Tech Support Guy

PopUps & "AntiSpy Programs"

#1 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:15:37 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\dXNlcg\command.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\n9nyb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys01252488409-] C:\WINDOWS\sys01252488409-.exe
O4 - HKLM\..\Run: [lpjedthA] C:\WINDOWS\lpjedthA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lpjedth.exe

Here's my HIJACK log.
I'm almost 100% sure that something is definitely wrong.
I tried going to msconfig and unchecking them to make them not start, but they just unchecked themselves.
Thanks to whoever picks up this thread. :)
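The log above, triaged by a small script. This is an added example, not part of the original thread and not HijackThis's own code: it applies the patterns that are visible in this log (extra executables on the system.ini Shell= and UserInit= lines, O15 Trusted Zone additions, a text/html O18 MIME filter, an O20 Winlogon Notify DLL, O4 autoruns from the WINDOWS directory with generated-looking names, and O23 services with no vendor information outside system32). The rules and the `looks_random` heuristic are mine and produce leads, not verdicts; the sample lines are copied from the log in post #1; the base64 check is an observation about the directory name C:\WINDOWS\dXNlcg (it decodes to "user"), which the thread itself does not remark on.

```python
"""Triage a HijackThis v1.99 log for the hijack patterns seen in this thread.
Added example: heuristics written for illustration, not HijackThis code."""
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the log in post #1.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [sys01252488409-] C:\WINDOWS\sys01252488409-.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)

# XP defaults for the two system.ini hooks. HijackThis prints an F2 line only
# when the value differs from the default, so any extra program named there
# runs at every logon (Shell) or before the shell starts (UserInit).
DEFAULT_F2 = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def looks_random(filename):
    """Generated-looking name (cvn0.exe, xwwdp.exe): letters mixed with
    digits, or no vowels at all. Ati2evxx.exe trips it too: a lead, not proof."""
    stem = filename.rsplit(".", 1)[0].lower()
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    no_vowels = not any(c in "aeiouy" for c in stem)
    return (has_digit and has_alpha) or no_vowels


def windows_location(path):
    r"""'root' for C:\WINDOWS\x.exe, 'system32' for C:\WINDOWS\system32\x.exe,
    'other' for any other directory below WINDOWS, None outside WINDOWS."""
    parts = path.lower().split("\\")
    if len(parts) < 3 or parts[1] != "windows":
        return None
    if len(parts) == 3:
        return "root"
    return "system32" if len(parts) == 4 and parts[2] == "system32" else "other"


def decode_base64_dir(path):
    r"""Plaintext if the parent directory name is printable base64
    (C:\WINDOWS\dXNlcg\ decodes to 'user'), else None."""
    parts = path.rstrip("\\").split("\\")
    if len(parts) < 3:
        return None
    name = parts[-2]
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if len(text) >= 3 and text.isprintable() else None


def triage(log_text):
    """Return {'suspect': [...], 'review': [...], 'note': [...]} for the log."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        paths = PATH_RE.findall(body)
        if kind == "F2":
            # body is "REG:system.ini: Shell=Explorer.exe, C:\...\xwwdp.exe"
            key, _, value = body.partition(": ")[2].partition("=")
            defaults = DEFAULT_F2.get(key.lower(), set())
            extra = [v.strip() for v in value.split(",")
                     if v.strip() and v.strip().lower().rsplit("\\", 1)[-1] not in defaults]
            if extra:
                findings["suspect"].append(f"F2 {key}= hijack: {', '.join(extra)}")
        elif kind == "O4":
            for p in paths:
                where = windows_location(p)
                name = p.rsplit("\\", 1)[-1]
                if where in ("root", "other") or (where == "system32" and looks_random(name)):
                    findings["suspect"].append(f"O4 autorun from WINDOWS ({where}): {p}")
        elif kind == "O15":
            findings["review"].append(f"O15 trusted zone: {body.partition(': ')[2]}")
        elif kind == "O18" and "text/html" in body:
            findings["suspect"].append(f"O18 text/html MIME filter: {paths[0] if paths else body}")
        elif kind == "O20":
            findings["review"].append(f"O20 Winlogon Notify DLL: {paths[0] if paths else body}")
        elif kind == "O23" and "Unknown owner" in body:
            for p in paths:
                if windows_location(p) in ("root", "other"):
                    findings["suspect"].append(f"O23 service, no vendor info, outside system32: {p}")
        for p in paths:
            decoded = decode_base64_dir(p)
            if decoded:
                parent = p.rsplit("\\", 2)[-2]
                findings["note"].append(f"directory {parent!r} is base64 for {decoded!r} ({p})")
    return dict(findings)


if __name__ == "__main__":
    for severity, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{severity}] {item}")
```

The O15 lines are the registry entries that the DelDomains.inf step later in the thread clears (the ZoneMap\Domains keys under Internet Settings in both HKCU and HKLM); the F2, O18 and O20 entries are the ones that reload the rest at every logon, which is why unticking items in msconfig did not stick.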
 
#2 ·
At first look I should say cease using IE, and switch to something more secure, like Firefox.
But what is your problem exactly?
 
#3 ·
Go to http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
· Close all windows before continuing.
· Double-click Look2Me-Destroyer.exe to run it.
· Click the Scan for L2M button; your desktop icons will disappear, this is normal.
· Once it's done scanning, click the Remove L2M button.
· You will receive a Done Scanning message, click OK.
· When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
· Your computer will then shutdown.
· Turn your computer back on.
· Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
============================
download http://www.mvps.org/winhelp2002/DelDomains.inf

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
==================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 
#4 ·
Malacka said:
At first look I should say cease using IE, and switch to something more secure, like Firefox.
But what is your problem exactly?
There are a lot of popups and ones that also say to download these "Anti-spy" and "Antivirus" programs. I've fallen for them before, and it hurt my comp, so I know for sure it shouldn't happen. I will follow the steps in your post and post my log. Thanks. :)
 
#5 ·
I did the first part of your post..but it never seems to restart when I reboot. Here is the log anyway and HiJack.

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/31/2006 5:40:03 PM

Attempting to delete infected files...

Making registry repairs.

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

==================

Logfile of HijackThis v1.99.1
Scan saved at 6:11:39 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\dXNlcg\command.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\sys01252488409-.exe
C:\WINDOWS\lpjedthA.exe
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\lpjedth.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys01252488409-] C:\WINDOWS\sys01252488409-.exe
O4 - HKLM\..\Run: [lpjedthA] C:\WINDOWS\lpjedthA.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lpjedth.exe
 
#6 ·
Do it all and then post the requested logs
===================

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall
==========================
Sorry - HiJackThis is running from a temp directory and must be moved to run correctly

Click here to download HJTsetup.exe:

http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
Scroll down to the download section

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
==============================
download http://www.mvps.org/winhelp2002/DelDomains.inf

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
==========================
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 
#7 ·
Okay here are the logs requested. I wasn't too sure what the DelDomains program did, but I did it anyway.

Start Time= Mon 07/31/2006 21:39:56.68
Running from: C:\Documents and Settings\user\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-31 18:19:14 ( .D... ) "C:\Program Files\Webroot"
2006-07-31 18:19:14 ( .D... ) "C:\Documents and Settings\user\Application Data\Webroot"
2006-07-31 18:15:56 435 ( A.... ) "C:\WINDOWS\gimfh.dll"
2006-07-31 16:09:24 ( .D... ) "C:\Program Files\Hidden Expedition Titanic"
2006-07-31 16:08:24 ( .D... ) "C:\Documents and Settings\user\Application Data\funkitron"
2006-07-31 16:06:44 ( .D... ) "C:\Program Files\Poker Superstars II"
2006-07-31 00:49:42 ( .D... ) "C:\Program Files\InetGet2"
2006-07-30 23:58:20 45056 ( A.... ) "C:\WINDOWS\system32\ghynf.exe"
2006-07-30 23:52:32 ( .D... ) "C:\Program Files\SymNetDrv"
2006-07-30 22:43:22 ( .D... ) "C:\Program Files\Common Files\zzzm"
2006-07-30 22:42:04 36864 ( A.... ) "C:\WINDOWS\system32n9nyb.exe"
2006-07-30 22:42:02 45056 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
2006-07-30 22:42:02 0 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-30 22:41:54 36864 ( A.... ) "C:\WINDOWS\system32\n9nyb.exe"
2006-07-30 22:41:52 28672 ( A.... ) "C:\WINDOWS\system32\bez6n4r21.exe"
2006-07-30 22:41:44 ( .D... ) "C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}"
2006-07-30 22:41:36 ( .D... ) "C:\Program Files\Cowabanga"
2006-07-30 21:14:42 ( .D... ) "C:\Program Files\LimeWire"
2006-07-27 00:00:30 ( .D... ) "C:\Documents and Settings\user\Application Data\Lavasoft"
2006-07-27 00:00:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-26 15:49:24 159744 ( A.... ) "C:\WINDOWS\system32\cvn0.exe"
2006-07-20 23:29:20 ( .D... ) "C:\Documents and Settings\user\Application Data\Apple Computer"
2006-07-20 23:25:16 ( .D... ) "C:\Program Files\iTunes"
2006-07-20 23:25:16 ( .D... ) "C:\Program Files\iPod"
2006-07-07 16:54:10 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll"
2006-07-07 16:53:54 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll"
2006-07-07 16:53:52 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE"
2006-07-07 16:53:50 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll"
2006-06-18 01:06:18 ( .D... ) "C:\Program Files\Aveyond"
2006-06-15 14:10:36 ( .D... ) "C:\Documents and Settings\user\Application Data\PedestrianEntertainment"
2006-06-15 13:56:40 ( .D... ) "C:\Program Files\BFG"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-31 18:19 8,704 C:\WINDOWS\system32\ssiefr.EXE
2006-07-31 18:19 684,032 C:\WINDOWS\libeay32.dll
2006-07-31 18:19 252,928 C:\WINDOWS\WRUninstall.dll
2006-07-31 18:19 208,896 C:\WINDOWS\system32\WRLogonNtf.dll
2006-07-31 18:19 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-07-31 18:19 155,648 C:\WINDOWS\ssleay32.dll
2006-07-30 23:58 45,056 C:\WINDOWS\system32\ghynf.exe
2006-07-30 23:53 53,248 C:\WINDOWS\UpdtNv28.exe
2006-07-30 22:44 435 C:\WINDOWS\gimfh.dll
2006-07-30 22:42 45,056 C:\WINDOWS\system32ghynf.exe
2006-07-30 22:42 36,864 C:\WINDOWS\system32n9nyb.exe
2006-07-30 22:42 0 C:\WINDOWS\system32bez6n4r21.exe
2006-07-30 22:41 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-07-30 22:41 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-30 22:41 159,744 C:\WINDOWS\system32\cvn0.exe
2006-07-30 21:16 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-30 21:16 49,248 C:\WINDOWS\system32\java.exe
2006-07-30 21:16 127,078 C:\WINDOWS\system32\javaws.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PDUiP6600DMon"="\"C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ad8rIU3s"="C:\\WINDOWS\\system32\\cvn0.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F0F35527-07D0-1033-0304-050405130001}"="\"C:\\Program Files\\Common Files\\{F0F35527-07D0-1033-0304-050405130001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aurav.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aurav.exe"
"backup"="C:\\WINDOWS\\pss\\aurav.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aurav.exe"
"item"="aurav"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbqrq]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hmgypu"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hmgypu.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrfg_7"
"hkey"="HKLM"
"command"="C:\\\\dfndrfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hekqps]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hmgypu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hmgypu.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1146891318\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdfg_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lpjedthA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lpjedthA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\lpjedthA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ltmoh"
"hkey"="HKLM"
"command"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NDSTray"
"hkey"="HKLM"
"command"="NDSTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Osus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="javaw"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\ASKS~1\\javaw.exe\" -vt yazr"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PadExe"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SmoothView"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys01252488409-]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys01252488409-"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys01252488409-.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thotkey"
"hkey"="HKLM"
"command"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="toscdspd"
"hkey"="HKCU"
"command"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPSMain"
"hkey"="HKLM"
"command"="TPSMain.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzzm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zzzmm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\zzzm\\zzzmm.exe"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
Wallpaper REG_SZ !"$%&$#!%&$#!$#%!&$#&%!$#%$"!DF!CXY!DWCER"!

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 07/31/2006 21:40:28.34
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

====================

Logfile of HijackThis v1.99.1
Scan saved at 9:46:59 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
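The HijackThis and ComboFix output above shows the pattern most of the rogue autostarts share: random-looking executables launched from C:\, C:\WINDOWS or system32 (cvn0.exe, hmgypu.exe, wfxqhv.exe, lpjedthA.exe, winstall.exe), a second binary chained into UserInit (irehaad.exe), IE search keys pointed at mrfindalot.com, and a service (Network Monitor) whose binary has already been pulled. The Python script below is an added example, not code from the thread or from HijackThis, ComboFix or Spy Sweeper. It encodes those checks and runs them over a sample block constructed from lines in the logs above. The known-good baseline, the suspect-directory list and the randomness test are assumptions for illustration; they are heuristics, so every hit still needs a human to look at the file before anything is deleted.

```python
"""Triage of HijackThis-style autostart lines (added example, not from the thread).

Assumptions: KNOWN_GOOD and SUSPECT_DIRS are an illustrative baseline, not a
complete list, and looks_random() is a rough heuristic.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed baseline: binaries Windows XP itself autostarts from system32.
KNOWN_GOOD = {"ctfmon.exe", "userinit.exe", "explorer.exe"}
# Third-party Run entries launching directly from these directories are unusual.
SUSPECT_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32"}
# IE Search keys that legitimate software almost never sets.
SEARCH_KEYS = {"searchassistant", "customizesearch"}

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R0_RE = re.compile(r"^R[01] - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Search,(?P<key>\w+) = (?P<url>\S+)")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample: lines taken from the HijackThis/ComboFix output in this thread.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [hekqps] C:\WINDOWS\system32\hmgypu.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [lpjedthA] C:\WINDOWS\lpjedthA.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


@dataclass
class Finding:
    severity: str            # "HIGH" or "MEDIUM"
    line_no: int             # 1-based line in the log text
    exe: Optional[str]       # lower-cased file name, if one was involved
    reason: str


def exe_from_command(cmd: str) -> Optional[str]:
    """Return the executable path at the head of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r"(?i)^(.+?\.exe)(?:\s|$)", cmd)  # unquoted path up to the first .exe
    return m.group(1) if m else None


def in_suspect_dir(path: str) -> bool:
    """True when the file sits directly in C:\\, C:\\WINDOWS or system32."""
    return ntpath.dirname(path).lower().rstrip("\\") in SUSPECT_DIRS


def looks_random(filename: str) -> bool:
    """Heuristic: few vowels, a long run without vowels, or digits in the stem."""
    stem = ntpath.splitext(filename)[0].lower()
    if not re.fullmatch(r"[a-z0-9_]{4,}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max(len(r) for r in re.split(r"[aeiou]", stem))
    return vowel_ratio <= 0.25 or longest_run >= 4 or any(c.isdigit() for c in stem)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if m := F2_RE.match(line):
            # Anything besides userinit.exe here runs at every interactive logon.
            for part in m["value"].split(","):
                name = ntpath.basename(part.strip()).lower()
                if name and name not in KNOWN_GOOD:
                    findings.append(Finding("HIGH", no, name, "extra binary chained into UserInit"))
        elif m := R0_RE.match(line):
            if m["key"].lower() in SEARCH_KEYS:
                host = urlparse(m["url"]).hostname
                findings.append(Finding("MEDIUM", no, None, f"IE {m['key']} redirected to {host}"))
        elif m := O4_RE.match(line):
            path = exe_from_command(m["cmd"])
            if not path:
                continue
            name = ntpath.basename(path).lower()
            if name in KNOWN_GOOD or not in_suspect_dir(path):
                continue
            sev = "HIGH" if looks_random(name) else "MEDIUM"
            findings.append(Finding(sev, no, name, f"Run entry [{m['name']}] launches {name} from {ntpath.dirname(path)}"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                path = m["path"].replace("(file missing)", "").strip()
                findings.append(Finding("MEDIUM", no, ntpath.basename(path).lower(),
                                        f"service '{m['svc']}' points at a binary that no longer exists"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} line {f.line_no:2}: {f.reason}")
```

Run against the sample, the script flags the UserInit chain, the four random-named Run entries and the orphaned service while leaving QuickTime, ctfmon and Norton alone. The location check does most of the work: the vowel-ratio heuristic on its own would also flag names like navapsvc, which is why it is only applied to binaries launched from the suspect directories and not on the baseline list.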
#8 ·
========================

Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:36 PM: Shield States
9:36 PM: Spyware Definitions: 730
9:35 PM: Spy Sweeper 5.0.5.1286 started
6:28 PM: | End of Session, Monday, July 31, 2006 |
6:28 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
6:28 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
6:26 PM: Your spyware definitions have been updated.
6:25 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
6:25 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:22 PM: Shield States
6:22 PM: Spyware Definitions: 691
6:22 PM: Spy Sweeper 5.0.5.1286 started
6:22 PM: Spy Sweeper 5.0.5.1286 started
6:22 PM: | Start of Session, Monday, July 31, 2006 |
********
9:31 PM: Removal process completed. Elapsed time 00:10:21
9:31 PM: Preparing to restart your computer. Please wait...
9:31 PM: Warning: Quarantine process could not restart Explorer.
9:31 PM: Warning: Timed out waiting for explorer.exe
9:31 PM: Warning: Timed out waiting for explorer.exe
9:31 PM: Warning: Timed out waiting for explorer.exe
9:31 PM: Quarantining All Traces: zedo cookie
9:31 PM: Quarantining All Traces: seeq cookie
9:31 PM: Quarantining All Traces: zango cookie
9:31 PM: Quarantining All Traces: myaffiliateprogram.com cookie
9:31 PM: Quarantining All Traces: burstbeacon cookie
9:31 PM: Quarantining All Traces: web-stat cookie
9:31 PM: Quarantining All Traces: tribalfusion cookie
9:31 PM: Quarantining All Traces: trafficmp cookie
9:31 PM: Quarantining All Traces: targetnet cookie
9:31 PM: Quarantining All Traces: webtrendslive cookie
9:31 PM: Quarantining All Traces: reliablestats cookie
9:31 PM: Quarantining All Traces: statcounter cookie
9:31 PM: Quarantining All Traces: serving-sys cookie
9:31 PM: Quarantining All Traces: revenue.net cookie
9:31 PM: Quarantining All Traces: directtrack cookie
9:31 PM: Quarantining All Traces: valuead cookie
9:31 PM: Quarantining All Traces: questionmarket cookie
9:31 PM: Quarantining All Traces: partypoker cookie
9:31 PM: Quarantining All Traces: nextag cookie
9:31 PM: Quarantining All Traces: realmedia cookie
9:31 PM: Quarantining All Traces: mediaplex cookie
9:31 PM: Quarantining All Traces: top-banners cookie
9:31 PM: Quarantining All Traces: webtrends cookie
9:31 PM: Quarantining All Traces: ic-live cookie
9:31 PM: Quarantining All Traces: clickandtrack cookie
9:31 PM: Quarantining All Traces: starware.com cookie
9:31 PM: Quarantining All Traces: wegcash cookie
9:31 PM: Quarantining All Traces: 888 cookie
9:31 PM: Quarantining All Traces: fastclick cookie
9:31 PM: Quarantining All Traces: did-it cookie
9:31 PM: Quarantining All Traces: dealtime cookie
9:31 PM: Quarantining All Traces: overture cookie
9:31 PM: Quarantining All Traces: exitexchange cookie
9:31 PM: Quarantining All Traces: casalemedia cookie
9:31 PM: Quarantining All Traces: goclick cookie
9:31 PM: Quarantining All Traces: burstnet cookie
9:31 PM: Quarantining All Traces: belnk cookie
9:31 PM: Quarantining All Traces: searchingbooth cookie
9:31 PM: Quarantining All Traces: goldenpalace cookie
9:31 PM: Quarantining All Traces: atwola cookie
9:31 PM: Quarantining All Traces: atlas dmt cookie
9:31 PM: Quarantining All Traces: ask cookie
9:31 PM: Quarantining All Traces: falkag cookie
9:31 PM: Quarantining All Traces: tacoda cookie
9:31 PM: Quarantining All Traces: advertising cookie
9:30 PM: Quarantining All Traces: adultfriendfinder cookie
9:30 PM: Quarantining All Traces: pointroll cookie
9:30 PM: Quarantining All Traces: addynamix cookie
9:30 PM: Quarantining All Traces: adrevolver cookie
9:30 PM: Quarantining All Traces: adprofile cookie
9:30 PM: Quarantining All Traces: specificclick.com cookie
9:30 PM: Quarantining All Traces: adlegend cookie
9:30 PM: Quarantining All Traces: adknowledge cookie
9:30 PM: Quarantining All Traces: adecn cookie
9:30 PM: Quarantining All Traces: yieldmanager cookie
9:30 PM: Quarantining All Traces: about cookie
9:30 PM: Quarantining All Traces: go.com cookie
9:30 PM: Quarantining All Traces: websponsors cookie
9:30 PM: Quarantining All Traces: 2o7.net cookie
9:30 PM: Quarantining All Traces: webhancer
9:30 PM: Quarantining All Traces: effective-i toolbar
9:30 PM: c:\program files\complus applications\kybevima.html is in use. It will be removed on reboot.
9:30 PM: c:\program files\windows media player\hoxy.html is in use. It will be removed on reboot.
9:30 PM: deskwizz is in use. It will be removed on reboot.
9:30 PM: Quarantining All Traces: deskwizz
9:30 PM: Quarantining All Traces: mediamotor - popuppers
9:30 PM: Quarantining All Traces: pesttrap
9:30 PM: Quarantining All Traces: spywareno! components
9:30 PM: Quarantining All Traces: findthewebsiteyouneed hijack
9:30 PM: Quarantining All Traces: mrfindalot hijack
9:30 PM: C:\WINDOWS\dXNlcg\command.exe is in use. It will be removed on reboot.
9:30 PM: C:\Program Files\Network Monitor\netmon.exe is in use. It will be removed on reboot.
9:30 PM: C:\WINDOWS\dXNlcg\asappsrv.dll is in use. It will be removed on reboot.
9:30 PM: C:\Program Files\Network Monitor\netmon.exe is in use. It will be removed on reboot.
9:30 PM: C:\WINDOWS\dXNlcg\asappsrv.dll is in use. It will be removed on reboot.
9:30 PM: C:\Program Files\Network Monitor is in use. It will be removed on reboot.
9:30 PM: command is in use. It will be removed on reboot.
9:30 PM: Quarantining All Traces: command
9:30 PM: Quarantining All Traces: internetoptimizer
9:30 PM: Quarantining All Traces: trojan-dropper-joiner
9:30 PM: Quarantining All Traces: trojan-dh
9:30 PM: Quarantining All Traces: dollarrevenue
9:30 PM: Quarantining All Traces: targetsaver
9:30 PM: Quarantining All Traces: zquest
9:29 PM: Quarantining All Traces: winantivirus pro
9:29 PM: Quarantining All Traces: cas
9:29 PM: Quarantining All Traces: elitemediagroup-mediamotor
9:29 PM: Quarantining All Traces: surfsidekick
9:29 PM: Quarantining All Traces: enbrowser
9:28 PM: Quarantining All Traces: maxifiles
9:28 PM: Quarantining All Traces: forethought
9:28 PM: Quarantining All Traces: spysheriff fakealert
9:28 PM: Quarantining All Traces: look2me
9:28 PM: C:\WINDOWS\lpjedth.exe is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\lpjedthA.exe is in use. It will be removed on reboot.
9:28 PM: visfx is in use. It will be removed on reboot.
9:28 PM: Warning: QF[866]: "C:\WINDOWS\lpjedthA.exe": File not found
9:28 PM: Quarantining All Traces: visfx
9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\system32\hmgypu.exe is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\system32\dmonwv.dll is in use. It will be removed on reboot.
9:28 PM: C:\WINDOWS\system32\ntfyhdo.dll is in use. It will be removed on reboot.
9:28 PM: c:\windows\system32\xwwdp.exe is in use. It will be removed on reboot.
9:28 PM: c:\windows\system32\ntfyhdo.dll is in use. It will be removed on reboot.
9:28 PM: c:\documents and settings\all users\start menu\programs\startup\aurav.exe is in use. It will be removed on reboot.
9:28 PM: c:\windows\system32\hmgypu.exe is in use. It will be removed on reboot.
9:28 PM: clkoptimizer is in use. It will be removed on reboot.
9:25 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
9:25 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
9:25 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
9:25 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
9:22 PM: Quarantining All Traces: clkoptimizer
9:21 PM: Removal process initiated
9:17 PM: Traces Found: 268
9:17 PM: Full Sweep has completed. Elapsed time 02:45:08
9:17 PM: Traces Found: 268
9:17 PM: Full Sweep has completed. Elapsed time 02:45:07
9:17 PM: File Sweep Complete, Elapsed Time: 02:45:11
8:37 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:37 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:37 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:37 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:18 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\KHIFOHMV\WinAntiVirusPro2006FreeInstall[1].cab (ID = 327827)
8:17 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:17 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:17 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:17 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:13 PM: C:\WINDOWS\dXNlcg\xrh5w0.vbs (ID = 185675)
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@statcounter[2].txt". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@forums.techguy[2].txt". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\azov6l6l\queryxx[1].htm". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@servedby.headlinesandnews[2].txt". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\azov6l6l\campaign[1].htm". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@mbop[1].txt". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\ssfsetup4129_1880020065[1].exe:zone.identifier". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\1frf5dse\65569[1].967634357809868". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gdijkdmf\attest[1].htm". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\1k8715wh\tmp[2].htm". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\6r8xux6t\a@x15[1]". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@poptini[1].txt". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\wlaj4div\counter[1].gif". The operation completed successfully
8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\user@redorbit[2].txt". The operation completed successfully
7:57 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:57 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:57 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:57 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:51 PM: Warning: QF[866]: "C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\PORTAL\6277551B.EXE": File not found
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:51 PM: Warning: TBZipFileCompressor.Compress: Cannot compress a file or directory that does not exist (C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\PORTAL\620C6B91.EXE).
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:48 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
7:48 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
7:45 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr7C1A (ID = 159)
7:45 PM: C:\WINDOWS\optimize.exe (ID = 288489)
7:45 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\optimize[1].exe (ID = 288489)
7:45 PM: Found Adware: internetoptimizer
7:45 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
7:45 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
7:44 PM: c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\webnexmk[1].exe (ID = 299757)
7:44 PM: Found Trojan Horse: trojan-dropper-joiner
7:44 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe": File not found
7:44 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe": File not found
7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
7:42 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\626_101[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\626_101[1].exe": File not found
7:42 PM: C:\WINDOWS\unwn.exe (ID = 268798)
7:42 PM: c:\windows\system32\xwwdp.exe (ID = 268934)
7:42 PM: c:\windows\system32\ntfyhdo.dll (ID = 268933)
7:42 PM: c:\windows\system32\irehaad.exe (ID = 268932)
7:42 PM: C:\WINDOWS\system32\nkucc.dat (ID = 268995)
7:42 PM: c:\documents and settings\all users\start menu\programs\startup\aurav.exe (ID = 268995)
7:42 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\Software\Microsoft\Windows\CurrentVersion\Run || dbqrq (ID = 0)
7:42 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || hekqps (ID = 0)
7:42 PM: c:\windows\system32\hmgypu.exe (ID = 268995)
7:42 PM: C:\Program Files\Cas2Stub\cas2stub.exe (ID = 295817)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\vocabulary (ID = 78283)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\zzzmc.dll (ID = 195129)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\class-barrel (ID = 78229)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzmp.exe (ID = 195132)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzma.exe (ID = 195128)
7:42 PM: C:\WINDOWS\system32\dmonwv.dll (ID = 268799)
7:42 PM: C:\Program Files\Common Files\zzzm\zzzml.exe (ID = 195130)
7:42 PM: C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe (ID = 320789)
7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\pop06ap2[1].exe (ID = 288578)
7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\whCC-GIANT[1].exe (ID = 83829)
7:42 PM: Found Adware: webhancer
7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\fym9bvo[1].exe (ID = 328135)
7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:41 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:41 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:40 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\dist13[1].exe (ID = 295817)
7:40 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\installerwnus[1].exe (ID = 271215)
7:39 PM: C:\Documents and Settings\user\itgcjwtz.exe (ID = 304952)
7:39 PM: Found Adware: spysheriff fakealert
7:39 PM: C:\WINDOWS\uninstall_nmon.vbs (ID = 231442)
7:39 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\Installer[1].exe (ID = 168558)
7:39 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\SS1001[1].exe (ID = 215896)
7:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UUQZYJYY\ucmoreiex[1].exe (ID = 59853)
7:36 PM: Found Adware: effective-i toolbar
7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\stub_113_4_0_4_0[1].exe (ID = 193995)
7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\MTE3NDI6ODoxNg[1].exe (ID = 185985)
7:35 PM: C:\WINDOWS\unin101.exe (ID = 245111)
7:35 PM: C:\WINDOWS\uni_eh.exe (ID = 245110)
7:35 PM: C:\WINDOWS\pf78.exe (ID = 244430)
7:35 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\numbsoft[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\numbsoft[1].exe": File not found
7:35 PM: C:\Program Files\ComPlus Applications\kybevima.html (ID = 323861)
7:35 PM: C:\Program Files\Windows Media Player\hoxy.html (ID = 310472)
7:35 PM: Found Adware: deskwizz
7:35 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\wallpap[1].exe (ID = 309645)
7:35 PM: Found Trojan Horse: trojan-dh
7:35 PM: C:\Documents and Settings\user\Local Settings\Temp\cas2setup.exe (ID = 326584)
7:35 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr2D50 (ID = 159)
7:35 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\cas2setup[1].exe (ID = 326584)
7:34 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
7:34 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:33 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:33 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:25 PM: The Spy Communication shield has blocked access to: SEARCHPORTAL.INFORMATION.COM
7:25 PM: The Spy Communication shield has blocked access to: SEARCHPORTAL.INFORMATION.COM
 
#9 ·
7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:20 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:20 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:16 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:16 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:16 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:16 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:12 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:12 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:07 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\visfx500[1].exe (ID = 244295)
7:06 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
7:06 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
7:03 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
7:03 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:55 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:55 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:53 PM: C:\Program Files\ipwins\Uninst.exe (ID = 315599)
6:50 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || IpWins (ID = 0)
6:50 PM: C:\Program Files\ipwins\ipwins.exe (ID = 315610)
6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:47 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:47 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\loader[1].exe (ID = 328037)
6:46 PM: C:\WINDOWS\amm06.ocx (ID = 292476)
6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\amm06[1].ocx (ID = 292476)
6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\drsmartload180a.exe (ID = 328081)
6:46 PM: Found Adware: dollarrevenue
6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\unstall[1].exe (ID = 304324)
6:46 PM: C:\Program Files\Common Files\zzzm\zzzmm.exe (ID = 195131)
6:46 PM: Found Adware: targetsaver
6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.frBC3A (ID = 231443)
6:46 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sys01252488409- (ID = 0)
6:46 PM: C:\WINDOWS\sys01252488409-.exe (ID = 320461)
6:46 PM: C:\WINDOWS\dXNlcg\command.exe (ID = 144946)
6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr716D (ID = 144945)
6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\i1E4.tmp (ID = 253411)
6:43 PM: C:\WINDOWS\system32\atmtd.dll (ID = 166754)
6:43 PM: C:\Documents and Settings\user\Local Settings\Temp\tp7543.exe (ID = 209705)
6:43 PM: C:\Documents and Settings\user\Local Settings\Temp\Temporary Internet Files\Content.IE5\CHAF09QJ\rcverlib[1].exe (ID = 209705)
6:42 PM: C:\WINDOWS\system32\atmtd.dll._ (ID = 166754)
6:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\012B0DEF\Installer[1].exe (ID = 168558)
6:42 PM: Found Adware: look2me
6:41 PM: C:\WINDOWS\Temp\tp7543.exe (ID = 209705)
6:41 PM: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WI1FGJCF\rcverlib[1].exe (ID = 209705)
6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:39 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:39 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:36 PM: C:\WINDOWS\pss\aurav.exeCommon Startup (ID = 268995)
6:36 PM: C:\Documents and Settings\user\Local Settings\Temp\cmdinst.exe (ID = 231664)
6:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\installer[2].exe (ID = 231664)
6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
6:34 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\v1201[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\v1201[1].exe": File not found
6:34 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\RDFX4[1].exe (ID = 290920)
6:34 PM: Found Adware: zquest
6:34 PM: C:\WINDOWS\system32\iqqr.exe (ID = 327343)
6:34 PM: C:\WINDOWS\unstall.exe (ID = 304324)
6:34 PM: Found Adware: mediamotor - popuppers
6:34 PM: C:\Program Files\Network Monitor\netmon.exe (ID = 231443)
6:33 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\KHIFOHMV\WinAntiVirusPro2006FreeInstall[1].cab (ID = 327824)
6:33 PM: Found Adware: winantivirus pro
6:32 PM: C:\WINDOWS\dXNlcg\asappsrv.dll (ID = 144945)
6:32 PM: C:\Program Files\Cas2Stub (1 subtraces) (ID = 2147500974)
6:32 PM: C:\Program Files\ipwins (8 subtraces) (ID = 2147524552)
6:32 PM: C:\Program Files\PestTrap (2 subtraces) (ID = 2147507944)
6:32 PM: Found Adware: pesttrap
6:32 PM: C:\Program Files\Network Monitor (1 subtraces) (ID = 2147507525)
6:32 PM: Starting File Sweep
6:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
6:32 PM: c:\documents and settings\user\cookies\user@zedo[1].txt (ID = 3762)
6:32 PM: Found Spy Cookie: zedo cookie
6:32 PM: c:\documents and settings\user\cookies\user@www48.seeq[1].txt (ID = 3332)
6:32 PM: Found Spy Cookie: seeq cookie
6:32 PM: c:\documents and settings\user\cookies\user@www.zango[1].txt (ID = 3761)
6:32 PM: Found Spy Cookie: zango cookie
6:32 PM: c:\documents and settings\user\cookies\user@www.myaffiliateprogram[1].txt (ID = 3032)
6:32 PM: Found Spy Cookie: myaffiliateprogram.com cookie
6:32 PM: c:\documents and settings\user\cookies\user@www.burstnet[1].txt (ID = 2337)
6:32 PM: c:\documents and settings\user\cookies\user@www.burstbeacon[1].txt (ID = 2335)
6:32 PM: Found Spy Cookie: burstbeacon cookie
6:32 PM: c:\documents and settings\user\cookies\user@web-stat[2].txt (ID = 3648)
6:32 PM: Found Spy Cookie: web-stat cookie
6:32 PM: c:\documents and settings\user\cookies\user@try.starware[1].txt (ID = 3442)
6:32 PM: c:\documents and settings\user\cookies\user@tribalfusion[1].txt (ID = 3589)
6:32 PM: Found Spy Cookie: tribalfusion cookie
6:32 PM: c:\documents and settings\user\cookies\user@trafficmp[1].txt (ID = 3581)
6:32 PM: Found Spy Cookie: trafficmp cookie
6:32 PM: c:\documents and settings\user\cookies\user@targetnet[1].txt (ID = 3489)
6:32 PM: Found Spy Cookie: targetnet cookie
6:32 PM: c:\documents and settings\user\cookies\user@tacoda[1].txt (ID = 6444)
6:32 PM: c:\documents and settings\user\cookies\user@statse.webtrendslive[2].txt (ID = 3667)
6:32 PM: Found Spy Cookie: webtrendslive cookie
6:32 PM: c:\documents and settings\user\cookies\user@stats1.reliablestats[1].txt (ID = 3254)
6:32 PM: Found Spy Cookie: reliablestats cookie
6:32 PM: c:\documents and settings\user\cookies\user@statcounter[2].txt (ID = 3447)
6:32 PM: Found Spy Cookie: statcounter cookie
6:32 PM: c:\documents and settings\user\cookies\user@stat.dealtime[1].txt (ID = 2506)
6:32 PM: c:\documents and settings\user\cookies\user@sports.espn.go[2].txt (ID = 2729)
6:32 PM: c:\documents and settings\user\cookies\user@serving-sys[2].txt (ID = 3343)
6:32 PM: Found Spy Cookie: serving-sys cookie
6:32 PM: c:\documents and settings\user\cookies\user@rsi.espn.go[1].txt (ID = 2729)
6:32 PM: c:\documents and settings\user\cookies\user@rsi.abc.go[1].txt (ID = 2729)
6:32 PM: c:\documents and settings\user\cookies\user@revenue[2].txt (ID = 3257)
6:32 PM: Found Spy Cookie: revenue.net cookie
6:32 PM: c:\documents and settings\user\cookies\user@revenuegateway.directtrack[2].txt (ID = 2528)
6:32 PM: Found Spy Cookie: directtrack cookie
6:32 PM: c:\documents and settings\user\cookies\user@reduxads.valuead[1].txt (ID = 3627)
6:32 PM: Found Spy Cookie: valuead cookie
6:32 PM: c:\documents and settings\user\cookies\user@realmedia[2].txt (ID = 3235)
6:32 PM: c:\documents and settings\user\cookies\user@questionmarket[2].txt (ID = 3217)
6:32 PM: Found Spy Cookie: questionmarket cookie
6:32 PM: c:\documents and settings\user\cookies\user@partypoker[2].txt (ID = 3111)
6:32 PM: Found Spy Cookie: partypoker cookie
6:32 PM: c:\documents and settings\user\cookies\user@partygaming.122.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@nextag[2].txt (ID = 5014)
6:32 PM: Found Spy Cookie: nextag cookie
6:32 PM: c:\documents and settings\user\cookies\user@network.realmedia[1].txt (ID = 3236)
6:32 PM: Found Spy Cookie: realmedia cookie
6:32 PM: c:\documents and settings\user\cookies\user@msnportal.112.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@msnclassifieds.112.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@mediaplex[1].txt (ID = 6442)
6:32 PM: Found Spy Cookie: mediaplex cookie
6:32 PM: c:\documents and settings\user\cookies\user@media.top-banners[1].txt (ID = 3548)
6:32 PM: Found Spy Cookie: top-banners cookie
6:32 PM: c:\documents and settings\user\cookies\user@media.fastclick[2].txt (ID = 2652)
6:32 PM: c:\documents and settings\user\cookies\user@maxis.112.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@m.webtrends[1].txt (ID = 3669)
6:32 PM: Found Spy Cookie: webtrends cookie
6:32 PM: c:\documents and settings\user\cookies\user@ic-live[1].txt (ID = 2821)
6:32 PM: Found Spy Cookie: ic-live cookie
6:32 PM: c:\documents and settings\user\cookies\user@hits.clickandtrack[2].txt (ID = 2397)
6:32 PM: Found Spy Cookie: clickandtrack cookie
6:32 PM: c:\documents and settings\user\cookies\user@heavycom.122.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@h.starware[1].txt (ID = 3442)
6:32 PM: Found Spy Cookie: starware.com cookie
6:32 PM: c:\documents and settings\user\cookies\user@go[1].txt (ID = 2728)
6:32 PM: c:\documents and settings\user\cookies\user@goldenpalace[1].txt (ID = 2734)
6:32 PM: c:\documents and settings\user\cookies\user@free.wegcash[2].txt (ID = 3682)
6:32 PM: Found Spy Cookie: wegcash cookie
6:32 PM: c:\documents and settings\user\cookies\user@free.888[1].txt (ID = 2020)
6:32 PM: Found Spy Cookie: 888 cookie
6:32 PM: c:\documents and settings\user\cookies\user@fastclick[1].txt (ID = 2651)
6:32 PM: Found Spy Cookie: fastclick cookie
6:32 PM: c:\documents and settings\user\cookies\user@exitexchange[1].txt (ID = 2633)
6:32 PM: c:\documents and settings\user\cookies\user@exercise.about[1].txt (ID = 2038)
6:32 PM: c:\documents and settings\user\cookies\user@espn.go[2].txt (ID = 2729)
6:32 PM: c:\documents and settings\user\cookies\user@dowjones.122.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@dist.belnk[2].txt (ID = 2293)
6:32 PM: c:\documents and settings\user\cookies\user@did-it[1].txt (ID = 2523)
6:32 PM: Found Spy Cookie: did-it cookie
6:32 PM: c:\documents and settings\user\cookies\user@dealtime[2].txt (ID = 2505)
6:32 PM: Found Spy Cookie: dealtime cookie
6:32 PM: c:\documents and settings\user\cookies\user@data4.perf.overture[2].txt (ID = 3106)
6:32 PM: c:\documents and settings\user\cookies\user@data2.perf.overture[1].txt (ID = 3106)
6:32 PM: Found Spy Cookie: overture cookie
6:32 PM: c:\documents and settings\user\cookies\user@count2.exitexchange[1].txt (ID = 2634)
6:32 PM: c:\documents and settings\user\cookies\user@count1.exitexchange[1].txt (ID = 2634)
6:32 PM: Found Spy Cookie: exitexchange cookie
6:32 PM: c:\documents and settings\user\cookies\user@cbs.112.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@casalemedia[2].txt (ID = 2354)
6:32 PM: Found Spy Cookie: casalemedia cookie
6:32 PM: c:\documents and settings\user\cookies\user@capitalone.122.2o7[1].txt (ID = 1958)
6:32 PM: c:\documents and settings\user\cookies\user@c.goclick[2].txt (ID = 2733)
6:32 PM: Found Spy Cookie: goclick cookie
6:32 PM: c:\documents and settings\user\cookies\user@burstnet[2].txt (ID = 2336)
6:32 PM: Found Spy Cookie: burstnet cookie
6:32 PM: c:\documents and settings\user\cookies\user@belnk[1].txt (ID = 2292)
6:32 PM: Found Spy Cookie: belnk cookie
6:32 PM: c:\documents and settings\user\cookies\user@banners.searchingbooth[1].txt (ID = 3322)
6:32 PM: Found Spy Cookie: searchingbooth cookie
6:32 PM: c:\documents and settings\user\cookies\user@banner.goldenpalace[2].txt (ID = 2735)
6:32 PM: Found Spy Cookie: goldenpalace cookie
6:32 PM: c:\documents and settings\user\cookies\user@atwola[1].txt (ID = 2255)
6:32 PM: Found Spy Cookie: atwola cookie
6:32 PM: c:\documents and settings\user\cookies\user@atdmt[2].txt (ID = 2253)
6:32 PM: Found Spy Cookie: atlas dmt cookie
6:32 PM: c:\documents and settings\user\cookies\user@ask[1].txt (ID = 2245)
6:32 PM: Found Spy Cookie: ask cookie
6:32 PM: c:\documents and settings\user\cookies\user@as-us.falkag[2].txt (ID = 2650)
6:32 PM: c:\documents and settings\user\cookies\user@as-eu.falkag[1].txt (ID = 2650)
6:32 PM: Found Spy Cookie: falkag cookie
6:32 PM: c:\documents and settings\user\cookies\user@anat.tacoda[2].txt (ID = 6445)
6:32 PM: c:\documents and settings\user\cookies\user@anad.tacoda[1].txt (ID = 6445)
6:32 PM: Found Spy Cookie: tacoda cookie
6:32 PM: c:\documents and settings\user\cookies\user@advertising[1].txt (ID = 2175)
6:32 PM: Found Spy Cookie: advertising cookie
6:32 PM: c:\documents and settings\user\cookies\user@adultfriendfinder[2].txt (ID = 2165)
6:32 PM: Found Spy Cookie: adultfriendfinder cookie
6:32 PM: c:\documents and settings\user\cookies\user@ads.pointroll[2].txt (ID = 3148)
6:32 PM: Found Spy Cookie: pointroll cookie
6:32 PM: c:\documents and settings\user\cookies\user@ads.addynamix[2].txt (ID = 2062)
6:32 PM: Found Spy Cookie: addynamix cookie
6:32 PM: c:\documents and settings\user\cookies\user@adrevolver[2].txt (ID = 2088)
6:32 PM: c:\documents and settings\user\cookies\user@adrevolver[1].txt (ID = 2088)
6:32 PM: Found Spy Cookie: adrevolver cookie
6:32 PM: c:\documents and settings\user\cookies\user@adprofile[1].txt (ID = 2084)
6:32 PM: Found Spy Cookie: adprofile cookie
6:32 PM: c:\documents and settings\user\cookies\user@adopt.specificclick[1].txt (ID = 3400)
6:32 PM: Found Spy Cookie: specificclick.com cookie
6:32 PM: c:\documents and settings\user\cookies\user@adlegend[1].txt (ID = 2074)
6:32 PM: Found Spy Cookie: adlegend cookie
6:32 PM: c:\documents and settings\user\cookies\user@adknowledge[2].txt (ID = 2072)
6:32 PM: Found Spy Cookie: adknowledge cookie
6:32 PM: c:\documents and settings\user\cookies\user@adecn[2].txt (ID = 2063)
6:32 PM: Found Spy Cookie: adecn cookie
6:32 PM: c:\documents and settings\user\cookies\user@ad.yieldmanager[1].txt (ID = 3751)
6:32 PM: Found Spy Cookie: yieldmanager cookie
6:32 PM: c:\documents and settings\user\cookies\user@about[2].txt (ID = 2037)
6:32 PM: Found Spy Cookie: about cookie
6:32 PM: c:\documents and settings\user\cookies\user@abc.go[1].txt (ID = 2729)
6:32 PM: Found Spy Cookie: go.com cookie
6:32 PM: c:\documents and settings\user\cookies\user@a.websponsors[2].txt (ID = 3665)
6:32 PM: Found Spy Cookie: websponsors cookie
6:32 PM: c:\documents and settings\user\cookies\user@2o7[1].txt (ID = 1957)
6:32 PM: Found Spy Cookie: 2o7.net cookie
6:32 PM: Starting Cookie Sweep
6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
6:31 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:31 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
6:31 PM: Registry Sweep Complete, Elapsed Time:00:00:36
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\ipwins\ (ID = 1516546)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\cas2\ (ID = 862278)
6:31 PM: Found Adware: cas
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\sno2\ (ID = 782236)
6:31 PM: Found Adware: spywareno! components
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\system\sysuid\ (ID = 731748)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
6:31 PM: Found Adware: findthewebsiteyouneed hijack
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\urlsearchhooks\ || _{02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 165102)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\surfsidekick3\ (ID = 143412)
6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
6:31 PM: HKCR\protocols\filter\text/html\ || clsid (ID = 1561703)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kznbndryg\ (ID = 1561126)
6:31 PM: HKLM\software\classes\xsdu.ozbyq.1\ (ID = 1560783)
6:31 PM: HKLM\software\classes\xsdu.ozbyq\ (ID = 1560779)
6:31 PM: HKLM\software\classes\xsdu.bqok.1\ (ID = 1560775)
6:31 PM: HKLM\software\classes\xsdu.bqok\ (ID = 1560771)
6:31 PM: HKLM\software\classes\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560761)
6:31 PM: HKLM\software\classes\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560752)
6:31 PM: HKLM\software\classes\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560743)
6:31 PM: HKCR\xsdu.ozbyq.1\ (ID = 1560737)
6:31 PM: HKCR\xsdu.ozbyq\ (ID = 1560733)
6:31 PM: HKCR\xsdu.bqok.1\ (ID = 1560729)
6:31 PM: HKCR\xsdu.bqok\ (ID = 1560725)
6:31 PM: HKCR\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560715)
6:31 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560706)
6:31 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560697)
6:31 PM: HKLM\software\microsoft\windows\currentversion\run\ || ipwins (ID = 1557471)
6:31 PM: HKCR\mm06ocx.mm06ocxf\ (ID = 1556189)
6:31 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1554130)
6:31 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 1554129)
6:31 PM: HKLM\software\classes\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530980)
6:31 PM: HKCR\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530936)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ipwins\ (ID = 1516581)
6:31 PM: HKLM\software\classes\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1502064)
6:31 PM: HKLM\software\classes\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1502038)
6:31 PM: HKCR\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1497938)
6:31 PM: HKCR\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1497876)
6:31 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1354274)
6:31 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 1354273)
6:31 PM: Found Adware: mrfindalot hijack
6:31 PM: HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323842)
6:31 PM: HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323818)
6:31 PM: HKLM\software\classes\mm06ocx.mm06ocxf\ (ID = 1323810)
6:31 PM: HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323794)
6:31 PM: HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323770)
6:31 PM: Found Adware: elitemediagroup-mediamotor
6:31 PM: HKLM\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}\ (ID = 1212690)
6:31 PM: HKLM\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212686)
6:31 PM: HKCR\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212684)
6:31 PM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212651)
6:31 PM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212644)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (ID = 1110756)
6:31 PM: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
6:31 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
6:31 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (ID = 1016064)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (ID = 1006191)
6:31 PM: HKLM\system\currentcontrolset\services\cmdservice\ (ID = 958670)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
6:31 PM: HKLM\software\system\sysold\ (ID = 926808)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (ID = 892523)
6:31 PM: HKLM\software\qstat\ || brr (ID = 877670)
6:31 PM: HKLM\software\qstat\ (ID = 769771)
6:31 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (ID = 712954)
6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (ID = 712951)
6:31 PM: HKLM\software\surfsidekick3\ (ID = 143413)
6:31 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
6:31 PM: Found Adware: surfsidekick
6:31 PM: Starting Registry Sweep
6:31 PM: Memory Sweep Complete, Elapsed Time: 00:02:16
6:31 PM: Detected running threat: C:\WINDOWS\lpjedth.exe (ID = 99)
6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || IpWins (ID = 0)
6:30 PM: Detected running threat: C:\Program Files\ipwins\ipwins.exe (ID = 315610)
6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || lpjedthA (ID = 0)
6:30 PM: Detected running threat: C:\WINDOWS\lpjedthA.exe (ID = 135)
6:30 PM: Found Adware: visfx
6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sys01252488409- (ID = 0)
6:30 PM: Detected running threat: C:\WINDOWS\sys01252488409-.exe (ID = 320461)
6:30 PM: Found Adware: enbrowser
6:30 PM: Detected running threat: C:\WINDOWS\dXNlcg\command.exe (ID = 144946)
6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
6:30 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\Software\Microsoft\Windows\CurrentVersion\Run || dbqrq (ID = 0)
6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || hekqps (ID = 0)
6:30 PM: Detected running threat: C:\WINDOWS\system32\hmgypu.exe (ID = 268995)
6:30 PM: Detected running threat: C:\WINDOWS\system32\dmonwv.dll (ID = 268799)
6:29 PM: Detected running threat: C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe (ID = 320789)
6:29 PM: Found Adware: maxifiles
6:29 PM: Detected running threat: C:\Program Files\Network Monitor\netmon.exe (ID = 231443)
6:29 PM: Detected running threat: C:\WINDOWS\system32\ntfyhdo.dll (ID = 268933)
6:29 PM: Found Adware: clkoptimizer
6:29 PM: Detected running threat: C:\WINDOWS\dXNlcg\asappsrv.dll (ID = 144945)
6:29 PM: Found Adware: command
6:28 PM: Starting Memory Sweep
6:28 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\inprocserver32\ (ID = 1561601)
6:28 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\inprocserver32\ (ID = 1561600)
6:28 PM: Found Adware: forethought
6:28 PM: Sweep initiated using definitions version 730
6:28 PM: Spy Sweeper 5.0.5.1286 started
6:28 PM: | Start of Session, Monday, July 31, 2006 |
********
 
#10 ·
You may want to print this or save it to notepad as we will go to safe mode.

Add remove programs – remove Limewire – the likely source of infection

Fix these with HJT – mark them, close IE, click fix checked

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe

O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O18 - Filter: text/html - (no CLSID) - (no file)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
=====================

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Network Monitor

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

========================
Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\irehaad.exe
C:\WINDOWS\system32\cvn0.exe
C:\Program Files\LimeWire

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
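The checks the helper applied by hand to this log (orphaned "(no file)" / "(file missing)" hooks, a search page pointing at an unknown host, an extra executable appended to UserInit, a Run entry whose random name bears no relation to its executable) can be expressed as a small triage script. This is an added example, not code from the thread or from HijackThis; KNOWN_GOOD_HOSTS and the sample log are constructed from this thread's own lines.

```python
import re
from urllib.parse import urlparse

# Hosts this user legitimately had in R0/R1 entries; anything else in a search/start-page entry is treated as a hijack.
KNOWN_GOOD_HOSTS = {"www.toshiba.com", "us.rd.yahoo.com", "www.yahoo.com"}
# Constructed sample: the lines the helper told the user to fix, plus two benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

def triage_hjt(log_text):
    """Return [(section, reason, line)] for HijackThis lines that warrant a fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^([RFO]\d+) - (.*)$", line)
        if not m:
            continue
        sec, body = m.groups()
        if "(no file)" in body or "(file missing)" in body:
            # Registry hook survives but its file is gone or hidden: fix the entry in HJT, not on disk.
            findings.append((sec, "orphaned entry: backing file absent or hidden", line))
        elif sec in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in KNOWN_GOOD_HOSTS:
                findings.append((sec, f"search/start page points at {host}", line))
        elif sec == "F2" and "UserInit=" in body:
            # Only userinit.exe belongs here; anything appended is launched at every logon.
            exes = [e.strip().lower() for e in body.split("UserInit=", 1)[1].split(",")]
            extra = [e for e in exes if e and e != "userinit.exe"]
            if extra:
                findings.append((sec, "extra logon hook(s): " + ", ".join(extra), line))
        elif sec == "O4":
            n = re.search(r"\[([^\]]+)\]\s+(.*)$", body)
            p = n and re.match(r'"([^"]+)"|(\S+)', n.group(2))
            if p:
                stem = (p.group(1) or p.group(2)).split("\\")[-1].rsplit(".", 1)[0].lower()
                name = n.group(1)
                # Random-looking value name (digits, no relation to the executable's name).
                if re.search(r"\d", name) and name.lower() != stem:
                    findings.append((sec, f"Run entry '{name}' does not match {stem}", line))
    return findings
```

Calling triage_hjt(SAMPLE_LOG) returns the six entries from the helper's fix list and passes over the Toshiba start page and ctfmon lines.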
 
#11 ·
Thanks for all of your help so far. Everything seems to be working great without popups anymore. I think the SpySweeper did most of that for us. :]

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:15 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

The first step was completed successfully.
The entire second step was already done so I didn't do anything there.
Killbox couldn't delete "C:\WINDOWS\system32\irehaad.exe".
The temp folder was empty so it didn't delete anything.
 