Computer is Infected

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
My computer keeps flashing messages in the tool bar that the computer is infected and system alerts about popups. The warnings keep directing me to sites that want me to purchase software to correct the problems. HELP! I've run the virus scans that I have on the computer but it doesn't seem to help. Can't get rid of these messages in the tool bar!!!
 
Joined
May 16, 2003
Messages
4,092
For starters click on that little red triangle top right of your post and request this thread be moved to security.

Then do this:

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
Logfile of HijackThis v1.99.1
Scan saved at 7:52:38 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm2v.exe

O2 - BHO: RandomName - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp1DC4.tmp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108761334609
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD7AF76-EA18-4DF3-8705-548C3755DF1A}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
first

Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

then
Download smitRem.exe (or from HERE) and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

then

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:

    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Post the contents of smitfiles.txt, a new HJT log and the SpySweeper report.
Let us know if any problems persist.
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
********
9:59 PM: | Start of Session, Wednesday, January 11, 2006 |
9:59 PM: Spy Sweeper started
9:59 PM: Sweep initiated using definitions version 599
9:59 PM: Starting Memory Sweep
10:01 PM: Memory Sweep Complete, Elapsed Time: 00:02:01
10:01 PM: Starting Registry Sweep
10:02 PM: Found Adware: antivirus gold
10:02 PM: HKCR\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103594)
10:02 PM: HKLM\software\classes\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103633)
10:13 PM: Found Trojan Horse: manwithnoname_spamrelayer
10:13 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (5 subtraces) (ID = 1021403)
10:13 PM: Found Trojan Horse: trojan-downloader-hochladen
10:13 PM: HKLM\system\currentcontrolset\services\i386p\ (11 subtraces) (ID = 1021419)
10:13 PM: Registry Sweep Complete, Elapsed Time:00:12:19
10:13 PM: Starting Cookie Sweep
10:13 PM: Found Spy Cookie: about cookie
10:13 PM: [email protected][2].txt (ID = 2037)
10:13 PM: Found Spy Cookie: yieldmanager cookie
10:13 PM: [email protected][1].txt (ID = 3751)
10:13 PM: Found Spy Cookie: specificclick.com cookie
10:13 PM: [email protected][1].txt (ID = 3400)
10:13 PM: Found Spy Cookie: askmen cookie
10:13 PM: [email protected][2].txt (ID = 2247)
10:13 PM: Found Spy Cookie: ask cookie
10:13 PM: [email protected][1].txt (ID = 2245)
10:13 PM: Found Spy Cookie: belnk cookie
10:13 PM: [email protected][1].txt (ID = 2293)
10:13 PM: Found Spy Cookie: atwola cookie
10:13 PM: [email protected][1].txt (ID = 2255)
10:13 PM: [email protected][2].txt (ID = 2038)
10:13 PM: Found Spy Cookie: banner cookie
10:13 PM: [email protected][1].txt (ID = 2276)
10:13 PM: [email protected][2].txt (ID = 2038)
10:13 PM: [email protected][2].txt (ID = 2292)
10:13 PM: Found Spy Cookie: burstnet cookie
10:13 PM: [email protected][2].txt (ID = 2336)
10:13 PM: Found Spy Cookie: clickzs cookie
10:13 PM: [email protected][2].txt (ID = 2413)
10:13 PM: [email protected][2].txt (ID = 2413)
10:13 PM: [email protected][2].txt (ID = 2293)
10:13 PM: [email protected][1].txt (ID = 2038)
10:13 PM: Found Spy Cookie: nextag cookie
10:13 PM: [email protected][2].txt (ID = 5014)
10:13 PM: Found Spy Cookie: rightmedia cookie
10:13 PM: [email protected][2].txt (ID = 3259)
10:13 PM: Found Spy Cookie: adjuggler cookie
10:13 PM: [email protected][1].txt (ID = 2071)
10:13 PM: Found Spy Cookie: directtrack cookie
10:13 PM: [email protected][2].txt (ID = 2528)
10:13 PM: Found Spy Cookie: burstbeacon cookie
10:13 PM: [email protected][2].txt (ID = 2335)
10:13 PM: Found Spy Cookie: websponsors cookie
10:13 PM: [email protected][2].txt (ID = 3665)
10:13 PM: [email protected][2].txt (ID = 3751)
10:13 PM: Found Spy Cookie: precisead cookie
10:13 PM: [email protected][1].txt (ID = 3182)
10:13 PM: [email protected][1].txt (ID = 2245)
10:13 PM: [email protected][1].txt (ID = 2255)
10:13 PM: [email protected][1].txt (ID = 2292)
10:13 PM: [email protected][2].txt (ID = 2336)
10:13 PM: [email protected][2].txt (ID = 2293)
10:13 PM: Found Spy Cookie: ru4 cookie
10:13 PM: [email protected][1].txt (ID = 3269)
10:13 PM: [email protected][1].txt (ID = 3259)
10:13 PM: [email protected][1].txt (ID = 2335)
10:14 PM: Found Spy Cookie: 64.62.232 cookie
10:14 PM: [email protected][1].txt (ID = 1987)
10:14 PM: [email protected][3].txt (ID = 1987)
10:14 PM: [email protected][4].txt (ID = 1987)
10:14 PM: [email protected][5].txt (ID = 1987)
10:14 PM: Found Spy Cookie: 888 cookie
10:14 PM: [email protected][2].txt (ID = 2019)
10:14 PM: [email protected][2].txt (ID = 3665)
10:14 PM: Found Spy Cookie: go.com cookie
10:14 PM: [email protected][1].txt (ID = 2729)
10:14 PM: [email protected][1].txt (ID = 2037)
10:14 PM: [email protected][1].txt (ID = 3751)
10:14 PM: Found Spy Cookie: adknowledge cookie
10:14 PM: [email protected][1].txt (ID = 2072)
10:14 PM: Found Spy Cookie: adlegend cookie
10:14 PM: [email protected][1].txt (ID = 2074)
10:14 PM: Found Spy Cookie: hbmediapro cookie
10:14 PM: [email protected][1].txt (ID = 2768)
10:14 PM: [email protected][2].txt (ID = 3400)
10:14 PM: Found Spy Cookie: adrevservice cookie
10:14 PM: [email protected][1].txt (ID = 2091)
10:14 PM: Found Spy Cookie: cc214142 cookie
10:14 PM: [email protected][1].txt (ID = 2367)
10:14 PM: Found Spy Cookie: euniverseads cookie
10:14 PM: [email protected][2].txt (ID = 2630)
10:14 PM: Found Spy Cookie: adultrevenueservice cookie
10:14 PM: [email protected][1].txt (ID = 2167)
10:14 PM: [email protected][1].txt (ID = 2247)
10:14 PM: [email protected][1].txt (ID = 2245)
10:14 PM: [email protected][2].txt (ID = 2293)
10:14 PM: [email protected][2].txt (ID = 2255)
10:14 PM: Found Spy Cookie: a cookie
10:14 PM: [email protected][1].txt (ID = 2027)
10:14 PM: Found Spy Cookie: bannerspace cookie
10:14 PM: [email protected][2].txt (ID = 2284)
10:14 PM: [email protected][2].txt (ID = 2276)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: [email protected][2].txt (ID = 2292)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: Found Spy Cookie: bizrate cookie
10:14 PM: [email protected][2].txt (ID = 2308)
10:14 PM: [email protected][2].txt (ID = 2336)
10:14 PM: Found Spy Cookie: barelylegal cookie
10:14 PM: [email protected][1].txt (ID = 2286)
10:14 PM: Found Spy Cookie: ccbill cookie
10:14 PM: [email protected][1].txt (ID = 2369)
10:14 PM: Found Spy Cookie: tickle cookie
10:14 PM: [email protected][1].txt (ID = 3530)
10:14 PM: Found Spy Cookie: 360i cookie
10:14 PM: [email protected][1].txt (ID = 1962)
10:14 PM: [email protected][2].txt (ID = 2413)
10:14 PM: [email protected][2].txt (ID = 2413)
10:14 PM: [email protected][2].txt (ID = 2413)
10:14 PM: [email protected][2].txt (ID = 2413)
10:14 PM: [email protected][2].txt (ID = 2413)
10:14 PM: Found Spy Cookie: dealtime cookie
10:14 PM: [email protected][1].txt (ID = 2505)
10:14 PM: Found Spy Cookie: exitexchange cookie
10:14 PM: [email protected][1].txt (ID = 2633)
10:14 PM: Found Spy Cookie: experclick cookie
10:14 PM: [email protected][1].txt (ID = 2639)
10:14 PM: Found Spy Cookie: wegcash cookie
10:14 PM: [email protected][2].txt (ID = 3682)
10:14 PM: [email protected][2].txt (ID = 2038)
10:14 PM: Found Spy Cookie: gamespy cookie
10:14 PM: [email protected][1].txt (ID = 2719)
10:14 PM: [email protected][2].txt (ID = 2038)
10:14 PM: [email protected][2].txt (ID = 2728)
10:14 PM: Found Spy Cookie: starware.com cookie
10:14 PM: [email protected][1].txt (ID = 3442)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: Found Spy Cookie: clickandtrack cookie
10:14 PM: [email protected][2].txt (ID = 2397)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: Found Spy Cookie: ic-live cookie
10:14 PM: [email protected][1].txt (ID = 2821)
10:14 PM: Found Spy Cookie: kmpads cookie
10:14 PM: [email protected][1].txt (ID = 2909)
10:14 PM: Found Spy Cookie: linkexchange cookie
10:14 PM: [email protected][1].txt (ID = 2920)
10:14 PM: Found Spy Cookie: 2o7.net cookie
10:14 PM: [email protected][1].txt (ID = 1958)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: [email protected][1].txt (ID = 5014)
10:14 PM: Found Spy Cookie: offeroptimizer cookie
10:14 PM: [email protected][1].txt (ID = 3087)
10:14 PM: Found Spy Cookie: paypopup cookie
10:14 PM: m[email protected][2].txt (ID = 3119)
10:14 PM: Found Spy Cookie: megago cookie
10:14 PM: [email protected][1].txt (ID = 2983)
10:14 PM: Found Spy Cookie: pridebucks cookie
10:14 PM: [email protected][2].txt (ID = 3187)
10:14 PM: [email protected][2].txt (ID = 2038)
10:14 PM: [email protected][2].txt (ID = 3682)
10:14 PM: Found Spy Cookie: rednova cookie
10:14 PM: [email protected][1].txt (ID = 3245)
10:14 PM: Found Spy Cookie: reunion cookie
10:14 PM: [email protected][2].txt (ID = 3255)
10:14 PM: [email protected][1].txt (ID = 3259)
10:14 PM: [email protected][2].txt (ID = 2071)
10:14 PM: Found Spy Cookie: servlet cookie
10:14 PM: [email protected][1].txt (ID = 3345)
10:14 PM: [email protected][2].txt (ID = 3345)
10:14 PM: [email protected][1].txt (ID = 2528)
10:14 PM: [email protected][1].txt (ID = 2506)
10:14 PM: Found Spy Cookie: reliablestats cookie
10:14 PM: [email protected][1].txt (ID = 3254)
10:14 PM: Found Spy Cookie: stlyrics cookie
10:14 PM: [email protected][1].txt (ID = 3461)
10:14 PM: Found Spy Cookie: toplist cookie
10:14 PM: [email protected][2].txt (ID = 3557)
10:14 PM: Found Spy Cookie: tracking cookie
10:14 PM: [email protected][1].txt (ID = 3571)
10:14 PM: [email protected][1].txt (ID = 2038)
10:14 PM: Found Spy Cookie: videodome cookie
10:14 PM: [email protected][1].txt (ID = 3638)
10:14 PM: Found Spy Cookie: gotnailed cookie
10:14 PM: [email protected][1].txt (ID = 2750)
10:14 PM: Found Spy Cookie: hermoment.com cookie
10:14 PM: [email protected][2].txt (ID = 2774)
10:14 PM: Found Spy Cookie: hitboss.com cookie
10:14 PM: [email protected][1].txt (ID = 2782)
10:14 PM: [email protected][1].txt (ID = 3442)
10:14 PM: Found Spy Cookie: xxx69 cookie
10:14 PM: [email protected][1].txt (ID = 3732)
10:14 PM: Found Spy Cookie: xiti cookie
10:14 PM: [email protected][1].txt (ID = 3717)
10:14 PM: Found Spy Cookie: yadro cookie
10:14 PM: [email protected][1].txt (ID = 3743)
10:14 PM: Cookie Sweep Complete, Elapsed Time: 00:00:11
10:14 PM: Starting File Sweep
10:25 PM: File Sweep Complete, Elapsed Time: 00:11:02
10:25 PM: Full Sweep has completed. Elapsed time 00:25:42
10:25 PM: Traces Found: 137
10:30 PM: Removal process initiated
10:30 PM: Quarantining All Traces: manwithnoname_spamrelayer
10:30 PM: Quarantining All Traces: trojan-downloader-hochladen
10:30 PM: Quarantining All Traces: antivirus gold
10:30 PM: Quarantining All Traces: 2o7.net cookie
10:30 PM: Quarantining All Traces: 360i cookie
10:30 PM: Quarantining All Traces: 64.62.232 cookie
10:30 PM: Quarantining All Traces: 888 cookie
10:30 PM: Quarantining All Traces: a cookie
10:30 PM: Quarantining All Traces: about cookie
10:30 PM: Quarantining All Traces: adjuggler cookie
10:30 PM: Quarantining All Traces: adknowledge cookie
10:30 PM: Quarantining All Traces: adlegend cookie
10:30 PM: Quarantining All Traces: adrevservice cookie
10:30 PM: Quarantining All Traces: adultrevenueservice cookie
10:30 PM: Quarantining All Traces: ask cookie
10:30 PM: Quarantining All Traces: askmen cookie
10:30 PM: Quarantining All Traces: atwola cookie
10:30 PM: Quarantining All Traces: banner cookie
10:30 PM: Quarantining All Traces: bannerspace cookie
10:30 PM: Quarantining All Traces: barelylegal cookie
10:30 PM: Quarantining All Traces: belnk cookie
10:30 PM: Quarantining All Traces: bizrate cookie
10:30 PM: Quarantining All Traces: burstbeacon cookie
10:30 PM: Quarantining All Traces: burstnet cookie
10:30 PM: Quarantining All Traces: cc214142 cookie
10:30 PM: Quarantining All Traces: ccbill cookie
10:30 PM: Quarantining All Traces: clickandtrack cookie
10:30 PM: Quarantining All Traces: clickzs cookie
10:30 PM: Quarantining All Traces: dealtime cookie
10:30 PM: Quarantining All Traces: directtrack cookie
10:30 PM: Quarantining All Traces: euniverseads cookie
10:30 PM: Quarantining All Traces: exitexchange cookie
10:30 PM: Quarantining All Traces: experclick cookie
10:30 PM: Quarantining All Traces: gamespy cookie
10:30 PM: Quarantining All Traces: go.com cookie
10:30 PM: Quarantining All Traces: gotnailed cookie
10:30 PM: Quarantining All Traces: hbmediapro cookie
10:30 PM: Quarantining All Traces: hermoment.com cookie
10:31 PM: Quarantining All Traces: hitboss.com cookie
10:31 PM: Quarantining All Traces: ic-live cookie
10:31 PM: Quarantining All Traces: kmpads cookie
10:31 PM: Quarantining All Traces: linkexchange cookie
10:31 PM: Quarantining All Traces: megago cookie
10:31 PM: Quarantining All Traces: nextag cookie
10:31 PM: Quarantining All Traces: offeroptimizer cookie
10:31 PM: Quarantining All Traces: paypopup cookie
10:31 PM: Quarantining All Traces: precisead cookie
10:31 PM: Quarantining All Traces: pridebucks cookie
10:31 PM: Quarantining All Traces: rednova cookie
10:31 PM: Quarantining All Traces: reliablestats cookie
10:31 PM: Quarantining All Traces: reunion cookie
10:31 PM: Quarantining All Traces: rightmedia cookie
10:31 PM: Quarantining All Traces: ru4 cookie
10:31 PM: Quarantining All Traces: servlet cookie
10:31 PM: Quarantining All Traces: specificclick.com cookie
10:31 PM: Quarantining All Traces: starware.com cookie
10:31 PM: Quarantining All Traces: stlyrics cookie
10:31 PM: Quarantining All Traces: tickle cookie
10:31 PM: Quarantining All Traces: toplist cookie
10:31 PM: Quarantining All Traces: tracking cookie
10:31 PM: Quarantining All Traces: videodome cookie
10:31 PM: Quarantining All Traces: websponsors cookie
10:31 PM: Quarantining All Traces: wegcash cookie
10:31 PM: Quarantining All Traces: xiti cookie
10:31 PM: Quarantining All Traces: xxx69 cookie
10:31 PM: Quarantining All Traces: yadro cookie
10:31 PM: Quarantining All Traces: yieldmanager cookie
10:31 PM: Removal process completed. Elapsed time 00:00:10
********
9:58 PM: | Start of Session, Wednesday, January 11, 2006 |
9:58 PM: Spy Sweeper started
9:59 PM: Your spyware definitions have been updated.
9:59 PM: | End of Session, Wednesday, January 11, 2006 |
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/11/2006
The current time is: 21:46:26.98

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpywareStrike


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1884 'explorer.exe'
Killing PID 1884 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~

SpywareStrike


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Post a new HJT log please and let us know how the computer is.
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
Logfile of HijackThis v1.99.1
Scan saved at 7:37:34 AM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108761334609
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
The messages in the tool bar are gone. The computer seems to be running better. This is not my computer but my teenagers'. Do you recommend that I purchase the sweep program since they do a lot of chatting and message boards? Surfing in general. Thanks for all the help!!! This site is wonderful!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
When you have reset the trusted domains so they can't continue to download the rubbish to your computer:

Go to www.java.com & download the latest version of Java 1.5.0.6.

Install it & then go to Add/Remove Programs and UNINSTALL ALL previous versions of Sun Java.
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
Logfile of HijackThis v1.99.1
Scan saved at 7:06:42 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108761334609
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Have you used the DelDomains.inf? It should have fixed the problems.

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com

reboot &

  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click " Configure Scan Options"
  • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
  • Now Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post! It will be too big to post, so you will need to attach it to your reply.

and post a new HJT log please
 

stojsavl

Thread Starter
Joined
Oct 15, 2005
Messages
28
Here is the log for HijackThis. There is no O15 section.

Logfile of HijackThis v1.99.1
Scan saved at 1:49:21 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108761334609
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD7AF76-EA18-4DF3-8705-548C3755DF1A}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
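The two things the helper keeps coming back to in this thread are the O15 Trusted Zone lines (which survived smitRem and Spy Sweeper and only disappear in the final log above, once DelDomains.inf or "fix checked" reset the zone) and the habit of reading each new HJT log against the previous one. The following Python is an added example, not code from the thread, from HijackThis or from any of the tools named here; it parses the HijackThis line format, applies a few review rules of the kind the helper applied by eye (O15 entries, an O2 BHO loaded from a .tmp file, an O20 Winlogon Notify DLL not on a small allow-list, the O17 name server to confirm), and diffs two scans. The two log excerpts are constructed from entries posted in this thread, and the allow-list of known Winlogon Notify DLLs is the example's own assumption.

```python
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (section such as "O15", rest of the line)

# Constructed excerpts modelled on the HijackThis logs posted in this thread.
# Paths and GUIDs are copied from the posted entries; the full logs are not reproduced.
LOG_BEFORE = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\system32\\mssearchnet.exe
O2 - BHO: RandomName - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\\WINDOWS\\system32\\hp1DC4.tmp
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\\PROGRA~1\\AIM\\aim.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.winantivirus.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6BD7AF76-EA18-4DF3-8705-548C3755DF1A}: NameServer = 205.188.146.145
"""

LOG_AFTER = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\Explorer.EXE
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe" /startintray
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\\PROGRA~1\\AIM\\aim.exe
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6BD7AF76-EA18-4DF3-8705-548C3755DF1A}: NameServer = 205.188.146.145
"""

# Every HijackThis finding is "<section> - <text>"; the header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")

# Winlogon Notify DLLs accounted for by software seen in this thread's own logs (Webroot Spy Sweeper).
# This allow-list is the example's assumption, not a HijackThis feature.
KNOWN_WINLOGON_NOTIFY = {"wrlogonntf.dll"}


def parse_hjt(text: str) -> List[Entry]:
    """Return (section, body) for each finding line, skipping the header and process list."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Apply the review rules this thread turns on; returns (section, body, reason)."""
    flagged = []
    for section, body in entries:
        if section == "O15":
            # Sites in the Trusted zone run with relaxed IE security. Rogue security software
            # adds these so its download sites are trusted; confirm the user did not add them.
            flagged.append((section, body, "Trusted Zone entry; confirm the user added it"))
        elif section == "O2":
            path = body.rsplit(" - ", 1)[-1].lower()
            if path.endswith(".tmp"):
                # A legitimately installed BHO is a registered DLL, not a .tmp file in system32.
                flagged.append((section, body, "BHO loaded from a .tmp file"))
        elif section == "O20":
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_WINLOGON_NOTIFY:
                flagged.append((section, body, "Winlogon Notify DLL not on the allow-list"))
        elif section == "O17":
            m = re.search(r"NameServer = (\S+)", body)
            if m:
                # Not necessarily bad (in this thread it is the ISP's resolver), but always confirm it.
                flagged.append((section, body, f"confirm name server {m.group(1)} belongs to your ISP"))
    return flagged


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared between two scans, and entries that appeared."""
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for section, body, reason in flag_entries(before):
        print(f"[{section}] {reason}: {body}")
    removed, added = diff_logs(before, after)
    print("gone after cleanup:", [b for _, b in removed])
    print("new after cleanup:", [b for _, b in added])
```

Run against the constructed excerpts, the "before" scan flags the .tmp BHO, both O15 lines and the name server, while the "after" scan flags only the name server (the Spy Sweeper Winlogon Notify DLL is on the allow-list) and the diff shows exactly the O15 lines and the BHO gone, with the Spy Sweeper O4 and O20 entries new. The O15 lines are HijackThis's rendering of the per-domain keys under Internet Settings\ZoneMap\Domains in the registry, which is what the DelDomains.inf reset the helper asked for clears; seeing them persist across two cleanup tools and disappear only after the zone reset is the pattern this thread illustrates.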
 