
PopUps & "AntiSpy Programs"

Discussion in 'Windows XP' started by phool, Jul 31, 2006.

  1. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:37 PM, on 7/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\dXNlcg\command.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Network Monitor\netmon.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cvn0.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\n9nyb.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
    F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [sys01252488409-] C:\WINDOWS\sys01252488409-.exe
    O4 - HKLM\..\Run: [lpjedthA] C:\WINDOWS\lpjedthA.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\o2pq0c75ef.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lpjedth.exe

    Here's my HIJACK log.
    I'm almost 100% sure that something is definitely wrong.
    I tried going to msconfig and unchecking them to make them not start, but they just unchecked themselves.
    Thanks to whoever picks up this thread. :)
     
  2. Jimmy the Hand

    Jimmy the Hand

    Joined:
    Jul 28, 2006
    Messages:
    1,223
    At first look I should say cease using IE, and switch to something more secure, like Firefox.
    But what is your problem exactly?
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
    · Close all windows before continuing.
    · Double-click Look2Me-Destroyer.exe to run it.
    · Click the Scan for L2M button. Your desktop icons will disappear; this is normal.
    · Once it's done scanning, click the Remove L2M button.
    · You will receive a Done Scanning message, click OK.
    · When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    · Your computer will then shutdown.
    · Turn your computer back on.
    · Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    ============================
    download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
    ==================

    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
        o Sweep Memory
        o Sweep Registry
        o Sweep Cookies
        o Sweep All User Accounts
        o Enable Direct Disk Sweeping
        o Sweep Contents of Compressed Files
        o Sweep for Rootkits
        o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  4. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    There are a lot of popups and ones that also say to download these "Anti-spy" and "Antivirus" programs. I've fallen for them before, and it hurt my comp, so I know for sure it shouldn't happen. I will follow the steps in your post and post my log. Thanks. :)
     
  5. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    I did the first part of your post..but it never seems to restart when I reboot. Here is the log anyway and HiJack.


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 7/31/2006 5:40:03 PM


    Attempting to delete infected files...

    Making registry repairs.


    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    ==================


    Logfile of HijackThis v1.99.1
    Scan saved at 6:11:39 PM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\dXNlcg\command.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\sys01252488409-.exe
    C:\WINDOWS\lpjedthA.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LimeWire\LimeWire.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\WINDOWS\lpjedth.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
    F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [sys01252488409-] C:\WINDOWS\sys01252488409-.exe
    O4 - HKLM\..\Run: [lpjedthA] C:\WINDOWS\lpjedthA.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lpjedth.exe
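
A triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread or of HijackThis: it pulls out the F2 Winlogon values with extra programs appended, the O15 Trusted Zone domains per hive, the O23 services with no identified owner, and whether the scanner itself ran from a Temp folder. The function names and the sample text (a few lines in the shape of the log above, constructed for the example) are assumptions, and everything it returns is a candidate for review, not a verdict.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xwwdp.exe
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")
F2_RE = re.compile(r"^REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.IGNORECASE)
O15_RE = re.compile(r"^Trusted Zone:\s*(\S+)(?:\s+\((HKLM)\))?$")
O23_RE = re.compile(r"^Service:\s*(.+?)\s+-\s+Unknown owner\s+-\s+(.+)$")

# The single program expected in each Winlogon value. Comparison is by file
# name only, so a look-alike explorer.exe in another directory is not caught.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse_entries(log):
    """Yield (code, body) for each 'R1 - ...' / 'O4 - ...' style entry line."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def basename(path):
    """Lower-cased file name of a Windows path, without surrounding quotes."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def scanner_in_temp(log):
    """True if HijackThis.exe appears in the log running from a Temp folder."""
    for line in log.splitlines():
        p = line.strip().lower()
        if p.endswith("hijackthis.exe") and "\\temp\\" in p:
            return True
    return False


def triage(log):
    f2_extra, trusted, services = {}, {}, []
    for code, body in parse_entries(log):
        if code == "F2":
            m = F2_RE.match(body)
            if m:
                default = WINLOGON_DEFAULTS[m.group(1).lower()]
                progs = [p.strip() for p in m.group(2).split(",") if p.strip()]
                extra = [p for p in progs if basename(p) != default]
                if extra:
                    f2_extra[m.group(1)] = extra
        elif code == "O15":
            m = O15_RE.match(body)
            if m:
                # Assumption: an entry with no "(HKLM)" suffix is the per-user (HKCU) copy.
                trusted.setdefault(m.group(1), set()).add(m.group(2) or "HKCU")
        elif code == "O23":
            m = O23_RE.match(body)
            if m:
                services.append((m.group(1), m.group(2).strip()))
    return {
        "f2_extra": f2_extra,
        "trusted_zone": {d: sorted(h) for d, h in sorted(trusted.items())},
        "unknown_owner_services": services,
        "scanner_in_temp": scanner_in_temp(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=>", value)
```

"Unknown owner" also appears on legitimate driver services in the log above, so that list is a starting point for checking file paths, not a removal list.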
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Do it all and then post the requested logs
    ===================


    1. Download this file :

    http://download.bleepingcomputer.com/sUBs/combofix.exe
    http://www.techsupportforum.com/sectools/combofix.exe

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall
    ==========================
    Sorry - HiJackThis is running from a temp directory and must be moved to run correctly

    Click here to download HJTsetup.exe:

    http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Scroll down to the download section

    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
    ==============================
    download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
    ==========================
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
        o Sweep Memory
        o Sweep Registry
        o Sweep Cookies
        o Sweep All User Accounts
        o Enable Direct Disk Sweeping
        o Sweep Contents of Compressed Files
        o Sweep for Rootkits
        o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  7. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    Okay here are the logs requested. I wasn't too sure what the DelDomains program did, but I did it anyway.


    Start Time= Mon 07/31/2006 21:39:56.68
    Running from: C:\Documents and Settings\user\Desktop

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-31 18:19:14 ( .D... ) "C:\Program Files\Webroot"
    2006-07-31 18:19:14 ( .D... ) "C:\Documents and Settings\user\Application Data\Webroot"
    2006-07-31 18:15:56 435 ( A.... ) "C:\WINDOWS\gimfh.dll"
    2006-07-31 16:09:24 ( .D... ) "C:\Program Files\Hidden Expedition Titanic"
    2006-07-31 16:08:24 ( .D... ) "C:\Documents and Settings\user\Application Data\funkitron"
    2006-07-31 16:06:44 ( .D... ) "C:\Program Files\Poker Superstars II"
    2006-07-31 00:49:42 ( .D... ) "C:\Program Files\InetGet2"
    2006-07-30 23:58:20 45056 ( A.... ) "C:\WINDOWS\system32\ghynf.exe"
    2006-07-30 23:52:32 ( .D... ) "C:\Program Files\SymNetDrv"
    2006-07-30 22:43:22 ( .D... ) "C:\Program Files\Common Files\zzzm"
    2006-07-30 22:42:04 36864 ( A.... ) "C:\WINDOWS\system32n9nyb.exe"
    2006-07-30 22:42:02 45056 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
    2006-07-30 22:42:02 0 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
    2006-07-30 22:41:54 36864 ( A.... ) "C:\WINDOWS\system32\n9nyb.exe"
    2006-07-30 22:41:52 28672 ( A.... ) "C:\WINDOWS\system32\bez6n4r21.exe"
    2006-07-30 22:41:44 ( .D... ) "C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}"
    2006-07-30 22:41:36 ( .D... ) "C:\Program Files\Cowabanga"
    2006-07-30 21:14:42 ( .D... ) "C:\Program Files\LimeWire"
    2006-07-27 00:00:30 ( .D... ) "C:\Documents and Settings\user\Application Data\Lavasoft"
    2006-07-27 00:00:24 ( .D... ) "C:\Program Files\Lavasoft"
    2006-07-26 15:49:24 159744 ( A.... ) "C:\WINDOWS\system32\cvn0.exe"
    2006-07-20 23:29:20 ( .D... ) "C:\Documents and Settings\user\Application Data\Apple Computer"
    2006-07-20 23:25:16 ( .D... ) "C:\Program Files\iTunes"
    2006-07-20 23:25:16 ( .D... ) "C:\Program Files\iPod"
    2006-07-07 16:54:10 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll"
    2006-07-07 16:53:54 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll"
    2006-07-07 16:53:52 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE"
    2006-07-07 16:53:50 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll"
    2006-06-18 01:06:18 ( .D... ) "C:\Program Files\Aveyond"
    2006-06-15 14:10:36 ( .D... ) "C:\Documents and Settings\user\Application Data\PedestrianEntertainment"
    2006-06-15 13:56:40 ( .D... ) "C:\Program Files\BFG"
    2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
    2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
    2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-31 18:19 8,704 C:\WINDOWS\system32\ssiefr.EXE
    2006-07-31 18:19 684,032 C:\WINDOWS\libeay32.dll
    2006-07-31 18:19 252,928 C:\WINDOWS\WRUninstall.dll
    2006-07-31 18:19 208,896 C:\WINDOWS\system32\WRLogonNtf.dll
    2006-07-31 18:19 20,992 C:\WINDOWS\system32\wrlzma.dll
    2006-07-31 18:19 155,648 C:\WINDOWS\ssleay32.dll
    2006-07-30 23:58 45,056 C:\WINDOWS\system32\ghynf.exe
    2006-07-30 23:53 53,248 C:\WINDOWS\UpdtNv28.exe
    2006-07-30 22:44 435 C:\WINDOWS\gimfh.dll
    2006-07-30 22:42 45,056 C:\WINDOWS\system32ghynf.exe
    2006-07-30 22:42 36,864 C:\WINDOWS\system32n9nyb.exe
    2006-07-30 22:42 0 C:\WINDOWS\system32bez6n4r21.exe
    2006-07-30 22:41 36,864 C:\WINDOWS\system32\n9nyb.exe
    2006-07-30 22:41 28,672 C:\WINDOWS\system32\bez6n4r21.exe
    2006-07-30 22:41 159,744 C:\WINDOWS\system32\cvn0.exe
    2006-07-30 21:16 49,250 C:\WINDOWS\system32\javaw.exe
    2006-07-30 21:16 49,248 C:\WINDOWS\system32\java.exe
    2006-07-30 21:16 127,078 C:\WINDOWS\system32\javaws.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PDUiP6600DMon"="\"C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ad8rIU3s"="C:\\WINDOWS\\system32\\cvn0.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
    "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{F0F35527-07D0-1033-0304-050405130001}"="\"C:\\Program Files\\Common Files\\{F0F35527-07D0-1033-0304-050405130001}\\Update.exe\" mc-110-12-0000103"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aurav.exe]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aurav.exe"
    "backup"="C:\\WINDOWS\\pss\\aurav.exeCommon Startup"
    "location"="Common Startup"
    "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aurav.exe"
    "item"="aurav"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
    "backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\WINDOWS\\system32\\RAMASST.exe "
    "item"="RAMASST"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="v1201"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\v1201.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cvn0"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\cvn0.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AGRSMMSG"
    "hkey"="HKLM"
    "command"="AGRSMMSG.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLLaunch"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Ati2mdxx"
    "hkey"="HKLM"
    "command"="Ati2mdxx.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="atiptaxx"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="BearShare"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbqrq]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hmgypu"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\hmgypu.exe reg_run"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dfndrfg_7"
    "hkey"="HKLM"
    "command"="C:\\\\dfndrfg_7.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tfswctrl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hekqps]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hmgypu"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\hmgypu.exe reg_run"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLSoftware"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\1146891318\\ee\\AOLSoftware.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="optimize"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="wfxqhv"
    "hkey"="HKLM"
    "command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kybrdfg_7"
    "hkey"="HKLM"
    "command"="C:\\\\kybrdfg_7.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lpjedthA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lpjedthA"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\lpjedthA.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Ltmoh"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CfgWiz"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NDSTray"
    "hkey"="HKLM"
    "command"="NDSTray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Osus]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="javaw"
    "hkey"="HKCU"
    "command"="\"C:\\PROGRA~1\\ASKS~1\\javaw.exe\" -vt yazr"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PadExe"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pinger"
    "hkey"="HKLM"
    "command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pop06ap2"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\pop06ap2.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SmoothView"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Ssk"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SynTPEnh"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SynTPLpr"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys01252488409-]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="sys01252488409-"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\sys01252488409-.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SYSC00"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\SYSC00.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="thotkey"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="toscdspd"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TPSMain"
    "hkey"="HKLM"
    "command"="TPSMain.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="whAgent"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="whSurvey"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winstall"
    "hkey"="HKCU"
    "command"="C:\\winstall.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzzm]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="zzzmm"
    "hkey"="HKCU"
    "command"="C:\\PROGRA~1\\COMMON~1\\zzzm\\zzzmm.exe"
    "inimapping"="0"

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    Wallpaper REG_SZ !"$%&$#!%&$#!$#%!&$#&%!$#%$"!DF!CXY!DWCER"!

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Mon 07/31/2006 21:40:28.34
    ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

    ====================

    Logfile of HijackThis v1.99.1
    Scan saved at 9:46:59 PM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  8. phool

    phool Thread Starter

    ========================

    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:36 PM: Shield States
    9:36 PM: Spyware Definitions: 730
    9:35 PM: Spy Sweeper 5.0.5.1286 started
    6:28 PM: | End of Session, Monday, July 31, 2006 |
    6:28 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
    6:28 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
    6:26 PM: Your spyware definitions have been updated.
    6:25 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    6:25 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:23 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    6:22 PM: Shield States
    6:22 PM: Spyware Definitions: 691
    6:22 PM: Spy Sweeper 5.0.5.1286 started
    6:22 PM: Spy Sweeper 5.0.5.1286 started
    6:22 PM: | Start of Session, Monday, July 31, 2006 |
    ********
    9:31 PM: Removal process completed. Elapsed time 00:10:21
    9:31 PM: Preparing to restart your computer. Please wait...
    9:31 PM: Warning: Quarantine process could not restart Explorer.
    9:31 PM: Warning: Timed out waiting for explorer.exe
    9:31 PM: Warning: Timed out waiting for explorer.exe
    9:31 PM: Warning: Timed out waiting for explorer.exe
    9:31 PM: Quarantining All Traces: zedo cookie
    9:31 PM: Quarantining All Traces: seeq cookie
    9:31 PM: Quarantining All Traces: zango cookie
    9:31 PM: Quarantining All Traces: myaffiliateprogram.com cookie
    9:31 PM: Quarantining All Traces: burstbeacon cookie
    9:31 PM: Quarantining All Traces: web-stat cookie
    9:31 PM: Quarantining All Traces: tribalfusion cookie
    9:31 PM: Quarantining All Traces: trafficmp cookie
    9:31 PM: Quarantining All Traces: targetnet cookie
    9:31 PM: Quarantining All Traces: webtrendslive cookie
    9:31 PM: Quarantining All Traces: reliablestats cookie
    9:31 PM: Quarantining All Traces: statcounter cookie
    9:31 PM: Quarantining All Traces: serving-sys cookie
    9:31 PM: Quarantining All Traces: revenue.net cookie
    9:31 PM: Quarantining All Traces: directtrack cookie
    9:31 PM: Quarantining All Traces: valuead cookie
    9:31 PM: Quarantining All Traces: questionmarket cookie
    9:31 PM: Quarantining All Traces: partypoker cookie
    9:31 PM: Quarantining All Traces: nextag cookie
    9:31 PM: Quarantining All Traces: realmedia cookie
    9:31 PM: Quarantining All Traces: mediaplex cookie
    9:31 PM: Quarantining All Traces: top-banners cookie
    9:31 PM: Quarantining All Traces: webtrends cookie
    9:31 PM: Quarantining All Traces: ic-live cookie
    9:31 PM: Quarantining All Traces: clickandtrack cookie
    9:31 PM: Quarantining All Traces: starware.com cookie
    9:31 PM: Quarantining All Traces: wegcash cookie
    9:31 PM: Quarantining All Traces: 888 cookie
    9:31 PM: Quarantining All Traces: fastclick cookie
    9:31 PM: Quarantining All Traces: did-it cookie
    9:31 PM: Quarantining All Traces: dealtime cookie
    9:31 PM: Quarantining All Traces: overture cookie
    9:31 PM: Quarantining All Traces: exitexchange cookie
    9:31 PM: Quarantining All Traces: casalemedia cookie
    9:31 PM: Quarantining All Traces: goclick cookie
    9:31 PM: Quarantining All Traces: burstnet cookie
    9:31 PM: Quarantining All Traces: belnk cookie
    9:31 PM: Quarantining All Traces: searchingbooth cookie
    9:31 PM: Quarantining All Traces: goldenpalace cookie
    9:31 PM: Quarantining All Traces: atwola cookie
    9:31 PM: Quarantining All Traces: atlas dmt cookie
    9:31 PM: Quarantining All Traces: ask cookie
    9:31 PM: Quarantining All Traces: falkag cookie
    9:31 PM: Quarantining All Traces: tacoda cookie
    9:31 PM: Quarantining All Traces: advertising cookie
    9:30 PM: Quarantining All Traces: adultfriendfinder cookie
    9:30 PM: Quarantining All Traces: pointroll cookie
    9:30 PM: Quarantining All Traces: addynamix cookie
    9:30 PM: Quarantining All Traces: adrevolver cookie
    9:30 PM: Quarantining All Traces: adprofile cookie
    9:30 PM: Quarantining All Traces: specificclick.com cookie
    9:30 PM: Quarantining All Traces: adlegend cookie
    9:30 PM: Quarantining All Traces: adknowledge cookie
    9:30 PM: Quarantining All Traces: adecn cookie
    9:30 PM: Quarantining All Traces: yieldmanager cookie
    9:30 PM: Quarantining All Traces: about cookie
    9:30 PM: Quarantining All Traces: go.com cookie
    9:30 PM: Quarantining All Traces: websponsors cookie
    9:30 PM: Quarantining All Traces: 2o7.net cookie
    9:30 PM: Quarantining All Traces: webhancer
    9:30 PM: Quarantining All Traces: effective-i toolbar
    9:30 PM: c:\program files\complus applications\kybevima.html is in use. It will be removed on reboot.
    9:30 PM: c:\program files\windows media player\hoxy.html is in use. It will be removed on reboot.
    9:30 PM: deskwizz is in use. It will be removed on reboot.
    9:30 PM: Quarantining All Traces: deskwizz
    9:30 PM: Quarantining All Traces: mediamotor - popuppers
    9:30 PM: Quarantining All Traces: pesttrap
    9:30 PM: Quarantining All Traces: spywareno! components
    9:30 PM: Quarantining All Traces: findthewebsiteyouneed hijack
    9:30 PM: Quarantining All Traces: mrfindalot hijack
    9:30 PM: C:\WINDOWS\dXNlcg\command.exe is in use. It will be removed on reboot.
    9:30 PM: C:\Program Files\Network Monitor\netmon.exe is in use. It will be removed on reboot.
    9:30 PM: C:\WINDOWS\dXNlcg\asappsrv.dll is in use. It will be removed on reboot.
    9:30 PM: C:\Program Files\Network Monitor\netmon.exe is in use. It will be removed on reboot.
    9:30 PM: C:\WINDOWS\dXNlcg\asappsrv.dll is in use. It will be removed on reboot.
    9:30 PM: C:\Program Files\Network Monitor is in use. It will be removed on reboot.
    9:30 PM: command is in use. It will be removed on reboot.
    9:30 PM: Quarantining All Traces: command
    9:30 PM: Quarantining All Traces: internetoptimizer
    9:30 PM: Quarantining All Traces: trojan-dropper-joiner
    9:30 PM: Quarantining All Traces: trojan-dh
    9:30 PM: Quarantining All Traces: dollarrevenue
    9:30 PM: Quarantining All Traces: targetsaver
    9:30 PM: Quarantining All Traces: zquest
    9:29 PM: Quarantining All Traces: winantivirus pro
    9:29 PM: Quarantining All Traces: cas
    9:29 PM: Quarantining All Traces: elitemediagroup-mediamotor
    9:29 PM: Quarantining All Traces: surfsidekick
    9:29 PM: Quarantining All Traces: enbrowser
    9:28 PM: Quarantining All Traces: maxifiles
    9:28 PM: Quarantining All Traces: forethought
    9:28 PM: Quarantining All Traces: spysheriff fakealert
    9:28 PM: Quarantining All Traces: look2me
    9:28 PM: C:\WINDOWS\lpjedth.exe is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\lpjedthA.exe is in use. It will be removed on reboot.
    9:28 PM: visfx is in use. It will be removed on reboot.
    9:28 PM: Warning: QF[866]: "C:\WINDOWS\lpjedthA.exe": File not found
    9:28 PM: Quarantining All Traces: visfx
    9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\system32\xwwdp.exe is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\system32\hmgypu.exe is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\system32\dmonwv.dll is in use. It will be removed on reboot.
    9:28 PM: C:\WINDOWS\system32\ntfyhdo.dll is in use. It will be removed on reboot.
    9:28 PM: c:\windows\system32\xwwdp.exe is in use. It will be removed on reboot.
    9:28 PM: c:\windows\system32\ntfyhdo.dll is in use. It will be removed on reboot.
    9:28 PM: c:\documents and settings\all users\start menu\programs\startup\aurav.exe is in use. It will be removed on reboot.
    9:28 PM: c:\windows\system32\hmgypu.exe is in use. It will be removed on reboot.
    9:28 PM: clkoptimizer is in use. It will be removed on reboot.
    9:25 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    9:25 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    9:25 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    9:25 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    9:22 PM: Quarantining All Traces: clkoptimizer
    9:21 PM: Removal process initiated
    9:17 PM: Traces Found: 268
    9:17 PM: Full Sweep has completed. Elapsed time 02:45:08
    9:17 PM: Traces Found: 268
    9:17 PM: Full Sweep has completed. Elapsed time 02:45:07
    9:17 PM: File Sweep Complete, Elapsed Time: 02:45:11
    8:37 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    8:37 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    8:37 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    8:37 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    8:18 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\KHIFOHMV\WinAntiVirusPro2006FreeInstall[1].cab (ID = 327827)
    8:17 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    8:17 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    8:17 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    8:17 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    8:13 PM: C:\WINDOWS\dXNlcg\xrh5w0.vbs (ID = 185675)
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][2].txt". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][2].txt". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\azov6l6l\queryxx[1].htm". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][2].txt". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\azov6l6l\campaign[1].htm". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][1].txt". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\ssfsetup4129_1880020065[1].exe:zone.identifier". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\1frf5dse\65569[1].967634357809868". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gdijkdmf\attest[1].htm". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\1k8715wh\tmp[2].htm". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\6r8xux6t\[email protected][1]". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][1].txt". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\wlaj4div\counter[1].gif". The operation completed successfully
    8:03 PM: Warning: Failed to open file "c:\documents and settings\user\cookies\[email protected][2].txt". The operation completed successfully
    7:57 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:57 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:57 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:57 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:53 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:53 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:51 PM: Warning: QF[866]: "C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\PORTAL\6277551B.EXE": File not found
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:51 PM: Warning: TBZipFileCompressor.Compress: Cannot compress a file or directory that does not exist (C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\PORTAL\620C6B91.EXE).
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
    7:51 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-ac2, version 1.0.0.0
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:51 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:48 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
    7:48 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
    7:45 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr7C1A (ID = 159)
    7:45 PM: C:\WINDOWS\optimize.exe (ID = 288489)
    7:45 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\optimize[1].exe (ID = 288489)
    7:45 PM: Found Adware: internetoptimizer
    7:45 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
    7:45 PM: The Spy Communication shield has blocked access to: WWW.YOURENHANCEMENT.COM
    7:44 PM: c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\webnexmk[1].exe (ID = 299757)
    7:44 PM: Found Trojan Horse: trojan-dropper-joiner
    7:44 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe": File not found
    7:44 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\ac3_0003[1].exe": File not found
    7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
    7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
    7:43 PM: Spy Installation Shield: found: Adware: visfx, version 1.0.0.0
    7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:43 PM: Spy Installation Shield: found: Trojan Horse: trojan-dropper-joiner, version 1.0.0.0
    7:42 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\626_101[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\626_101[1].exe": File not found
    7:42 PM: C:\WINDOWS\unwn.exe (ID = 268798)
    7:42 PM: c:\windows\system32\xwwdp.exe (ID = 268934)
    7:42 PM: c:\windows\system32\ntfyhdo.dll (ID = 268933)
    7:42 PM: c:\windows\system32\irehaad.exe (ID = 268932)
    7:42 PM: C:\WINDOWS\system32\nkucc.dat (ID = 268995)
    7:42 PM: c:\documents and settings\all users\start menu\programs\startup\aurav.exe (ID = 268995)
    7:42 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\Software\Microsoft\Windows\CurrentVersion\Run || dbqrq (ID = 0)
    7:42 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || hekqps (ID = 0)
    7:42 PM: c:\windows\system32\hmgypu.exe (ID = 268995)
    7:42 PM: C:\Program Files\Cas2Stub\cas2stub.exe (ID = 295817)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\vocabulary (ID = 78283)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\zzzmc.dll (ID = 195129)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzmd\class-barrel (ID = 78229)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzmp.exe (ID = 195132)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzma.exe (ID = 195128)
    7:42 PM: C:\WINDOWS\system32\dmonwv.dll (ID = 268799)
    7:42 PM: C:\Program Files\Common Files\zzzm\zzzml.exe (ID = 195130)
    7:42 PM: C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe (ID = 320789)
    7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\pop06ap2[1].exe (ID = 288578)
    7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\whCC-GIANT[1].exe (ID = 83829)
    7:42 PM: Found Adware: webhancer
    7:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\fym9bvo[1].exe (ID = 328135)
    7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:41 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:41 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:41 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:40 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\dist13[1].exe (ID = 295817)
    7:40 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\installerwnus[1].exe (ID = 271215)
    7:39 PM: C:\Documents and Settings\user\itgcjwtz.exe (ID = 304952)
    7:39 PM: Found Adware: spysheriff fakealert
    7:39 PM: C:\WINDOWS\uninstall_nmon.vbs (ID = 231442)
    7:39 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\Installer[1].exe (ID = 168558)
    7:39 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\SS1001[1].exe (ID = 215896)
    7:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UUQZYJYY\ucmoreiex[1].exe (ID = 59853)
    7:36 PM: Found Adware: effective-i toolbar
    7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\stub_113_4_0_4_0[1].exe (ID = 193995)
    7:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\MTE3NDI6ODoxNg[1].exe (ID = 185985)
    7:35 PM: C:\WINDOWS\unin101.exe (ID = 245111)
    7:35 PM: C:\WINDOWS\uni_eh.exe (ID = 245110)
    7:35 PM: C:\WINDOWS\pf78.exe (ID = 244430)
    7:35 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\numbsoft[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\uuqzyjyy\numbsoft[1].exe": File not found
    7:35 PM: C:\Program Files\ComPlus Applications\kybevima.html (ID = 323861)
    7:35 PM: C:\Program Files\Windows Media Player\hoxy.html (ID = 310472)
    7:35 PM: Found Adware: deskwizz
    7:35 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\wallpap[1].exe (ID = 309645)
    7:35 PM: Found Trojan Horse: trojan-dh
    7:35 PM: C:\Documents and Settings\user\Local Settings\Temp\cas2setup.exe (ID = 326584)
    7:35 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr2D50 (ID = 159)
    7:35 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\cas2setup[1].exe (ID = 326584)
    7:34 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    7:34 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:33 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:33 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:33 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:25 PM: The Spy Communication shield has blocked access to: SEARCHPORTAL.INFORMATION.COM
    7:25 PM: The Spy Communication shield has blocked access to: SEARCHPORTAL.INFORMATION.COM
     
  9. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:20 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:20 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:20 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:16 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:16 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    7:16 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:16 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:12 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:12 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:12 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:07 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\visfx500[1].exe (ID = 244295)
    7:06 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    7:06 PM: The Spy Communication shield has blocked access to: POP10.2Z0O.NET
    7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:03 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    7:03 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    7:03 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:56 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:56 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:55 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:55 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:55 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:53 PM: C:\Program Files\ipwins\Uninst.exe (ID = 315599)
    6:50 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || IpWins (ID = 0)
    6:50 PM: C:\Program Files\ipwins\ipwins.exe (ID = 315610)
    6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:47 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:47 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:47 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\loader[1].exe (ID = 328037)
    6:46 PM: C:\WINDOWS\amm06.ocx (ID = 292476)
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\amm06[1].ocx (ID = 292476)
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\drsmartload180a.exe (ID = 328081)
    6:46 PM: Found Adware: dollarrevenue
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\unstall[1].exe (ID = 304324)
    6:46 PM: C:\Program Files\Common Files\zzzm\zzzmm.exe (ID = 195131)
    6:46 PM: Found Adware: targetsaver
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.frBC3A (ID = 231443)
    6:46 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sys01252488409- (ID = 0)
    6:46 PM: C:\WINDOWS\sys01252488409-.exe (ID = 320461)
    6:46 PM: C:\WINDOWS\dXNlcg\command.exe (ID = 144946)
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\temp.fr716D (ID = 144945)
    6:46 PM: C:\Documents and Settings\user\Local Settings\Temp\i1E4.tmp (ID = 253411)
    6:43 PM: C:\WINDOWS\system32\atmtd.dll (ID = 166754)
    6:43 PM: C:\Documents and Settings\user\Local Settings\Temp\tp7543.exe (ID = 209705)
    6:43 PM: C:\Documents and Settings\user\Local Settings\Temp\Temporary Internet Files\Content.IE5\CHAF09QJ\rcverlib[1].exe (ID = 209705)
    6:42 PM: C:\WINDOWS\system32\atmtd.dll._ (ID = 166754)
    6:42 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\012B0DEF\Installer[1].exe (ID = 168558)
    6:42 PM: Found Adware: look2me
    6:41 PM: C:\WINDOWS\Temp\tp7543.exe (ID = 209705)
    6:41 PM: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WI1FGJCF\rcverlib[1].exe (ID = 209705)
    6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:39 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:39 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:39 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:36 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:36 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:36 PM: C:\WINDOWS\pss\aurav.exeCommon Startup (ID = 268995)
    6:36 PM: C:\Documents and Settings\user\Local Settings\Temp\cmdinst.exe (ID = 231664)
    6:36 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\installer[2].exe (ID = 231664)
    6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
    6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
    6:35 PM: Spy Installation Shield: found: Adware: zquest, version 1.0.0.0
    6:34 PM: Warning: Failed to read file "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\v1201[1].exe". "c:\documents and settings\user\local settings\temporary internet files\content.ie5\gt63wtmn\v1201[1].exe": File not found
    6:34 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GT63WTMN\RDFX4[1].exe (ID = 290920)
    6:34 PM: Found Adware: zquest
    6:34 PM: C:\WINDOWS\system32\iqqr.exe (ID = 327343)
    6:34 PM: C:\WINDOWS\unstall.exe (ID = 304324)
    6:34 PM: Found Adware: mediamotor - popuppers
    6:34 PM: C:\Program Files\Network Monitor\netmon.exe (ID = 231443)
    6:33 PM: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\KHIFOHMV\WinAntiVirusPro2006FreeInstall[1].cab (ID = 327824)
    6:33 PM: Found Adware: winantivirus pro
    6:32 PM: C:\WINDOWS\dXNlcg\asappsrv.dll (ID = 144945)
    6:32 PM: C:\Program Files\Cas2Stub (1 subtraces) (ID = 2147500974)
    6:32 PM: C:\Program Files\ipwins (8 subtraces) (ID = 2147524552)
    6:32 PM: C:\Program Files\PestTrap (2 subtraces) (ID = 2147507944)
    6:32 PM: Found Adware: pesttrap
    6:32 PM: C:\Program Files\Network Monitor (1 subtraces) (ID = 2147507525)
    6:32 PM: Starting File Sweep
    6:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3762)
    6:32 PM: Found Spy Cookie: zedo cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3332)
    6:32 PM: Found Spy Cookie: seeq cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3761)
    6:32 PM: Found Spy Cookie: zango cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3032)
    6:32 PM: Found Spy Cookie: myaffiliateprogram.com cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2337)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2335)
    6:32 PM: Found Spy Cookie: burstbeacon cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3648)
    6:32 PM: Found Spy Cookie: web-stat cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3442)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3589)
    6:32 PM: Found Spy Cookie: tribalfusion cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3581)
    6:32 PM: Found Spy Cookie: trafficmp cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3489)
    6:32 PM: Found Spy Cookie: targetnet cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 6444)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3667)
    6:32 PM: Found Spy Cookie: webtrendslive cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3254)
    6:32 PM: Found Spy Cookie: reliablestats cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3447)
    6:32 PM: Found Spy Cookie: statcounter cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2506)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2729)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3343)
    6:32 PM: Found Spy Cookie: serving-sys cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2729)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2729)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3257)
    6:32 PM: Found Spy Cookie: revenue.net cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2528)
    6:32 PM: Found Spy Cookie: directtrack cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3627)
    6:32 PM: Found Spy Cookie: valuead cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3235)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3217)
    6:32 PM: Found Spy Cookie: questionmarket cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3111)
    6:32 PM: Found Spy Cookie: partypoker cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 5014)
    6:32 PM: Found Spy Cookie: nextag cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3236)
    6:32 PM: Found Spy Cookie: realmedia cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 6442)
    6:32 PM: Found Spy Cookie: mediaplex cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3548)
    6:32 PM: Found Spy Cookie: top-banners cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2652)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3669)
    6:32 PM: Found Spy Cookie: webtrends cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2821)
    6:32 PM: Found Spy Cookie: ic-live cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2397)
    6:32 PM: Found Spy Cookie: clickandtrack cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3442)
    6:32 PM: Found Spy Cookie: starware.com cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2728)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2734)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3682)
    6:32 PM: Found Spy Cookie: wegcash cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2020)
    6:32 PM: Found Spy Cookie: 888 cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2651)
    6:32 PM: Found Spy Cookie: fastclick cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2633)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2038)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2729)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2293)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2523)
    6:32 PM: Found Spy Cookie: did-it cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2505)
    6:32 PM: Found Spy Cookie: dealtime cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected]f.overture[2].txt (ID = 3106)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3106)
    6:32 PM: Found Spy Cookie: overture cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2634)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2634)
    6:32 PM: Found Spy Cookie: exitexchange cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2354)
    6:32 PM: Found Spy Cookie: casalemedia cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1958)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2733)
    6:32 PM: Found Spy Cookie: goclick cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2336)
    6:32 PM: Found Spy Cookie: burstnet cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2292)
    6:32 PM: Found Spy Cookie: belnk cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3322)
    6:32 PM: Found Spy Cookie: searchingbooth cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2735)
    6:32 PM: Found Spy Cookie: goldenpalace cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2255)
    6:32 PM: Found Spy Cookie: atwola cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2253)
    6:32 PM: Found Spy Cookie: atlas dmt cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2245)
    6:32 PM: Found Spy Cookie: ask cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2650)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2650)
    6:32 PM: Found Spy Cookie: falkag cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 6445)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 6445)
    6:32 PM: Found Spy Cookie: tacoda cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2175)
    6:32 PM: Found Spy Cookie: advertising cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2165)
    6:32 PM: Found Spy Cookie: adultfriendfinder cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3148)
    6:32 PM: Found Spy Cookie: pointroll cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2062)
    6:32 PM: Found Spy Cookie: addynamix cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2088)
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2088)
    6:32 PM: Found Spy Cookie: adrevolver cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2084)
    6:32 PM: Found Spy Cookie: adprofile cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3400)
    6:32 PM: Found Spy Cookie: specificclick.com cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2074)
    6:32 PM: Found Spy Cookie: adlegend cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2072)
    6:32 PM: Found Spy Cookie: adknowledge cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2063)
    6:32 PM: Found Spy Cookie: adecn cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 3751)
    6:32 PM: Found Spy Cookie: yieldmanager cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 2037)
    6:32 PM: Found Spy Cookie: about cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 2729)
    6:32 PM: Found Spy Cookie: go.com cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][2].txt (ID = 3665)
    6:32 PM: Found Spy Cookie: websponsors cookie
    6:32 PM: c:\documents and settings\user\cookies\[email protected][1].txt (ID = 1957)
    6:32 PM: Found Spy Cookie: 2o7.net cookie
    6:32 PM: Starting Cookie Sweep
    6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:31 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
    6:31 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:31 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
    6:31 PM: Registry Sweep Complete, Elapsed Time:00:00:36
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\ipwins\ (ID = 1516546)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\cas2\ (ID = 862278)
    6:31 PM: Found Adware: cas
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\sno2\ (ID = 782236)
    6:31 PM: Found Adware: spywareno! components
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\system\sysuid\ (ID = 731748)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    6:31 PM: Found Adware: findthewebsiteyouneed hijack
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\urlsearchhooks\ || _{02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 165102)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\surfsidekick3\ (ID = 143412)
    6:31 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
    6:31 PM: HKCR\protocols\filter\text/html\ || clsid (ID = 1561703)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kznbndryg\ (ID = 1561126)
    6:31 PM: HKLM\software\classes\xsdu.ozbyq.1\ (ID = 1560783)
    6:31 PM: HKLM\software\classes\xsdu.ozbyq\ (ID = 1560779)
    6:31 PM: HKLM\software\classes\xsdu.bqok.1\ (ID = 1560775)
    6:31 PM: HKLM\software\classes\xsdu.bqok\ (ID = 1560771)
    6:31 PM: HKLM\software\classes\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560761)
    6:31 PM: HKLM\software\classes\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560752)
    6:31 PM: HKLM\software\classes\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560743)
    6:31 PM: HKCR\xsdu.ozbyq.1\ (ID = 1560737)
    6:31 PM: HKCR\xsdu.ozbyq\ (ID = 1560733)
    6:31 PM: HKCR\xsdu.bqok.1\ (ID = 1560729)
    6:31 PM: HKCR\xsdu.bqok\ (ID = 1560725)
    6:31 PM: HKCR\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560715)
    6:31 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560706)
    6:31 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560697)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\run\ || ipwins (ID = 1557471)
    6:31 PM: HKCR\mm06ocx.mm06ocxf\ (ID = 1556189)
    6:31 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1554130)
    6:31 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 1554129)
    6:31 PM: HKLM\software\classes\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530980)
    6:31 PM: HKCR\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530936)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ipwins\ (ID = 1516581)
    6:31 PM: HKLM\software\classes\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1502064)
    6:31 PM: HKLM\software\classes\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1502038)
    6:31 PM: HKCR\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1497938)
    6:31 PM: HKCR\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1497876)
    6:31 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1354274)
    6:31 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 1354273)
    6:31 PM: Found Adware: mrfindalot hijack
    6:31 PM: HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323842)
    6:31 PM: HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323818)
    6:31 PM: HKLM\software\classes\mm06ocx.mm06ocxf\ (ID = 1323810)
    6:31 PM: HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323794)
    6:31 PM: HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323770)
    6:31 PM: Found Adware: elitemediagroup-mediamotor
    6:31 PM: HKLM\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}\ (ID = 1212690)
    6:31 PM: HKLM\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212686)
    6:31 PM: HKCR\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212684)
    6:31 PM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212651)
    6:31 PM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (ID = 1212644)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (ID = 1110756)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
    6:31 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
    6:31 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (ID = 1016064)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (ID = 1006191)
    6:31 PM: HKLM\system\currentcontrolset\services\cmdservice\ (ID = 958670)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
    6:31 PM: HKLM\software\system\sysold\ (ID = 926808)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (ID = 892523)
    6:31 PM: HKLM\software\qstat\ || brr (ID = 877670)
    6:31 PM: HKLM\software\qstat\ (ID = 769771)
    6:31 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (ID = 712954)
    6:31 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (ID = 712951)
    6:31 PM: HKLM\software\surfsidekick3\ (ID = 143413)
    6:31 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
    6:31 PM: Found Adware: surfsidekick
    6:31 PM: Starting Registry Sweep
    6:31 PM: Memory Sweep Complete, Elapsed Time: 00:02:16
    6:31 PM: Detected running threat: C:\WINDOWS\lpjedth.exe (ID = 99)
    6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || IpWins (ID = 0)
    6:30 PM: Detected running threat: C:\Program Files\ipwins\ipwins.exe (ID = 315610)
    6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || lpjedthA (ID = 0)
    6:30 PM: Detected running threat: C:\WINDOWS\lpjedthA.exe (ID = 135)
    6:30 PM: Found Adware: visfx
    6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sys01252488409- (ID = 0)
    6:30 PM: Detected running threat: C:\WINDOWS\sys01252488409-.exe (ID = 320461)
    6:30 PM: Found Adware: enbrowser
    6:30 PM: Detected running threat: C:\WINDOWS\dXNlcg\command.exe (ID = 144946)
    6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
    6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
    6:30 PM: Detected running threat: C:\WINDOWS\system32\xwwdp.exe (ID = 268934)
    6:30 PM: HKU\S-1-5-21-4142048632-4030779844-956350707-1006\Software\Microsoft\Windows\CurrentVersion\Run || dbqrq (ID = 0)
    6:30 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || hekqps (ID = 0)
    6:30 PM: Detected running threat: C:\WINDOWS\system32\hmgypu.exe (ID = 268995)
    6:30 PM: Detected running threat: C:\WINDOWS\system32\dmonwv.dll (ID = 268799)
    6:29 PM: Detected running threat: C:\Program Files\Common Files\{F0F35527-07D0-1033-0304-050405130001}\Update.exe (ID = 320789)
    6:29 PM: Found Adware: maxifiles
    6:29 PM: Detected running threat: C:\Program Files\Network Monitor\netmon.exe (ID = 231443)
    6:29 PM: Detected running threat: C:\WINDOWS\system32\ntfyhdo.dll (ID = 268933)
    6:29 PM: Found Adware: clkoptimizer
    6:29 PM: Detected running threat: C:\WINDOWS\dXNlcg\asappsrv.dll (ID = 144945)
    6:29 PM: Found Adware: command
    6:28 PM: Starting Memory Sweep
    6:28 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\inprocserver32\ (ID = 1561601)
    6:28 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\inprocserver32\ (ID = 1561600)
    6:28 PM: Found Adware: forethought
    6:28 PM: Sweep initiated using definitions version 730
    6:28 PM: Spy Sweeper 5.0.5.1286 started
    6:28 PM: | Start of Session, Monday, July 31, 2006 |
    ********
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Add remove programs – remove Limewire – the likely source of infection

    Fix these with HJT – mark them, close IE, click fix checked

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

    R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe

    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O18 - Filter: text/html - (no CLSID) - (no file)

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    =====================

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name

    Network Monitor

    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.


    ========================
    Download http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\system32\irehaad.exe
    C:\WINDOWS\system32\cvn0.exe
    C:\Program Files\LimeWire

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
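
A triage sketch for the kinds of HijackThis entries marked in the post above, added here as an example; it is not part of the thread or of HijackThis. The `EXPECTED_HOSTS` allowlist and the reason labels are assumptions, and the sample lines are copied from the logs and posts in this thread.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from this thread (fix list plus follow-up log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,irehaad.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
DANGLING_RE = re.compile(r"\((?:no file|file missing)\)")

# Assumption: hosts the analyst expects on this OEM machine (taken from the
# benign R1 lines of the follow-up log). Anything else in R0/R1 gets flagged.
EXPECTED_HOSTS = {"www.toshiba.com", "toshibadirect.com", "us.rd.yahoo.com"}


def userinit_extras(body):
    """Return executables chained onto UserInit besides userinit.exe."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    extras = []
    for item in m.group(1).split(","):
        name = item.strip().split("\\")[-1].lower()
        if name and name != "userinit.exe":
            extras.append(name)
    return extras


def triage_line(line):
    """Return (section_code, [reasons]) for one log entry, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if DANGLING_RE.search(body):
        # Registry reference whose target file is gone: a leftover to clean up.
        reasons.append("dangling-reference")
    if code == "F2":
        extras = userinit_extras(body)
        if extras:
            reasons.append("userinit-extra:" + ",".join(extras))
    if code in ("R0", "R1") and " = " in body:
        host = urlparse(body.split(" = ", 1)[1].strip()).hostname
        if host and host not in EXPECTED_HOSTS:
            reasons.append("unexpected-host:" + host)
    if code == "O23" and "- Unknown owner -" in body:
        # Weak signal on its own: legitimate driver services show it too.
        reasons.append("unknown-owner")
    return code, reasons


def triage(log_text):
    """Return (code, reasons, line) for every entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result and result[1]:
            flagged.append((result[0], result[1], line.strip()))
    return flagged


if __name__ == "__main__":
    for code, reasons, line in triage(SAMPLE_LOG):
        print(f"{code:<4}{', '.join(reasons):<45}{line}")
```

The `cvn0.exe` Run entry passes these string rules untouched, and the Atheros service trips `unknown-owner` despite being legitimate, so rules like these only shortlist entries for a person to review.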
     
  11. phool

    phool Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    50
    Thanks for all of your help so far. Everything seems to be working great without popups anymore. I think the SpySweeper did most of that for us. :]

    Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:55:15 PM, on 8/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


    The first step was completed successfully.
    The entire second step was already done so I didn't do anything there.
    Killbox couldn't delete "C:\WINDOWS\system32\irehaad.exe".
    The temp folder was empty so it didn't delete anything.
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Run Spysweeper again, so it can get mrfindalot
     
Short URL to this thread: https://techguy.org/488013
