Popups out of control

nicksrocks

Thread Starter
Joined
Jun 16, 2003
Messages
24
Just registered my child on neopets; five minutes later popups started freezing the screen. When we exit out of IE, popups still come up on the computer. Ran Adaware and Spybot; they got rid of several things, but popups are still coming up! Please help. Thank you in advance.

Logfile of HijackThis v1.97.6
Scan saved at 3:39:11 PM, on 7/8/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APPLICATION DATA\UTHM\FAST.EXE
C:\MY DOCUMENTS\ACST\VZDSHDNI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nicksfix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;hppav;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {E8E84A5A-07C4-D37A-E4A7-504F15EB6A5F} - C:\WINDOWS\Gekejlqc.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Uate] "C:\WINDOWS\Application Data\uthm\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Kntkrsk] C:\My Documents\Acst\vzdshdni.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
 

nicksrocks

Logfile of HijackThis v1.99.1
Scan saved at 4:20:07 PM, on 7/8/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APPLICATION DATA\UTHM\FAST.EXE
C:\MY DOCUMENTS\ACST\VZDSHDNI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nicksfix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;hppav;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {E8E84A5A-07C4-D37A-E4A7-504F15EB6A5F} - C:\WINDOWS\Gekejlqc.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Uate] "C:\WINDOWS\Application Data\uthm\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Kntkrsk] C:\My Documents\Acst\vzdshdni.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You have no anti-virus protection.
Get AVG (it's free): http://free.grisoft.com/doc/1
Install it and run a scan.
__________________________________________________________________________

* Click here to download Webroot SpySweeper.

(It's a 2 week trial.)

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
 

nicksrocks

I ran Panda; it found LoadImage, Downloader JKO, Reboot.F, Downloader ACE; ProcLog.A; Killapp.A, Killapp C. I believe it took care of those. Then I ran AVG, which found: counter.exe, couter.cab; mm32.exe, pi1.exe. Next I ran Spysweeper; it found: Downloader AFY. The computer still has popups, and the internet is running very slow. Upon restarting my computer I receive a message from Spysweeper notifying me that I have a program "uate", choose to remove? I remove it, then upon restart it's there again. Here's a new copy of HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:11:36 PM, on 7/9/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\MY DOCUMENTS\ACST\VZDSHDNI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\!UPDATE.EXE
C:\WINDOWS\APPLICATION DATA\UTHM\FAST.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nicksfix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;hppav;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {E8E84A5A-07C4-D37A-E4A7-504F15EB6A5F} - C:\WINDOWS\Gekejlqc.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Kntkrsk] C:\My Documents\Acst\vzdshdni.exe
O4 - HKCU\..\Run: [Uate] "C:\WINDOWS\Application Data\uthm\fast.exe" -vt ndrv
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
 

nicksrocks

Here's a copy of the Spy Sweeper session log: (I deleted my child's name off of cookies before I posted it)


Part One
11:00 AM: | Start of Session, Sunday, July 09, 2006 |
11:00 AM: Spy Sweeper started
11:00 AM: Sweep initiated using definitions version 714
11:00 AM: Starting Memory Sweep
11:12 AM: Found Adware: purityscan
11:12 AM: Detected running threat: C:\WINDOWS\Application Data\uthm\fast.exe (ID = 320101)
11:14 AM: Memory Sweep Complete, Elapsed Time: 00:13:38
11:14 AM: Starting Registry Sweep
11:16 AM: Found Adware: rapidblaster
11:16 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/activeinstaller.dll\ (2 subtraces) (ID = 139221)
11:16 AM: Found Adware: websearch toolbar
11:16 AM: HKCR\msielink.relatedlinksprotocol\ (3 subtraces) (ID = 146361)
11:16 AM: HKLM\software\classes\msielink.relatedlinksprotocol\ (3 subtraces) (ID = 146424)
11:17 AM: Found Adware: hotbar
11:17 AM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
11:17 AM: Found Trojan Horse: trojan-downloader-afy
11:17 AM: HKU\.DEFAULT\software\microsoft\windows\currentversion\shel\ || klop (ID = 1497546)
11:17 AM: Registry Sweep Complete, Elapsed Time:00:02:59
11:17 AM: Starting Cookie Sweep
11:17 AM: Found Spy Cookie: tvguide cookie
11:17 AM: @sdc.tvguide[1].txt (ID = 3600)
11:17 AM: @tvguide[1].txt (ID = 3599)
11:17 AM: @rsi.tvguide[1].txt (ID = 3600)
11:17 AM: Found Spy Cookie: nextag cookie
11:17 AM: @nextag[2].txt (ID = 5014)
11:17 AM: Found Spy Cookie: ask cookie
11:17 AM: @ask[1].txt (ID = 2245)
11:17 AM: Found Spy Cookie: atwola cookie
11:17 AM: @atwola[1].txt (ID = 2255)
11:17 AM: Found Spy Cookie: precisead cookie
11:17 AM: @adopt.precisead[2].txt (ID = 3182)
11:17 AM: Found Spy Cookie: belnk cookie
11:17 AM: @belnk[1].txt (ID = 2292)
11:17 AM: Found Spy Cookie: yieldmanager cookie
11:17 AM: @ad.yieldmanager[1].txt (ID = 3751)
11:17 AM: Found Spy Cookie: burstnet cookie
11:17 AM: @burstnet[1].txt (ID = 2336)
11:17 AM: Found Spy Cookie: adorigin cookie
11:17 AM: @adorigin[1].txt (ID = 2082)
11:17 AM: @dist.belnk[2].txt (ID = 2293)
11:17 AM: Found Spy Cookie: about cookie
11:17 AM: @about[2].txt (ID = 2037)
11:17 AM: Found Spy Cookie: rightmedia cookie
11:17 AM: @rightmedia[1].txt (ID = 3259)
11:17 AM: Found Spy Cookie: burstbeacon cookie
11:17 AM: @www.burstbeacon[1].txt (ID = 2335)
11:17 AM: @math.about[2].txt (ID = 2038)
11:17 AM: Found Spy Cookie: adknowledge cookie
11:17 AM: @adknowledge[2].txt (ID = 2072)
11:17 AM: @sdc.tvguide[2].txt (ID = 3600)
11:17 AM: @rsi.tvguide[2].txt (ID = 3600)
11:17 AM: Found Spy Cookie: go.com cookie
11:17 AM: @www.disney.go[1].txt (ID = 2729)
11:17 AM: @psc.disney.go[1].txt (ID = 2729)
11:17 AM: @go[2].txt (ID = 2728)
11:17 AM: @ask[2].txt (ID = 2245)
11:17 AM: @go[1].txt (ID = 2728)
11:17 AM: @tvguide[2].txt (ID = 3599)
11:17 AM: Found Spy Cookie: adecn cookie
11:17 AM: @adecn[1].txt (ID = 2063)
11:17 AM: Found Spy Cookie: yadro cookie
11:17 AM: @yadro[2].txt (ID = 3743)
11:17 AM: @dist.belnk[3].txt (ID = 2293)
11:17 AM: Found Spy Cookie: zedo cookie
11:17 AM: @zedo[1].txt (ID = 3762)
11:17 AM: Found Spy Cookie: 2o7.net cookie
11:17 AM: @entrepreneur.122.2o7[1].txt (ID = 1958)
11:17 AM: @adknowledge[3].txt (ID = 2072)
11:17 AM: @www.disney.go[2].txt (ID = 2729)
11:17 AM: @psc.disney.go[2].txt (ID = 2729)
11:17 AM: Found Spy Cookie: clickzs cookie
11:17 AM: @cz3.clickzs[2].txt (ID = 2413)
11:17 AM: @www.burstbeacon[2].txt (ID = 2335)
11:17 AM: @adecn[2].txt (ID = 2063)
11:17 AM: @ask[3].txt (ID = 2245)
11:17 AM: @partygaming.122.2o7[1].txt (ID = 1958)
11:17 AM: @ad.yieldmanager[2].txt (ID = 3751)
11:17 AM: Found Spy Cookie: tacoda cookie
11:17 AM: @tacoda[1].txt (ID = 6444)
11:17 AM: @coxhsi.112.2o7[1].txt (ID = 1958)
11:17 AM: Found Spy Cookie: specificclick.com cookie
11:17 AM: @adopt.specificclick[2].txt (ID = 3400)
11:17 AM: Found Spy Cookie: exitexchange cookie
11:17 AM: @exitexchange[1].txt (ID = 2633)
11:17 AM: Found Spy Cookie: videodome cookie
11:17 AM: @videodome[1].txt (ID = 3638)
11:17 AM: Found Spy Cookie: partypoker cookie
11:17 AM: @partypoker[2].txt (ID = 3111)
11:17 AM: @count.exitexchange[1].txt (ID = 2634)
11:17 AM: Found Spy Cookie: apmebf cookie
11:17 AM: @apmebf[1].txt (ID = 2229)
11:17 AM: @count1.exitexchange[1].txt (ID = 2634)
11:17 AM: Found Spy Cookie: falkag cookie
11:17 AM: @as-us.falkag[1].txt (ID = 2650)
11:17 AM: @count2.exitexchange[1].txt (ID = 2634)
11:17 AM: Found Spy Cookie: searchingbooth cookie
11:17 AM: @banners.searchingbooth[1].txt (ID = 3322)
11:17 AM: Found Spy Cookie: directtrack cookie
11:17 AM: @directtrack[1].txt (ID = 2527)
11:17 AM: @rapidresponse.directtrack[2].txt (ID = 2528)
11:17 AM: @ad.yieldmanager[4].txt (ID = 3751)
11:17 AM: Found Spy Cookie: statcounter cookie
11:17 AM: @statcounter[1].txt (ID = 3447)
11:17 AM: Cookie Sweep Complete, Elapsed Time: 00:00:08
11:17 AM: Starting File Sweep
11:21 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
11:21 AM: Found Adware: ezsearchbar
11:21 AM: addr_var.ini (ID = 60329)
11:21 AM: birth_var.ini (ID = 60332)
11:21 AM: city_var.ini (ID = 60333)
11:21 AM: name_var.ini (ID = 60352)
11:21 AM: states.ini (ID = 60360)
11:21 AM: name_gender.ini (ID = 60351)
11:21 AM: zip_var.ini (ID = 60362)
11:21 AM: phone_var.ini (ID = 60353)
11:26 AM: !update.exe (ID = 320101)
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc7c0c146-3cf9-4ab3-888b-9544194fdd6a.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs4ba4a95d-6c36-4457-9241-fe28f58d5246.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsf3afd1e9-5e4c-47b2-adb6-4881818ffa64.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsa568c35f-3dc5-4871-9d53-0b877a38a551.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs72347fd4-32d9-4f8e-8120-b49cf61fdc34.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc76ab1fd-eba1-45be-938a-ce01e2c82efb.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsb88bb69f-15c4-44a4-939f-06c151321325.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs33e70168-3252-4901-af73-b0ae3f49bf77.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs7a960bef-1411-4948-a91e-d17d275646d0.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs986a502a-9dca-42fb-83e8-853b1576b85c.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsb95fbd7d-ba05-4d51-ab17-9edd652569c2.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs1d3ccf16-682f-4317-b541-c2b4e49d3f6c.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs0a78ef86-ecaf-41d2-898a-2f86b29e4a66.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs60f01359-8638-46c7-b77a-545a4045b506.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs9ebfb275-ebc4-4251-87f2-906efc11ce64.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs166aa49a-3509-46ff-b444-63b7be4b8c7f.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsab35114d-3e7d-42d3-a6e6-60493d351e92.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs0f8ee641-417a-4388-bc14-125c0a1fb8b7.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs32cb5ed7-97bf-44b0-a3c1-227f59eb6399.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsa0ce0dc7-72f3-4be0-aedf-443a7ed2d89b.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs351a04b0-9195-4e6d-988e-5794d7c07118.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsf6ce6fdb-e868-43ff-9005-0093630922f4.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs18d81e2d-17cc-44c0-964d-0fc6a412a6ed.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsa13f28d9-2d7c-43ce-acf6-784a82f55a43.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsae84c0cd-440f-4240-a65d-ea206ecce188.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs3d786d64-06fd-49f6-a7e6-7082f2bf4a5d.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs69bf8ca6-4169-4281-ad06-193cb93327f1.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs36fdecc8-22e0-45a3-9187-3caae379c55a.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs2891995f-8af0-4ab7-807f-3c3f0f8bc09e.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsbbe6962d-d28e-4e97-91f4-a87a786f5021.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs1e358b62-2a0d-4c22-a348-20814a22e8b2.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsee6f8ad3-2d33-4a2b-b997-cf8d16a0c091.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscscbf6a0db-8cba-4662-910d-beca54763d25.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsce3156b3-88d8-4e9c-ac59-3a2907d53838.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs096909c1-d29b-4a11-be8e-e6f4f3201ec2.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs231635e5-f196-4237-a183-9d6b32f4a23e.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs22322c9b-36a7-4b9f-9713-db681cdfc779.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs711841b5-f668-45d6-b784-7c2be354f49b.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs0584e26a-510b-46a6-8e5a-6d89da94e188.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs223fc161-a96a-4245-91e7-72438deb2105.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs2fd67ae7-fb0e-4352-9338-90de05fac0be.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs83365731-8f16-47b3-9daf-f0cdcd569789.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsd9e9abdf-930e-44df-becd-1e55a4ab3cfe.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsb6b2d2e8-d36f-4478-9e50-f30841146f71.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs75eca7fc-ff55-48d9-bfcf-52ae3e591689.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs68130ce7-0a3b-4ea0-a0b0-b1839bb91f1a.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs6992130a-4628-4187-8f72-43b5d892b035.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs9b0c3d9a-59f7-4d90-bbc4-0bab6884e5aa.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs4e60c6d5-f08a-48dc-b2b4-19d5d77223e2.tmp". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs1b3cb653-9534-4edb-8149-a63afaa2be55.tmp". The process cannot access the file because it is being used by another process
12:32 PM: sentry.inf (ID = 60358)
12:35 PM: fast.exe (ID = 320101)
1:09 PM: Warning: Unhandled Archive Type
1:09 PM: Warning: Unhandled Archive Type
1:10 PM: Warning: Invalid Stream
1:10 PM: File Sweep Complete, Elapsed Time: 01:52:48
1:10 PM: Full Sweep has completed. Elapsed time 02:09:48
1:10 PM: Traces Found: 80

nicksrocks

Thread Starter
Joined
Jun 16, 2003
Messages
24
Part Two:

1:20 PM: Removal process initiated
1:20 PM: Quarantining All Traces: purityscan
1:20 PM: Quarantining All Traces: websearch toolbar
1:20 PM: Quarantining All Traces: hotbar
1:20 PM: Quarantining All Traces: trojan-downloader-afy
1:20 PM: Quarantining All Traces: ezsearchbar
1:20 PM: Quarantining All Traces: rapidblaster
1:20 PM: Quarantining All Traces: 2o7.net cookie
1:20 PM: Quarantining All Traces: about cookie
1:20 PM: Quarantining All Traces: adecn cookie
1:20 PM: Quarantining All Traces: adknowledge cookie
1:20 PM: Quarantining All Traces: adorigin cookie
1:20 PM: Quarantining All Traces: apmebf cookie
1:20 PM: Quarantining All Traces: ask cookie
1:20 PM: Quarantining All Traces: atwola cookie
1:20 PM: Quarantining All Traces: belnk cookie
1:21 PM: Quarantining All Traces: burstbeacon cookie
1:21 PM: Quarantining All Traces: burstnet cookie
1:21 PM: Quarantining All Traces: clickzs cookie
1:21 PM: Quarantining All Traces: directtrack cookie
1:21 PM: Quarantining All Traces: exitexchange cookie
1:21 PM: Quarantining All Traces: falkag cookie
1:21 PM: Quarantining All Traces: go.com cookie
1:21 PM: Quarantining All Traces: nextag cookie
1:21 PM: Quarantining All Traces: partypoker cookie
1:21 PM: Quarantining All Traces: precisead cookie
1:21 PM: Quarantining All Traces: rightmedia cookie
1:21 PM: Quarantining All Traces: searchingbooth cookie
1:21 PM: Quarantining All Traces: specificclick.com cookie
1:21 PM: Quarantining All Traces: statcounter cookie
1:21 PM: Quarantining All Traces: tacoda cookie
1:21 PM: Quarantining All Traces: tvguide cookie
1:21 PM: Quarantining All Traces: videodome cookie
1:21 PM: Quarantining All Traces: yadro cookie
1:21 PM: Quarantining All Traces: yieldmanager cookie
1:21 PM: Quarantining All Traces: zedo cookie
1:22 PM: Removal process completed. Elapsed time 00:01:52
1:25 PM: Deletion from quarantine initiated
1:25 PM: Processing: 2o7.net cookie
1:25 PM: Processing: about cookie
1:25 PM: Processing: adecn cookie
1:25 PM: Processing: adknowledge cookie
1:25 PM: Processing: adorigin cookie
1:25 PM: Processing: apmebf cookie
1:25 PM: Processing: ask cookie
1:25 PM: Processing: atwola cookie
1:25 PM: Processing: belnk cookie
1:25 PM: Processing: burstbeacon cookie
1:25 PM: Processing: burstnet cookie
1:25 PM: Processing: clickzs cookie
1:25 PM: Processing: directtrack cookie
1:25 PM: Processing: exitexchange cookie
1:25 PM: Processing: ezsearchbar
1:25 PM: Processing: falkag cookie
1:25 PM: Processing: go.com cookie
1:25 PM: Processing: hotbar
1:25 PM: Processing: nextag cookie
1:25 PM: Processing: partypoker cookie
1:25 PM: Processing: precisead cookie
1:25 PM: Processing: purityscan
1:25 PM: Processing: rapidblaster
1:25 PM: Processing: rightmedia cookie
1:25 PM: Processing: searchingbooth cookie
1:25 PM: Processing: specificclick.com cookie
1:25 PM: Processing: statcounter cookie
1:25 PM: Processing: tacoda cookie
1:25 PM: Processing: trojan-downloader-afy
1:25 PM: Processing: tvguide cookie
1:25 PM: Processing: videodome cookie
1:25 PM: Processing: websearch toolbar
1:25 PM: Processing: yadro cookie
1:25 PM: Processing: yieldmanager cookie
1:25 PM: Processing: zedo cookie
1:25 PM: Deletion from quarantine completed. Elapsed time 00:00:15
********
9:42 AM: | Start of Session, Sunday, July 09, 2006 |
9:42 AM: Spy Sweeper started
9:42 AM: Sweep initiated using definitions version 714
9:42 AM: Starting Memory Sweep
9:56 AM: Found Adware: purityscan
9:56 AM: Detected running threat: C:\WINDOWS\Application Data\uthm\fast.exe (ID = 320101)
9:57 AM: Memory Sweep Complete, Elapsed Time: 00:15:16
9:57 AM: Starting Registry Sweep
9:59 AM: Found Adware: rapidblaster
9:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/activeinstaller.dll\ (2 subtraces) (ID = 139221)
9:59 AM: Found Adware: websearch toolbar
9:59 AM: HKCR\msielink.relatedlinksprotocol\ (3 subtraces) (ID = 146361)
9:59 AM: HKLM\software\classes\msielink.relatedlinksprotocol\ (3 subtraces) (ID = 146424)
10:00 AM: Found Adware: hotbar
10:00 AM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
10:00 AM: Found Trojan Horse: trojan-downloader-afy
10:00 AM: HKU\.DEFAULT\software\microsoft\windows\currentversion\shel\ || klop (ID = 1497546)
10:00 AM: Registry Sweep Complete, Elapsed Time:00:02:51
10:00 AM: Starting Cookie Sweep
10:00 AM: Found Spy Cookie: tvguide cookie
10:00 AM: @sdc.tvguide[1].txt (ID = 3600)
10:00 AM: @tvguide[1].txt (ID = 3599)
10:00 AM: @rsi.tvguide[1].txt (ID = 3600)
10:00 AM: Found Spy Cookie: nextag cookie
10:00 AM: @nextag[2].txt (ID = 5014)
10:00 AM: Found Spy Cookie: ask cookie
10:00 AM: @ask[1].txt (ID = 2245)
10:00 AM: Found Spy Cookie: atwola cookie
10:00 AM: @atwola[1].txt (ID = 2255)
10:00 AM: Found Spy Cookie: precisead cookie
10:00 AM: @adopt.precisead[2].txt (ID = 3182)
10:00 AM: Found Spy Cookie: belnk cookie
10:00 AM: @belnk[1].txt (ID = 2292)
10:00 AM: Found Spy Cookie: yieldmanager cookie
10:00 AM: @ad.yieldmanager[1].txt (ID = 3751)
10:00 AM: Found Spy Cookie: burstnet cookie
10:00 AM: @burstnet[1].txt (ID = 2336)
10:00 AM: Found Spy Cookie: adorigin cookie
10:00 AM: @adorigin[1].txt (ID = 2082)
10:00 AM: @dist.belnk[2].txt (ID = 2293)
10:00 AM: Found Spy Cookie: about cookie
10:00 AM: @about[2].txt (ID = 2037)
10:00 AM: Found Spy Cookie: rightmedia cookie
10:00 AM: @rightmedia[1].txt (ID = 3259)
10:00 AM: Found Spy Cookie: burstbeacon cookie
10:00 AM: @www.burstbeacon[1].txt (ID = 2335)
10:00 AM: @math.about[2].txt (ID = 2038)
10:00 AM: Found Spy Cookie: adknowledge cookie
10:00 AM: @adknowledge[2].txt (ID = 2072)
10:00 AM: @sdc.tvguide[2].txt (ID = 3600)
10:00 AM: @rsi.tvguide[2].txt (ID = 3600)
10:00 AM: Found Spy Cookie: go.com cookie
10:00 AM: @www.disney.go[1].txt (ID = 2729)
10:00 AM: @psc.disney.go[1].txt (ID = 2729)
10:00 AM: @go[2].txt (ID = 2728)
10:00 AM: @ask[2].txt (ID = 2245)
10:00 AM: @go[1].txt (ID = 2728)
10:00 AM: @tvguide[2].txt (ID = 3599)
10:00 AM: Found Spy Cookie: adecn cookie
10:00 AM: @adecn[1].txt (ID = 2063)
10:00 AM: Found Spy Cookie: yadro cookie
10:00 AM: @yadro[2].txt (ID = 3743)
10:00 AM: @dist.belnk[3].txt (ID = 2293)
10:00 AM: Found Spy Cookie: zedo cookie
10:00 AM: @zedo[1].txt (ID = 3762)
10:00 AM: Found Spy Cookie: 2o7.net cookie
10:00 AM: @entrepreneur.122.2o7[1].txt (ID = 1958)
10:00 AM: @adknowledge[3].txt (ID = 2072)
10:00 AM: @www.disney.go[2].txt (ID = 2729)
10:00 AM: @psc.disney.go[2].txt (ID = 2729)
10:00 AM: Found Spy Cookie: clickzs cookie
10:00 AM: @cz3.clickzs[2].txt (ID = 2413)
10:00 AM: @www.burstbeacon[2].txt (ID = 2335)
10:00 AM: @adecn[2].txt (ID = 2063)
10:00 AM: @ad.yieldmanager[3].txt (ID = 3751)
10:00 AM: @ask[3].txt (ID = 2245)
10:00 AM: @partygaming.122.2o7[1].txt (ID = 1958)
10:00 AM: @ad.yieldmanager[2].txt (ID = 3751)
10:00 AM: Found Spy Cookie: tacoda cookie
10:00 AM: @tacoda[1].txt (ID = 6444)
10:00 AM: @coxhsi.112.2o7[1].txt (ID = 1958)
10:00 AM: Found Spy Cookie: specificclick.com cookie
10:00 AM: @adopt.specificclick[2].txt (ID = 3400)
10:00 AM: Found Spy Cookie: exitexchange cookie
10:00 AM: @exitexchange[1].txt (ID = 2633)
10:00 AM: Found Spy Cookie: videodome cookie
10:00 AM: @videodome[1].txt (ID = 3638)
10:00 AM: Found Spy Cookie: partypoker cookie
10:00 AM: @partypoker[2].txt (ID = 3111)
10:00 AM: @count.exitexchange[1].txt (ID = 2634)
10:00 AM: Found Spy Cookie: apmebf cookie
10:00 AM: @apmebf[1].txt (ID = 2229)
10:00 AM: @count1.exitexchange[1].txt (ID = 2634)
10:00 AM: Found Spy Cookie: falkag cookie
10:00 AM: @as-us.falkag[1].txt (ID = 2650)
10:00 AM: @count2.exitexchange[1].txt (ID = 2634)
10:00 AM: Found Spy Cookie: searchingbooth cookie
10:00 AM: @banners.searchingbooth[1].txt (ID = 3322)
10:00 AM: Found Spy Cookie: directtrack cookie
10:00 AM: @directtrack[1].txt (ID = 2527)
10:00 AM: @rapidresponse.directtrack[2].txt (ID = 2528)
10:00 AM: Found Spy Cookie: statcounter cookie
10:00 AM: @statcounter[2].txt (ID = 3447)
10:00 AM: Cookie Sweep Complete, Elapsed Time: 00:00:12
10:00 AM: Starting File Sweep
10:04 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
10:04 AM: Found Adware: ezsearchbar
10:04 AM: addr_var.ini (ID = 60329)
10:04 AM: birth_var.ini (ID = 60332)
10:04 AM: city_var.ini (ID = 60333)
10:04 AM: name_var.ini (ID = 60352)
10:04 AM: states.ini (ID = 60360)
10:04 AM: name_gender.ini (ID = 60351)
10:04 AM: zip_var.ini (ID = 60362)
10:04 AM: phone_var.ini (ID = 60353)
10:09 AM: !update.exe (ID = 320101)
10:58 AM: Sweep Canceled
10:58 AM: File Sweep Complete, Elapsed Time: 00:58:07
10:58 AM: Traces Found: 78
11:00 AM: | End of Session, Sunday, July 09, 2006 |
********
9:40 AM: | Start of Session, Sunday, July 09, 2006 |
9:40 AM: Spy Sweeper started
9:42 AM: Your spyware definitions have been updated.
9:42 AM: | End of Session, Sunday, July 09, 2006
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: Search - {E8E84A5A-07C4-D37A-E4A7-504F15EB6A5F} - C:\WINDOWS\Gekejlqc.dll (file missing)

O4 - HKCU\..\Run: [Kntkrsk] C:\My Documents\Acst\vzdshdni.exe

O4 - HKCU\..\Run: [Uate] "C:\WINDOWS\Application Data\uthm\fast.exe" -vt ndrv


Close Hijack This

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\My Documents\Acst\
    C:\WINDOWS\Application Data\uthm\


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a new Hijack This log
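
The selection made in the reply above can be reproduced mechanically. The following is an added example, not part of the original post and not HijackThis's own logic: it parses HijackThis log lines and flags entries that reference a missing file, plus O4 autoruns whose executable sits in a user-data folder. The two heuristics, the directory list and all function names are assumptions made for illustration; the sample lines are copied from the logs in this thread.

```python
import ntpath  # Windows path rules, usable on any OS
import re
from dataclasses import dataclass

# "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [Uate] ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autorun body: "<hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Unquoted command: path up to the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

# Assumption: markers HijackThis appends when the referenced file is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumption: folders where an autostart program is unusual enough to review.
USER_DATA_DIRS = ("\\my documents\\", "\\application data\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code (R3, O3, O4, ...)
    reason: str  # "orphaned" or "autorun-in-user-data"
    target: str  # entry body, or the folder holding the executable


def executable_of(command: str) -> str:
    """Return the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def triage(log_text: str) -> list:
    """Flag entries for manual review; nothing is modified or deleted."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, process list or blank line
        code, body = entry["code"], entry["body"]
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(code, "orphaned", body))
            continue
        autorun = O4_RE.match(body) if code == "O4" else None
        if autorun:
            exe = executable_of(autorun["cmd"])
            if any(d in exe.lower() for d in USER_DATA_DIRS):
                folder = ntpath.dirname(exe) + "\\"
                findings.append(Finding(code, "autorun-in-user-data", folder))
    return findings


def review_folders(findings: list) -> list:
    """Folders that hold flagged autorun executables, de-duplicated."""
    return sorted({f.target for f in findings
                   if f.reason == "autorun-in-user-data"})


# Sample input: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Search - {E8E84A5A-07C4-D37A-E4A7-504F15EB6A5F} - C:\WINDOWS\Gekejlqc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Kntkrsk] C:\My Documents\Acst\vzdshdni.exe
O4 - HKCU\..\Run: [Uate] "C:\WINDOWS\Application Data\uthm\fast.exe" -vt ndrv
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code:<3} {finding.reason:<21} {finding.target}")
    print("Folders to review:", review_folders(triage(SAMPLE_LOG)))
```

A flag from this script is a prompt for a human to look at the entry, not a verdict; legitimate software can also start from a user-data folder.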
 

nicksrocks

Thread Starter
Joined
Jun 16, 2003
Messages
24
I ran HJT and fixed four entries; I ran Killbox and deleted both files. I did not get the message (OK to any PendingFileRenameOperations prompt). Upon reboot, Spy Sweeper still says I have Uate. I have also rebooted several times. Here is a new copy of HJT:


Logfile of HijackThis v1.99.1
Scan saved at 11:49:36 AM, on 7/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nicksfix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;hppav;<local>
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
 

nicksrocks

Thread Starter
Joined
Jun 16, 2003
Messages
24
C:/windows/Application Data\uthm

I went there, looked in the folder and it was empty. I deleted it and have restarted my computer about 10 times. Spy Sweeper has not identified it again.
 

nicksrocks

Thread Starter
Joined
Jun 16, 2003
Messages
24
The pop-ups are now gone. I ran an AVG scan and found Dropper.Agent.2AM. AVG identified this as a trojan, but did not remove it.
 