:00 PM: Quarantining All Traces: adecn cookie
9:00 PM: Quarantining All Traces: advertising cookie
9:00 PM: Quarantining All Traces: alt cookie
9:00 PM: Quarantining All Traces: atlas dmt cookie
9:00 PM: Quarantining All Traces: banner cookie
9:00 PM: Quarantining All Traces: belnk cookie
9:00 PM: Quarantining All Traces: ccbill cookie
9:00 PM: Quarantining All Traces: enhance cookie
9:00 PM: Quarantining All Traces: exitexchange cookie
9:00 PM: Quarantining All Traces: go.com cookie
9:00 PM: Quarantining All Traces: goclick cookie
9:00 PM: Quarantining All Traces: hitslink cookie
9:00 PM: Quarantining All Traces: questionmarket cookie
9:00 PM: Quarantining All Traces: redzip cookie
9:00 PM: Quarantining All Traces: reliablestats cookie
9:01 PM: Quarantining All Traces: statcounter cookie
9:01 PM: Quarantining All Traces: tacoda cookie
9:01 PM: Quarantining All Traces: xren_cj cookie
9:05 PM: Removal process completed. Elapsed time 00:04:58
9:46 AM: Processing Startup Alerts
9:46 AM: Allowed Startup entry: wextract_cleanup0
9:46 AM: Allowed Startup entry: BrandClearStubs
9:46 AM: Allowed Startup entry: Regsister WScript
9:56 AM: Processing Startup Alerts
9:56 AM: Allowed Startup entry: wextract_cleanup0
9:15 PM: Your spyware definitions have been updated.
9:15 PM: Your spyware definitions have been updated.
8:49 PM: Updating spyware definitions
8:49 PM: Your spyware definitions have been updated.
8:50 PM: | End of Session, Thursday, February 23, 2006 |
********
7:07 PM: | Start of Session, Thursday, February 16, 2006 |
7:07 PM: Spy Sweeper started
7:07 PM: Sweep initiated using definitions version 613
7:07 PM: Found Adware: virtumonde
7:07 PM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\inprocserver32\ (2 subtraces) (ID = 1142184)
7:07 PM: mljki.dll (ID = 1142184)
7:07 PM: Starting Memory Sweep
7:08 PM: Detected running threat: C:\WINNT\system32\mljki.dll (ID = 77)
7:10 PM: Memory Sweep Complete, Elapsed Time: 00:02:20
7:10 PM: Starting Registry Sweep
7:10 PM: Found Adware: cws_easy-search.biz hijacker
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
7:10 PM: Found Trojan Horse: trojan-downloader-linkschain
7:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || vmcleaner (ID = 712882)
7:10 PM: Found Adware: worldantispy
7:10 PM: HKLM\software\worldantispy.com\ (221 subtraces) (ID = 714255)
7:10 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
7:10 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
7:10 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
7:10 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
7:10 PM: HKCR\applications\worldantispy.exe\ (3 subtraces) (ID = 795501)
7:10 PM: HKLM\software\classes\applications\worldantispy.exe\ (3 subtraces) (ID = 795503)
7:10 PM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954591)
7:10 PM: HKLM\software\classes\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954593)
7:10 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (ID = 954595)
7:10 PM: Found Adware: popuper
7:10 PM: HKCR\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026307)
7:10 PM: HKLM\software\classes\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026331)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
7:10 PM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
7:10 PM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
7:10 PM: Registry Sweep Complete, Elapsed Time:00:00:19
7:10 PM: Starting Cookie Sweep
7:10 PM: Found Spy Cookie: 66.246.209 cookie
7:10 PM: administrator@66.246.209[1].txt (ID = 1997)
7:10 PM: Found Spy Cookie: adecn cookie
7:10 PM: administrator@adecn[2].txt (ID = 2063)
7:10 PM: Found Spy Cookie: advertising cookie
7:10 PM: administrator@advertising[1].txt (ID = 2175)
7:10 PM: Found Spy Cookie: alt cookie
7:10 PM: administrator@alt[1].txt (ID = 2217)
7:10 PM: Found Spy Cookie: atlas dmt cookie
7:10 PM: administrator@atdmt[2].txt (ID = 2253)
7:10 PM: Found Spy Cookie: belnk cookie
7:10 PM: administrator@ath.belnk[2].txt (ID = 2293)
7:10 PM: Found Spy Cookie: banner cookie
7:10 PM: administrator@banner[1].txt (ID = 2276)
7:10 PM: administrator@belnk[1].txt (ID = 2292)
7:10 PM: Found Spy Cookie: enhance cookie
7:10 PM: administrator@c.enhance[1].txt (ID = 2614)
7:10 PM: Found Spy Cookie: goclick cookie
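Two things stand out in the session log above: it is written newest session first, so the clean Feb 23 sweeps appear before the Feb 16 sweeps that actually found 395 traces, and almost everything under cws_tiny0 is a freshly generated name (netpw32.dll, apivt32.dll, javadk.dll, d3yw.dll, ...) built as a Windows-looking prefix plus two random letters and an optional "32". The script below is an added example, not Webroot's code: it condenses a Spy Sweeper session log into per-session counts and picks out that generated-name family. Its assumptions are that a session starts at a "Start of Session" line, that a trace belongs to the threat whose "Found" line last preceded the first appearance of its (ID = n) (Spy Sweeper keys traces by ID, and the log interleaves them), and that the name-generator pattern is inferred from the names in this log rather than documented anywhere. A genuine DLL such as winmm.dll also fits the pattern, so the count is a signal for a responder, not a verdict. The embedded sample log is an excerpt constructed from the sessions posted above.

```python
"""Added example, not Webroot's code: condense a Spy Sweeper session log into
per-session counts and pick out the generated-DLL family logged under cws_tiny0.
Assumptions of this example: sessions begin at "Start of Session"; a trace line
belongs to the threat whose "Found" line last preceded the first appearance of
its (ID = n); and the generator shape below was inferred from the names in this
log (a real DLL such as winmm.dll also fits it, so treat the count as a signal,
not a verdict)."""
import re

SESSION_START = re.compile(r"^\d{1,2}:\d{2} [AP]M: \| Start of Session, (.+) \|$")
DEFS_RE = re.compile(r"Sweep initiated using definitions version (\d+)")
FOUND_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: Found (Adware|Trojan Horse|Spy Cookie): (.+)$")
TRACE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.+?) \(ID = (-?\d+)\)$")
TOTAL_RE = re.compile(r"Traces Found: (\d+)")
# Assumed generator: a prefix imitating a real DLL family, two random letters, optional "32".
GENERATED_DLL = re.compile(
    r"^(?:net|api|add|app|d3|atl|sdk|ip|ie|java|cr|mfc|nt|sys|win|ms)[a-z]{2}(?:32)?\.dll$")


def parse_sessions(log_text):
    """Return one dict per session: date, defs version, total, and threats -> traces."""
    sessions, cur, threat, owner_by_id = [], None, None, {}
    for line in log_text.splitlines():
        if m := SESSION_START.match(line):
            cur = {"date": m.group(1), "defs": None, "total": 0, "threats": {}}
            sessions.append(cur)
            threat, owner_by_id = None, {}
        elif cur is None:
            continue
        elif m := DEFS_RE.search(line):
            cur["defs"] = int(m.group(1))
        elif m := FOUND_RE.match(line):
            threat = (m.group(1), m.group(2))
            cur["threats"].setdefault(threat, [])
        elif m := TOTAL_RE.search(line):
            cur["total"] = int(m.group(1))
        elif (m := TRACE_RE.match(line)) and threat:
            # Spy Sweeper keys traces by ID, not by position, so remember the first owner.
            owner = owner_by_id.setdefault(m.group(2), threat)
            cur["threats"].setdefault(owner, []).append(m.group(1))
    return sessions


def generated_dll_names(session):
    """Distinct trace basenames in one session that fit the assumed generator pattern."""
    names = set()
    for traces in session["threats"].values():
        for trace in traces:
            base = trace.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if GENERATED_DLL.match(base):
                names.add(base)
    return sorted(names)


def summarize(log_text):
    """Per-session counts by detection kind plus the size of the generated-name family."""
    out = []
    for s in parse_sessions(log_text):
        by_kind = {}
        for (kind, _name), traces in s["threats"].items():
            by_kind[kind] = by_kind.get(kind, 0) + len(traces)
        out.append({"date": s["date"], "defs": s["defs"], "total": s["total"],
                    "by_kind": by_kind, "generated_dlls": len(generated_dll_names(s))})
    return out


# Constructed sample: an excerpt of the session log posted above (newest session first).
SAMPLE_LOG = r"""********
8:50 PM: | Start of Session, Thursday, February 23, 2006 |
8:50 PM: Sweep initiated using definitions version 620
9:17 PM: Traces Found: 0
9:45 PM: | End of Session, Thursday, February 23, 2006 |
********
8:33 PM: | Start of Session, Thursday, February 16, 2006 |
8:33 PM: Sweep initiated using definitions version 613
8:35 PM: Found Adware: cws_easy-search.biz hijacker
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
8:35 PM: Found Trojan Horse: trojan-downloader-linkschain
8:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || vmcleaner (ID = 712882)
8:35 PM: Found Spy Cookie: atlas dmt cookie
8:35 PM: administrator@atdmt[2].txt (ID = 2253)
8:35 PM: Found Adware: cws_tiny0
8:35 PM: netpw32.dll (ID = 205)
8:35 PM: apivt32.dll (ID = 205)
8:35 PM: addcl.dll (ID = 205)
8:35 PM: d3yw.dll (ID = 205)
8:36 PM: Found Trojan Horse: trojan-downloader-adaware.cc
8:36 PM: on.exe (ID = 130320)
8:39 PM: on.exe (ID = 130320)
8:45 PM: sdkig.dll (ID = 205)
8:56 PM: Traces Found: 395
9:00 PM: Quarantining All Traces: cws_tiny0
"""
```

Note that sdkig.dll in the sample is logged after the adaware.cc "Found" line, exactly as in the real log, and still lands under cws_tiny0 because ID 205 was first seen there; attribution by position alone would have misfiled it.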
dcarsonm (Junior Member, 26 posts; Join Date: Jul 2005; Experience: Beginner)
28-Feb-2006, 12:24 AM, #6
7:10 PM: administrator@c.goclick[2].txt (ID = 2733)
7:10 PM: Found Spy Cookie: ccbill cookie
7:10 PM: administrator@ccbill[1].txt (ID = 2369)
7:10 PM: Found Spy Cookie: hitslink cookie
7:10 PM: administrator@counter2.hitslink[2].txt (ID = 2790)
7:10 PM: administrator@dist.belnk[2].txt (ID = 2293)
7:10 PM: Found Spy Cookie: exitexchange cookie
7:10 PM: administrator@exitexchange[2].txt (ID = 2633)
7:10 PM: Found Spy Cookie: go.com cookie
7:10 PM: administrator@go[2].txt (ID = 2728)
7:10 PM: Found Spy Cookie: questionmarket cookie
7:10 PM: administrator@questionmarket[1].txt (ID = 3217)
7:10 PM: Found Spy Cookie: statcounter cookie
7:10 PM: administrator@statcounter[1].txt (ID = 3447)
7:10 PM: Found Spy Cookie: reliablestats cookie
7:10 PM: administrator@stats1.reliablestats[1].txt (ID = 3254)
7:10 PM: Found Spy Cookie: tacoda cookie
7:10 PM: administrator@tacoda[1].txt (ID = 6444)
7:10 PM: Found Spy Cookie: redzip cookie
7:10 PM: administrator@www.redzip[1].txt (ID = 3250)
7:10 PM: Found Spy Cookie: xren_cj cookie
7:10 PM: administrator@xren_cj[1].txt (ID = 3723)
7:10 PM: administrator@xren_cj[2].txt (ID = 3723)
7:10 PM: safe@banner[1].txt (ID = 2276)
7:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:10 PM: Starting File Sweep
7:10 PM: c:\documents and settings\administrator\application data\skinux\worldantispy (1 subtraces) (ID = -2147473526)
7:10 PM: Found Adware: cws_tiny0
7:10 PM: netpw32.dll (ID = 205)
7:10 PM: apivt32.dll (ID = 205)
7:10 PM: netdb32.dll (ID = 205)
7:10 PM: addcl.dll (ID = 205)
7:10 PM: addkc32.dll (ID = 205)
7:10 PM: appev.dll (ID = 205)
7:10 PM: d3yw.dll (ID = 205)
7:10 PM: atlsi.dll (ID = 205)
7:11 PM: Found Trojan Horse: trojan-downloader-adaware.cc
7:11 PM: on.exe (ID = 130320)
7:14 PM: on.exe (ID = 130320)
7:15 PM: on.exe (ID = 130320)
7:19 PM: winamp.ini:zufsks (ID = 200)
7:20 PM: sdkig.dll (ID = 205)
7:20 PM: iprg32.dll (ID = 205)
7:20 PM: ipxd32.dll (ID = 205)
7:20 PM: appqg32.dll (ID = 205)
7:20 PM: ieyz32.dll (ID = 205)
7:20 PM: apigw32.dll (ID = 205)
7:20 PM: apivb32.dll (ID = 205)
7:20 PM: adduw.dll (ID = 205)
7:20 PM: sdkoi.dll (ID = 205)
7:20 PM: apigm.dll (ID = 205)
7:20 PM: d3si32.dll (ID = 205)
7:20 PM: apizy32.dll (ID = 205)
7:20 PM: javadk.dll (ID = 205)
7:20 PM: crjg32.dll (ID = 205)
7:20 PM: javaxd32.dll (ID = 205)
7:21 PM: d3tm32.dll (ID = 205)
7:21 PM: on.exe (ID = 130320)
7:21 PM: mfclf.dll (ID = 205)
7:21 PM: javaak32.dll (ID = 205)
7:21 PM: craa.dll (ID = 205)
7:21 PM: ntft32.dll (ID = 205)
7:21 PM: javakx.dll (ID = 205)
7:21 PM: sdklx32.dll (ID = 205)
7:21 PM: sdkzu32.dll (ID = 205)
7:21 PM: iejl.dll (ID = 205)
7:21 PM: ieov32.dll (ID = 205)
7:21 PM: sysca32.dll (ID = 205)
7:21 PM: ieqx.dll (ID = 205)
7:21 PM: crjd32.dll (ID = 205)
7:21 PM: ntnx32.dll (ID = 205)
7:21 PM: sdkqk32.dll (ID = 205)
7:21 PM: iplf.dll (ID = 205)
7:21 PM: javawg32.dll (ID = 205)
7:21 PM: d3xj.dll (ID = 205)
7:21 PM: javamg.dll (ID = 205)
7:21 PM: iefh32.dll (ID = 205)
7:21 PM: msln32.dll (ID = 205)
7:21 PM: ielw.dll (ID = 205)
7:21 PM: d3uw.dll (ID = 205)
7:21 PM: mspn32.dll (ID = 205)
7:21 PM: iptj32.dll (ID = 205)
7:21 PM: apiue.dll (ID = 205)
7:21 PM: msbj32.dll (ID = 205)
7:21 PM: mfcge32.dll (ID = 205)
7:21 PM: netoi.dll (ID = 205)
7:21 PM: addny32.dll (ID = 205)
7:22 PM: addib.dll (ID = 205)
7:22 PM: apitc32.dll (ID = 205)
7:22 PM: sysmv32.dll (ID = 205)
7:22 PM: winml32.dll (ID = 205)
7:22 PM: apiwe32.dll (ID = 205)
7:22 PM: addao32.exe (ID = 204)
7:22 PM: on.exe (ID = 130320)
7:22 PM: javazq.dll (ID = 205)
7:22 PM: syspn32.dll (ID = 205)
7:22 PM: addwq32.dll (ID = 205)
7:23 PM: syseo32.dll (ID = 205)
7:23 PM: on.exe (ID = 130320)
7:23 PM: mfctz.dll (ID = 205)
7:23 PM: Found Adware: coolwebsearch (cws)
7:23 PM: credit counseling.url (ID = 130668)
7:23 PM: insurance home.url (ID = 130676)
7:23 PM: mortgage life insurance.url (ID = 130681)
7:23 PM: help desk software.url (ID = 130675)
7:23 PM: ab scissor.url (ID = 130666)
7:23 PM: videos.url (ID = 130694)
7:23 PM: what is hydrocodone.url (ID = 130695)
7:23 PM: online gambling casino.url (ID = 130684)
7:23 PM: refinancing my mortgage.url (ID = 130691)
7:23 PM: debt credit card.url (ID = 130671)
7:23 PM: fha.url (ID = 130673)
7:23 PM: loan for debt consolidation.url (ID = 130677)
7:23 PM: health insurance.url (ID = 130674)
7:23 PM: personal loans online.url (ID = 130688)
7:23 PM: payroll advance.url (ID = 130687)
7:23 PM: marketing email.url (ID = 130679)
7:23 PM: prescription drugs rx online.url (ID = 130690)
7:23 PM: credit report.url (ID = 130669)
7:23 PM: tahoe vacation rental.url (ID = 130692)
7:23 PM: escorts.url (ID = 130672)
7:23 PM: order phentermine.url (ID = 130686)
7:23 PM: mortgage insurance.url (ID = 130680)
7:23 PM: personal loans with bad credit.url (ID = 130689)
7:23 PM: crm software.url (ID = 130670)
7:23 PM: nevada corporations.url (ID = 130682)
7:23 PM: unsecured bad credit loans.url (ID = 130693)
7:23 PM: loan for people with bad credit.url (ID = 130678)
7:23 PM: broadband comparison.url (ID = 130667)
7:23 PM: online betting site.url (ID = 130683)
7:23 PM: online instant loan.url (ID = 130685)
7:31 PM: File Sweep Complete, Elapsed Time: 00:21:15
7:31 PM: Full Sweep has completed. Elapsed time 00:24:00
7:31 PM: Traces Found: 437
7:35 PM: Removal process initiated
7:36 PM: Quarantining All Traces: popuper
7:36 PM: Quarantining All Traces: virtumonde
********
12:24 AM: | Start of Session, Tuesday, February 14, 2006 |
12:24 AM: Spy Sweeper started
12:24 AM: Sweep initiated using definitions version 613
12:24 AM: Found Adware: virtumonde
12:24 AM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\inprocserver32\ (2 subtraces) (ID = 1142184)
12:24 AM: mljki.dll (ID = 1142184)
12:24 AM: Starting Memory Sweep
12:24 AM: Detected running threat: C:\WINNT\system32\mljki.dll (ID = 77)
12:26 AM: Memory Sweep Complete, Elapsed Time: 00:02:17
12:26 AM: Starting Registry Sweep
12:26 AM: Found Adware: cws_easy-search.biz hijacker
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
12:26 AM: Found Trojan Horse: trojan-downloader-linkschain
12:26 AM: HKLM\software\microsoft\windows\currentversion\run\ || vmcleaner (ID = 712882)
12:26 AM: Found Adware: worldantispy
12:26 AM: HKLM\software\worldantispy.com\ (221 subtraces) (ID = 714255)
12:26 AM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
12:26 AM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
12:26 AM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
12:26 AM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
12:26 AM: HKCR\applications\worldantispy.exe\ (3 subtraces) (ID = 795501)
12:26 AM: HKLM\software\classes\applications\worldantispy.exe\ (3 subtraces) (ID = 795503)
12:26 AM: HKCR\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954591)
12:26 AM: HKLM\software\classes\clsid\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (12 subtraces) (ID = 954593)
12:26 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{6dd0bc06-4719-4ba3-bebc-fbae6a448152}\ (ID = 954595)
12:26 AM: Found Adware: popuper
12:26 AM: HKCR\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026307)
12:26 AM: HKLM\software\classes\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026331)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
12:26 AM: HKU\S-1-5-21-1229272821-1935655697-1060284298-500\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117147)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117148)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117149)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117150)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117151)
12:26 AM: HKU\WRSS_Profile_S-1-5-21-1229272821-1935655697-1060284298-1000\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117152)
12:26 AM: Registry Sweep Complete, Elapsed Time:00:00:19
12:26 AM: Starting Cookie Sweep
12:26 AM: Found Spy Cookie: 66.246.209 cookie
12:26 AM: administrator@66.246.209[1].txt (ID = 1997)
12:26 AM: Found Spy Cookie: adecn cookie
12:26 AM: administrator@adecn[2].txt (ID = 2063)
12:26 AM: Found Spy Cookie: advertising cookie
12:26 AM: administrator@advertising[1].txt (ID = 2175)
12:26 AM: Found Spy Cookie: alt cookie
12:26 AM: administrator@alt[1].txt (ID = 2217)
12:26 AM: Found Spy Cookie: atlas dmt cookie
12:26 AM: administrator@atdmt[2].txt (ID = 2253)
12:26 AM: Found Spy Cookie: belnk cookie
12:26 AM: administrator@ath.belnk[2].txt (ID = 2293)
12:26 AM: Found Spy Cookie: banner cookie
12:26 AM: administrator@banner[1].txt (ID = 2276)
12:26 AM: administrator@belnk[1].txt (ID = 2292)
12:26 AM: Found Spy Cookie: enhance cookie
12:26 AM: administrator@c.enhance[1].txt (ID = 2614)
12:26 AM: Found Spy Cookie: goclick cookie
12:26 AM: administrator@c.goclick[2].txt (ID = 2733)
12:26 AM: Found Spy Cookie: ccbill cookie
12:26 AM: administrator@ccbill[1].txt (ID = 2369)
12:26 AM: Found Spy Cookie: hitslink cookie
12:26 AM: administrator@counter2.hitslink[2].txt (ID = 2790)
12:26 AM: administrator@dist.belnk[2].txt (ID = 2293)
12:26 AM: Found Spy Cookie: exitexchange cookie
12:26 AM: administrator@exitexchange[2].txt (ID = 2633)
12:26 AM: Found Spy Cookie: go.com cookie
12:26 AM: administrator@go[2].txt (ID = 2728)
12:26 AM: Found Spy Cookie: questionmarket cookie
12:26 AM: administrator@questionmarket[1].txt (ID = 3217)
12:26 AM: Found Spy Cookie: statcounter cookie
12:26 AM: administrator@statcounter[1].txt (ID = 3447)
12:26 AM: Found Spy Cookie: reliablestats cookie
12:26 AM: administrator@stats1.reliablestats[1].txt (ID = 3254)
12:26 AM: Found Spy Cookie: tacoda cookie
12:26 AM: administrator@tacoda[1].txt (ID = 6444)
12:26 AM: Found Spy Cookie: redzip cookie
12:26 AM: administrator@www.redzip[1].txt (ID = 3250)
12:26 AM: Found Spy Cookie: xren_cj cookie
12:26 AM: administrator@xren_cj[1].txt (ID = 3723)
12:26 AM: administrator@xren_cj[2].txt (ID = 3723)
12:26 AM: safe@banner[1].txt (ID = 2276)
12:26 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:27 AM: Starting File Sweep
12:27 AM: c:\documents and settings\administrator\application data\skinux\worldantispy (1 subtraces) (ID = -2147473526)
12:27 AM: Found Adware: cws_tiny0
12:27 AM: netpw32.dll (ID = 205)
12:27 AM: apivt32.dll (ID = 205)
12:27 AM: netdb32.dll (ID = 205)
12:27 AM: addcl.dll (ID = 205)
12:27 AM: addkc32.dll (ID = 205)
12:27 AM: appev.dll (ID = 205)
12:27 AM: d3yw.dll (ID = 205)
12:27 AM: atlsi.dll (ID = 205)
12:28 AM: Found Trojan Horse: trojan-downloader-adaware.cc
12:28 AM: on.exe (ID = 130320)
12:31 AM: on.exe (ID = 130320)
12:32 AM: on.exe (ID = 130320)
12:35 AM: winamp.ini:zufsks (ID = 200)
12:36 AM: sdkig.dll (ID = 205)
12:36 AM: iprg32.dll (ID = 205)
12:36 AM: ipxd32.dll (ID = 205)
12:36 AM: appqg32.dll (ID = 205)
12:37 AM: ieyz32.dll (ID = 205)
12:37 AM: apigw32.dll (ID = 205)
12:37 AM: apivb32.dll (ID = 205)
12:37 AM: adduw.dll (ID = 205)
12:37 AM: sdkoi.dll (ID = 205)
12:37 AM: apigm.dll (ID = 205)
12:37 AM: d3si32.dll (ID = 205)
12:37 AM: apizy32.dll (ID = 205)
12:37 AM: javadk.dll (ID = 205)
12:37 AM: crjg32.dll (ID = 205)
12:37 AM: javaxd32.dll (ID = 205)
12:37 AM: d3tm32.dll (ID = 205)
12:37 AM: on.exe (ID = 130320)
12:37 AM: mfclf.dll (ID = 205)
12:37 AM: javaak32.dll (ID = 205)
12:37 AM: craa.dll (ID = 205)
12:37 AM: ntft32.dll (ID = 205)
12:37 AM: javakx.dll (ID = 205)
12:37 AM: sdklx32.dll (ID = 205)
12:37 AM: sdkzu32.dll (ID = 205)
12:37 AM: iejl.dll (ID = 205)
12:37 AM: ieov32.dll (ID = 205)
12:37 AM: sysca32.dll (ID = 205)
12:37 AM: ieqx.dll (ID = 205)
12:37 AM: crjd32.dll (ID = 205)
12:37 AM: ntnx32.dll (ID = 205)
12:37 AM: sdkqk32.dll (ID = 205)
12:38 AM: iplf.dll (ID = 205)
12:38 AM: javawg32.dll (ID = 205)
12:38 AM: d3xj.dll (ID = 205)
12:38 AM: javamg.dll (ID = 205)
12:38 AM: iefh32.dll (ID = 205)
12:38 AM: msln32.dll (ID = 205)
12:38 AM: ielw.dll (ID = 205)
12:38 AM: d3uw.dll (ID = 205)
12:38 AM: mspn32.dll (ID = 205)
12:38 AM: iptj32.dll (ID = 205)
12:38 AM: apiue.dll (ID = 205)
12:38 AM: msbj32.dll (ID = 205)
12:38 AM: mfcge32.dll (ID = 205)
12:38 AM: netoi.dll (ID = 205)
12:38 AM: addny32.dll (ID = 205)
12:38 AM: addib.dll (ID = 205)
12:38 AM: apitc32.dll (ID = 205)
12:38 AM: sysmv32.dll (ID = 205)
12:38 AM: winml32.dll (ID = 205)
12:38 AM: apiwe32.dll (ID = 205)
12:38 AM: addao32.exe (ID = 204)
12:38 AM: on.exe (ID = 130320)
12:39 AM: javazq.dll (ID = 205)
12:39 AM: syspn32.dll (ID = 205)
12:39 AM: addwq32.dll (ID = 205)
12:39 AM: syseo32.dll (ID = 205)
12:39 AM: on.exe (ID = 130320)
12:39 AM: mfctz.dll (ID = 205)
12:39 AM: Found Adware: coolwebsearch (cws)
12:39 AM: credit counseling.url (ID = 130668)
12:39 AM: insurance home.url (ID = 130676)
12:39 AM: mortgage life insurance.url (ID = 130681)
12:39 AM: help desk software.url (ID = 130675)
12:39 AM: ab scissor.url (ID = 130666)
12:39 AM: videos.url (ID = 130694)
12:39 AM: what is hydrocodone.url (ID = 130695)
12:39 AM: online gambling casino.url (ID = 130684)
12:39 AM: refinancing my mortgage.url (ID = 130691)
12:39 AM: debt credit card.url (ID = 130671)
12:39 AM: fha.url (ID = 130673)
12:39 AM: loan for debt consolidation.url (ID = 130677)
12:39 AM: health insurance.url (ID = 130674)
12:39 AM: personal loans online.url (ID = 130688)
12:39 AM: payroll advance.url (ID = 130687)
12:39 AM: marketing email.url (ID = 130679)
12:39 AM: prescription drugs rx online.url (ID = 130690)
12:39 AM: credit report.url (ID = 130669)
12:39 AM: tahoe vacation rental.url (ID = 130692)
12:39 AM: escorts.url (ID = 130672)
12:39 AM: order phentermine.url (ID = 130686)
12:39 AM: mortgage insurance.url (ID = 130680)
12:39 AM: personal loans with bad credit.url (ID = 130689)
12:39 AM: crm software.url (ID = 130670)
12:39 AM: nevada corporations.url (ID = 130682)
12:39 AM: unsecured bad credit loans.url (ID = 130693)
12:39 AM: loan for people with bad credit.url (ID = 130678)
12:39 AM: broadband comparison.url (ID = 130667)
12:39 AM: online betting site.url (ID = 130683)
12:39 AM: online instant loan.url (ID = 130685)
12:46 AM: Warning: Cannot create file "C:\WINNT\temp\14SST7.0 + WinZip Self-Extractor + Serial [FULL](By Black Knight)\WinZip Self-Extractor\". The system cannot find the path specified
12:46 AM: Warning: Cannot create file "C:\WINNT\temp\16SST8.0 + WinZip Self-Extractor + Serial [FULL](By Black Knight)\". The filename, directory name, or volume label syntax is incorrect
12:49 AM: File Sweep Complete, Elapsed Time: 00:22:13
12:49 AM: Full Sweep has completed. Elapsed time 00:24:56
12:49 AM: Traces Found: 437
********
9:49 PM: | Start of Session, Monday, February 13, 2006 |
9:49 PM: Spy Sweeper started
9:49 PM: Program Version 4.5.9 (Build 709) Using Spyware Definitions 556
11:35 PM: Messenger service has been disabled.
12:22 AM: Your spyware definitions have been updated.
12:24 AM: | End of Session, Tuesday, February 14, 2006

As it stands now I can run everything normally except IE (which I would like to use if possible) and I don't have the incessant pop-ups so my cpu is not filling up. I'm still a little worried because I know there are more processes running (which I see in windows task manager): smss, csrss, isass, realsched, spoolsv, and spbbcsvc (which I think might be the program causing the other name changing regenerators). Can I do more? The other major issue is that I can't completely shut down my computer. When I try, the computer automatically restarts. If I need to turn it off I just flip the switch at the point right before it goes into restart. If you can help me more I would really appreciate it. By the way my spy sweeper trial ended. Thank you. I'll post an hjt log in another reply.
dcarsonm's Avatar
Junior Member with 26 posts.
 
Join Date: Jul 2005
Experience: Beginner
28-Feb-2006, 12:25 AM #7
Logfile of HijackThis v1.99.1
Scan saved at 7:36:37 AM, on 2/24/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\desk95.exe
C:\WINNT\System32\viewport.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\drwtsn32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Personal Firewall 2005 retail Crack] G:\LimeWire\Music\Norton Personal Firewall 2005 retail Crack.exe
O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [wmv license crack] G:\LimeWire\Music\wmv license crack.exe
O4 - HKLM\..\Run: [WinZIP v9.0 Keygen] G:\LimeWire\Music\WinZIP v9.0 Keygen.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WyvernWorks Ad Away] "C:\Program Files\WyvernWorks\Ad Away 2004\Ad Away.exe" -minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WdSMkkLsTxTjGlzD - {2CB2EE41-8618-44EB-33B9-F3525FEF79F2} - C:\WINNT\System32\vt.dll (file missing)
O21 - SSODL: Adware Away v2.2.8.9_is1 - {CC4F6EFF-CDF5-461F-480B-31CBD7C6B35F} - c:\program files\adware away\wcudpy32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
 
Join Date: Sep 2004
28-Feb-2006, 12:47 PM #8
Add remove programs – remove Limewire – the likely source of your infections

Fix these with HJT – mark them, close IE, click fix checked

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Norton Personal Firewall 2005 retail Crack] G:\LimeWire\Music\Norton Personal Firewall 2005 retail Crack.exe

O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe

O4 - HKLM\..\Run: [wmv license crack] G:\LimeWire\Music\wmv license crack.exe

O4 - HKLM\..\Run: [WinZIP v9.0 Keygen] G:\LimeWire\Music\WinZIP v9.0 Keygen.exe

O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

O21 - SSODL: WdSMkkLsTxTjGlzD - {2CB2EE41-8618-44EB-33B9-F3525FEF79F2} - C:\WINNT\System32\vt.dll (file missing)

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\cmon.exe
G:\LimeWire
C:\Program Files\winupdates
C:\WINNT\System32\sndcfg16.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
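A small triage script for the HijackThis lines the helper marks above, as an added example that is not part of the thread and not HijackThis code. The rules are assumptions drawn from the reasons visible in the fix list (LimeWire as the likely source, cracks and keygens, an executable in the root of C:, the WinUpdate/winupdates names, the WinProfile entry under both Run and RunServices, the SSODL line with the random name, the proxy on 127.0.0.1); the sample log is constructed from lines in the shape of the thread's log and mixes entries the helper marked with entries he left alone.

```python
"""Triage of HijackThis R1/O4/O21 lines, in the spirit of the helper's reply.

Added example; not part of the thread and not HijackThis code. The rules are
assumptions that encode the reasons visible in the fix list: an autostart
image under a peer-to-peer download folder, cracks and keygens, an executable
in the root of the C: drive, a name imitating Windows Update, the RunServices
key, one image registered under several keys, a random-looking SSODL name,
and a proxy pointing at 127.0.0.1.
"""
import re
from collections import Counter

# Constructed sample in the shape of the thread's log (not the whole log):
# a mix of entries the helper marked and entries he left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Norton Personal Firewall 2005 retail Crack] G:\LimeWire\Music\Norton Personal Firewall 2005 retail Crack.exe
O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O21 - SSODL: WdSMkkLsTxTjGlzD - {2CB2EE41-8618-44EB-33B9-F3525FEF79F2} - C:\WINNT\System32\vt.dll (file missing)
O21 - SSODL: Adware Away v2.2.8.9_is1 - {CC4F6EFF-CDF5-461F-480B-31CBD7C6B35F} - c:\program files\adware away\wcudpy32.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")

P2P_DIRS = ("limewire", "kazaa", "emule", "bearshare")  # well-known file-sharing clients of the period
CRACK_WORDS = ("crack", "keygen", "serial")


def image_path(cmd: str) -> str:
    """Executable named by a Run value: the quoted path, else the text up to .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def looks_random(name: str) -> bool:
    """Vowel-free letter runs such as WdSMkkLsTxTjGlzD read as generated names."""
    return len(name) >= 8 and name.isalpha() and not re.search(r"[aeiou]", name, re.IGNORECASE)


def o4_reasons(name: str, key: str, path: str, registrations: int) -> list:
    """Reasons to mark one O4 entry; an empty list means leave it alone."""
    n, p = name.lower(), path.lower()
    reasons = []
    if any(d in p.split("\\") for d in P2P_DIRS):
        reasons.append("autostart image lives in a peer-to-peer download folder")
    if any(w in n or w in p for w in CRACK_WORDS):
        reasons.append("crack/keygen registered as an autostart item")
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        reasons.append("executable dropped in the root of a drive")
    if "winupdate" in n and not re.search(r"\\win(nt|dows)\\", p):
        reasons.append("name imitates Windows Update but the image is outside the Windows directory")
    if key.lower() == "runservices":
        reasons.append("RunServices: a Windows 9x-era key that Windows 2000 software has no normal reason to use")
    if registrations > 1:
        reasons.append(f"same image registered under {registrations} autostart entries")
    return reasons


def triage(log_text: str) -> list:
    """Return [(line, reasons)] for each entry a helper would mark for fixing."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    parsed = [(ln, O4_RE.match(ln)) for ln in lines]
    # Count how many autostart keys point at the same image (WinProfile appears twice).
    images = Counter(image_path(m.group("cmd")).lower() for _, m in parsed if m)
    findings = []
    for ln, m in parsed:
        reasons = []
        if m:
            path = image_path(m.group("cmd"))
            reasons = o4_reasons(m.group("name"), m.group("key"), path, images[path.lower()])
        elif (m21 := O21_RE.match(ln)) and looks_random(m21.group("name")):
            reasons = ["random-looking SSODL name"
                       + (" (image currently missing, so the entry is inert until the DLL reappears)"
                          if m21.group("missing") else "")]
        elif (r1 := R1_RE.match(ln)) and re.search(r"127\.0\.0\.1|localhost", r1.group("proxy")):
            reasons = ["proxy points at the local machine: IE honours this key and fails to load pages, "
                       "while a browser with its own proxy settings keeps working"]
        if reasons:
            findings.append((ln, reasons))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for w in why:
            print("   ->", w)
```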
dcarsonm's Avatar
Junior Member with 26 posts.
 
Join Date: Jul 2005
Experience: Beginner
01-Mar-2006, 01:34 AM #9
Thank you. I followed all of your instructions. You were right about the killbox saying the files do not exist:
C:\cmon.exe
G:\LimeWire
C:\WINNT\System32\sndcfg16.exe
but it did delete
C:\Program Files\winupdates

The task manager still shows all the processes but I'm not getting any pop-ups. IE still does not work (it opens to "this page cannot be displayed") which I would like to fix but firefox is doing ok.

Here is the hjt report:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:03 PM, on 2/28/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\desk95.exe
C:\WINNT\System32\viewport.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WyvernWorks Ad Away] "C:\Program Files\WyvernWorks\Ad Away 2004\Ad Away.exe" -minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Adware Away v2.2.8.9_is1 - {CC4F6EFF-CDF5-461F-480B-31CBD7C6B35F} - c:\program files\adware away\wcudpy32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you again.
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
 
Join Date: Sep 2004
01-Mar-2006, 11:43 AM #10
Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\winupdates
C:\WINNT\System32\sndcfg16.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
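The two O4 lines flagged above are typical of what a helper has to turn into Killbox paths by hand: one is a full command line with arguments, the other is a bare filename under RunServices that Windows resolves against the system directory. The following is an added example, not code from the thread or from HijackThis, that parses O4 lines in the format the logs use, splits each into executable and arguments, resolves bare filenames against an assumed Windows 2000 system directory (`C:\WINNT\System32`, matching the paths in this log), and lists which entries were launched by bare filename so an analyst can review those first. The sample lines are copied from the thread; the selection, the `SYSTEM_DIR` assumption and all function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of O4 lines (plus one unrelated O23 line) in the
# HijackThis v1.99.1 format seen in this thread. Paths are copied from the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
"""

# Assumption: the machine's system directory. The log's own paths are under
# C:\WINNT, so bare filenames in Run/RunServices values are resolved against it.
SYSTEM_DIR = r"C:\WINNT\System32"


@dataclass
class StartupEntry:
    location: str     # e.g. "HKLM\..\Run" or "Global Startup"
    name: str         # registry value name or shortcut name
    command: str      # raw command exactly as logged
    executable: str   # executable path extracted (and resolved) from the command
    arguments: str    # remaining command-line arguments, "" if none
    bare: bool        # True if the log gave only a filename with no directory


# "O4 - HKLM\..\Run: [name] command"
_REG_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# "O4 - Global Startup: shortcut.lnk = target"
_STARTUP_RE = re.compile(r'^O4 - Global Startup: (.+?) = (.*)$')
# Optional quotes, a path ending in a common executable extension, optional args.
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif))"?(?:\s+(.*))?$', re.IGNORECASE)


def split_command(command: str) -> Tuple[str, str, bool]:
    """Split a logged command into (executable, arguments, was_bare_filename)."""
    m = _EXE_RE.match(command.strip())
    if not m:
        # Not a recognisable executable reference; keep the whole string.
        return command.strip(), "", False
    exe, args = m.group(1), m.group(2) or ""
    bare = "\\" not in exe
    if bare:
        # No directory given: Windows looks the file up in the system directory.
        exe = SYSTEM_DIR + "\\" + exe
    return exe, args, bare


def parse_o4(log: str) -> List[StartupEntry]:
    """Parse every O4 line in a HijackThis log into a StartupEntry; other lines are ignored."""
    entries: List[StartupEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _REG_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe, args, bare = split_command(cmd)
            entries.append(StartupEntry(f"{hive}\\..\\{key}", name, cmd, exe, args, bare))
            continue
        m = _STARTUP_RE.match(line)
        if m:
            name, cmd = m.groups()
            exe, args, bare = split_command(cmd)
            entries.append(StartupEntry("Global Startup", name, cmd, exe, args, bare))
    return entries


def bare_filename_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries that were launched by bare filename; worth reviewing first, since
    the file's real location is not visible in the log line."""
    return [e for e in entries if e.bare]


def killbox_paths(entries: List[StartupEntry], names_to_fix: List[str]) -> List[str]:
    """Given the value names an analyst chose to fix, return the full file paths
    to paste into a file-deletion tool such as Killbox."""
    wanted = {n.lower() for n in names_to_fix}
    return [e.executable for e in entries if e.name.lower() in wanted]


if __name__ == "__main__":
    parsed = parse_o4(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.location:18} [{e.name}] -> {e.executable}  args={e.arguments!r}  bare={e.bare}")
    print("Paths for the two flagged entries:", killbox_paths(parsed, ["winupdates", "WinProfile"]))
```

Note that the helper above chose to delete the whole `C:\Program Files\winupdates` folder rather than just the executable; the script returns the executable path, which is the minimum that has to go, and leaves the folder decision to the analyst.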
dcarsonm's Avatar
Junior Member with 26 posts.
 
Join Date: Jul 2005
Experience: Beginner
20-Mar-2006, 10:39 PM #11
Thank you for your help. I used killbox and as you said it said both files did not exist. Here is a new hjt log.
Logfile of HijackThis v1.99.1
Scan saved at 7:36:30 PM, on 3/20/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\desk95.exe
C:\WINNT\System32\viewport.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [WyvernWorks Ad Away] "C:\Program Files\WyvernWorks\Ad Away 2004\Ad Away.exe" -minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Adware Away v2.2.8.9_is1 - {CC4F6EFF-CDF5-461F-480B-31CBD7C6B35F} - c:\program files\adware away\wcudpy32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Documents and Settings\Administrator\Desktop\Spy_Sweeper\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again.
MFDnNC's Avatar
Distinguished Member with 49,029 posts.
 
Join Date: Sep 2004
21-Mar-2006, 02:50 PM #12
Now how are things?
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
Powered by Cermak Technologies, Inc.