
Solved: LOTS OF PROBLEMS WITH SPYWARE/MALWARE VIRUS! HELP HELP HELP! Lots of details!

Discussion in 'Virus & Other Malware Removal' started by KTchan, Jul 27, 2006.

  1. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12

    Hi, my name's Katie and I'm having major virus/spyware, adware, malware removal issues! I have a lot of different things going on here, and can't make any sense of it. I tried following other people's solved threads, but they didn't solve my issues, so I guess I need personalized help. I have Windows security running (well, I usually do when it's working properly), and I run Ad-Aware and Spybot regularly, but it appears that they cannot solve my issue. Anyway, here's a list of things that have been happening to my computer since the virus happened...

    1. I KNOW the virus was contracted in AIM. An IM came in from a friend with only a link. It didn't look suspicious to me, so I clicked it, and all of a sudden I had IMed everyone in my buddy list the link, and received about a million IMs back (didn't have time to read them before My Computer's virtual memory ran out and crashed AIM on me).

    2. When the computer starts up, sometimes a default background appears before the logon screen with the user accounts appears.

    3. After logon, the same thing in general happens every time. Spybot comes up with a bunch of messages saying that there is a registry change to my homepage or something else happening. I deny it, and it denies it over and over again to seemingly no avail. A .txt file appears on the desktop. I have never opened this file, don't know what it is, and delete it every time. My homepage is constantly being changed or almost changed. Then, an error message appears. The window is labeled "RUNDLL" and reads: "An exception occurred when trying to run C:\WINDOWS\system32\lhcmgr10.dll,DLLGetVersion." Also, something labeled "Project" tries to run every time I log on. Sometimes my theme changes and some icons or programs are invisible; usually restarting remedies this.

    4. Sometimes, I get favorites and icons added to my computer out of nowhere.

    5. These programs called "Command Service" and "Network Monitor" are listed in my programs and cannot be removed. They are shut down by Spybot when they try to run, at least that's what the Spybot pop-up message tells me.

    6. Once, while trying to browse the internet to solve this problem, my theme changed, then the computer shut down. No idea what happened.

    7. I semi-frequently lose my background. Annoying.

    8. Having LOTS of pop-ups. They are overloading my virtual memory. VERY ANNOYING. They are for the same websites every time; usually fake virus removal, personals ads, etc. I don't even have to open Internet Explorer myself for them to appear.

    9. Sometimes, my Ad-Aware files are "violated" and the definitions won't load and I can't use it until I reboot.

    10. Windows Security settings have been changed several times without any action on my part. Sometimes I cannot turn on the firewall. Right now, it says it is on. This is unpredictable.

    11. I have opted to disable system restore until the virus is gone for fear of the problem being restored.

    12. Finally, sometimes I get this error message in a window labeled "iedw.exe Application Error". It reads: "The application failed to initialize properly (0xc0000142) click OK to terminate"

    I HAVE NO CLUE WHAT TO DO! Somebody, anybody who knows how to help me, please tell me what I need to do. Thanks so much!
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Click here to download HJTsetup.exe:

    http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Scroll down to the download section

    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Here's the logfile...

    Logfile of HijackThis v1.99.1
    Scan saved at 6:36:11 PM, on 7/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\kybrdef_7.exe
    C:\WINDOWS\win32067060-59556.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\frou\froum.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ewbsy.exe
    F2 - REG:system.ini: UserInit=userinit.exe,osiwjvs.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [acvb] C:\WINDOWS\acvb.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fmvozsbA] C:\WINDOWS\fmvozsbA.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [win32067060-59556] C:\WINDOWS\win32067060-59556.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [frou] C:\PROGRA~1\COMMON~1\frou\froum.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.com/controls/ybrequest.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153755723291
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\enlsl1371.dll
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
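
As an added example (not part of this thread, HijackThis, or any tool the helper names), the script below applies to the F2, O4 and O20 lines of the log above the same triage a removal helper does by eye: Shell/UserInit values beyond the Windows defaults, any AppInit_DLLs entry, Winlogon Notify subkeys outside a baseline, and Run entries that launch from a drive root or straight from C:\WINDOWS. The sample lines are copied from the posted log; the Winlogon Notify baseline is an assumption taken from the subkeys ComboFix lists as remaining after cleanup later in the thread.

```python
"""Triage the autostart lines of a HijackThis log.

Example written for this thread; it is not HijackThis code and not the
forum's own tooling. It reads the F2, O4 and O20 lines the log format
exposes and flags the ones a malware-removal helper would look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ewbsy.exe
F2 - REG:system.ini: UserInit=userinit.exe,osiwjvs.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [acvb] C:\WINDOWS\acvb.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [win32067060-59556] C:\WINDOWS\win32067060-59556.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\enlsl1371.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: the Winlogon Notify subkeys ComboFix listed as remaining after
# cleanup in this thread are treated as the clean XP SP2 baseline.
WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon", "wzcnotif",
}

# The only values the two system.ini-style Winlogon entries carry on a clean system.
F2_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>[^ ]+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def _exe_path(cmd: str) -> str:
    """Pull the program path out of a Run value (quoted or not, with arguments)."""
    m = re.match(r'"?(.+?\.exe)"?', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def _directory(path: str) -> str:
    """Lower-cased directory part, with runs of backslashes collapsed to one."""
    norm = re.sub(r"\\+", lambda _: "\\", path).lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def triage(log_text: str) -> list:
    """Return a Finding for every autostart line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            # Anything appended after a comma is an extra program run at logon.
            extras = [p.strip() for p in m["value"].split(",") if p.strip()]
            unexpected = [p for p in extras if p.lower() != F2_DEFAULTS[m["key"].lower()]]
            if unexpected:
                findings.append(Finding(line, f"{m['key']} hijack: extra logon program {unexpected}"))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that uses user32; a clean
            # XP box leaves this value empty, so any entry is worth checking.
            findings.append(Finding(line, f"AppInit_DLLs injection: {m['value'].strip()}"))
        elif m := NOTIFY_RE.match(line):
            if m["subkey"].lower() not in WINLOGON_NOTIFY_BASELINE:
                findings.append(Finding(line, f"non-baseline Winlogon Notify subkey {m['subkey']!r}"))
        elif m := O4_RE.match(line):
            path = _exe_path(m["cmd"])
            d = _directory(path)
            if "\\\\" in path:
                findings.append(Finding(line, "doubled backslash in Run value (hand-written registry entry)"))
            elif re.fullmatch(r"[a-z]:", d) or d in ("c:\\windows", "%systemroot%"):
                findings.append(Finding(line, f"Run entry executes from {d}\\ rather than a program directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```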
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    When you post the next log, make sure that in notepad you go to FORMAT and check wordwrap.
    =========================
    Add remove programs - remove all occurrences of Viewpoint

    =============================

    You have no active AntiVirus!

    Get the free AVG 7 install it, check for updates and run a full scan

    AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/

    ============================

    1. Download this file :

    http://download.bleepingcomputer.com/sUBs/combofix.exe
    http://www.techsupportforum.com/sectools/combofix.exe

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.
    ===========================

    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
    · Install ewido.
    · Run the application
    · Click on scanner
    · Click Complete System Scan and the scan will begin.
    · When the scan is finished, Set all items to delete
    · Apply all actions
    · look at the bottom of the screen and click the Save report button.
    · Save the report to your C: Drive
    This will take some time to run!
    RE-Boot
    Post that log and a new HiJack log
     
  5. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Hey, I followed your directions, and things are running better! There were no Spybot warnings on my last boot, no homepage changes, and no pop-ups :)

    The only things that I noticed as unusual were the default background appearing before the logon screen and a font change to bold on the logon screen...plus the logon was a little slower than usual. Here are the logs you wanted. Anything else I should do?

    Here's the combofix log:

    Start Time= Thu 07/27/2006 21:57:47.71
    Running from: C:\Documents and Settings\Katie\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{433ED77C-4892-48F0-ADFC-32525E8C28B5}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{433ED77C-4892-48F0-ADFC-32525E8C28B5}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{433ED77C-4892-48F0-ADFC-32525E8C28B5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{433ED77C-4892-48F0-ADFC-32525E8C28B5}\InprocServer32]
    @="C:\\WINDOWS\\system32\\rxched20.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\SYSTEM32\fp8203loe.dll
    C:\WINDOWS\SYSTEM32\guard.tmp
    C:\WINDOWS\SYSTEM32\j24olch31f4.dll
    C:\WINDOWS\SYSTEM32\jt0207doe.dll
    C:\WINDOWS\SYSTEM32\rxched20.dll


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

    22:06:31.38

    Not all files found by this method are bad. There may be legitimate files found
    This log should be examined by a trained analyst


    * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




    * * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-05-03 02:56:58 127,078 "C:\WINDOWS\system32\javaws.exe"
    2006-06-03 09:12:08 302,646 "C:\WINDOWS\system32\m247es.exe"
    2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\system32\wfxqhv.exe"
    2006-07-23 13:47:04 45,056 "C:\WINDOWS\system32\ghynf.exe"
    2006-05-03 01:19:40 53,346 "C:\WINDOWS\system32\javaw.exe"
    2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
    2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
    2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
    2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
    2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
    2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
    2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
    2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
    2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
    2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
    2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
    2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
    2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
    2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
    2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
    2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
    2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
    2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
    2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
    2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
    2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
    2006-07-23 13:47:06 221,184 "C:\WINDOWS\system32\xeymi.dll"
    2006-07-27 18:46:30 400 "C:\WINDOWS\liqvp.dll"
    2006-07-26 00:06:36 53 "C:\WINDOWS\noeepc.dat"


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    07/26/2006 12:06 AM 53 noeepc.dat.vir


    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    * * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
    2006-05-03 02:56:58 127,078 "C:\WINDOWS\system32\javaws.exe"
    2006-06-03 09:12:08 302,646 "C:\WINDOWS\system32\m247es.exe"
    2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\system32\wfxqhv.exe"
    2006-07-23 13:47:04 45,056 "C:\WINDOWS\system32\ghynf.exe"
    2006-05-03 01:19:40 53,346 "C:\WINDOWS\system32\javaw.exe"
    2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
    2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
    2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
    2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
    2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
    2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
    2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
    2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
    2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
    2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
    2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
    2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
    2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
    2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
    2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
    2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
    2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
    2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
    2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
    2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
    2006-07-23 13:47:06 221,184 "C:\WINDOWS\system32\xeymi.dll"
    2006-07-27 18:46:30 400 "C:\WINDOWS\liqvp.dll"


    (((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\repairs303169590.dll
    C:\Documents and Settings\Katie\Application Data\Sskdmns.dll
    C:\Documents and Settings\Katie\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Katie\Application Data\Sskuknwrd.dll
    C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Ssk.log
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\Program Files\SurfSideKick 3\SskBho.dll
    C:\Program Files\SurfSideKick 3\SskCore.dll
    C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf
    C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-0423742D.pf
    C:\WINDOWS\system32\bk.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    22:28:26.47
    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\keyboard1.dat


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-27 19:03:46 ( .D... ) "C:\Documents and Settings\Katie\Application Data\AVG7"
    2006-07-27 19:02:24 ( .D... ) "C:\Program Files\Grisoft"
    2006-07-27 18:46:30 400 ( A.... ) "C:\WINDOWS\liqvp.dll"
    2006-07-27 18:35:40 ( .D... ) "C:\Program Files\Hijackthis"
    2006-07-26 00:11:06 61440 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
    2006-07-26 00:11:06 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
    2006-07-26 00:11:06 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
    2006-07-26 00:05:32 ( .D... ) "C:\Program Files\System Files"
    2006-07-26 00:03:50 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
    2006-07-25 00:34:42 ( .D... ) "C:\Program Files\Symantec"
    2006-07-23 13:48:02 ( .D... ) "C:\Program Files\Common Files\frou"
    2006-07-23 13:47:06 221184 ( A.... ) "C:\WINDOWS\system32\xeymi.dll"
    2006-07-23 13:47:06 45056 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
    2006-07-23 13:47:06 28672 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
    2006-07-23 13:47:06 28672 ( A.... ) "C:\WINDOWS\system32\iqqr.exe"
    2006-07-23 13:47:04 45056 ( A.... ) "C:\WINDOWS\system32\ghynf.exe"
    2006-07-23 13:47:04 28672 ( A.... ) "C:\WINDOWS\system32\bez6n4r21.exe"
    2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
    2006-07-20 16:31:36 1163264 ( A.... ) "C:\WINDOWS\system32\wfxqhv.exe"
    2006-07-20 16:30:00 159744 ( A.... ) "C:\WINDOWS\system32\cvn0.exe"
    2006-07-20 14:22:06 ( .D... ) "C:\Program Files\StepMania CVS"
    2006-07-10 16:19:06 ( .D... ) "C:\Program Files\Common Files\HP"
    2006-07-09 15:07:22 ( .D... ) "C:\Program Files\QuickTime"
    2006-07-09 15:03:56 ( .D... ) "C:\Program Files\iTunes"
    2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
    2006-06-15 14:08:22 ( .D... ) "C:\Documents and Settings\Katie\Application Data\Sun"
    2006-06-15 14:04:56 ( .D... ) "C:\Program Files\Java"
    2006-06-15 14:04:16 ( .D... ) "C:\Program Files\Common Files\Java"
    2006-06-10 18:09:28 545280 ( A.... ) "C:\WINDOWS\flashax.exe"
    2006-06-10 18:09:28 12288 ( A.... ) "C:\WINDOWS\impborl.dll"
    2006-06-10 15:29:10 31535 ( A.... ) "C:\Documents and Settings\Katie\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log"
    2006-06-10 15:23:28 2065 ( A.... ) "C:\Documents and Settings\Katie\Application Data\HPSU_48BitScanUpdate.log"
    2006-06-10 15:21:30 5157 ( A.... ) "C:\Documents and Settings\Katie\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log"
    2006-06-10 15:17:10 59080 ( A.... ) "C:\Documents and Settings\Katie\Application Data\Update_HP_RedboxHprblog_HPSU.log"
    2006-06-10 08:20:42 ( .D... ) "C:\Documents and Settings\Katie\Application Data\Image Zone Express"
    2006-06-07 13:55:52 3753 ( A.... ) "C:\Program Files\Common Files\kyfef.html"
    2006-06-04 13:35:56 ( .D... ) "C:\Documents and Settings\Katie\Application Data\Leadertech"
    2006-06-03 09:12:08 302646 ( A.... ) "C:\WINDOWS\system32\m247es.exe"
    2006-06-03 09:11:56 408688 ( A.... ) "C:\WINDOWS\system32\mgsb.exe"
    2006-06-01 18:06:38 59112 ( A.... ) "C:\Documents and Settings\Katie\Application Data\GDIPFONTCACHEV1.DAT"
    2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
    2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
    2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
    2006-05-16 10:34:32 247808 ( A.... ) "C:\WINDOWS\WINSTRUN.EXE"
    2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
    2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
    2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-26 00:11 61,440 C:\WINDOWS\system32\aaa00000.dll
    2006-07-26 00:11 1,064 C:\WINDOWS\system32\aaa00000.sys
    2006-07-26 00:06 400 C:\WINDOWS\liqvp.dll
    2006-07-26 00:04 127,578 C:\WINDOWS\system32\tsuninst.exe
    2006-07-26 00:03 232,749 C:\WINDOWS\pf78.exe
    2006-07-25 00:14 133,799,936 C:\hiberfil.sys
    2006-07-24 11:44 127,208 C:\WINDOWS\system32\mucltui.dll
    2006-07-23 17:05 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-23 13:47 45,056 C:\WINDOWS\system32ghynf.exe
    2006-07-23 13:47 45,056 C:\WINDOWS\system32\ghynf.exe
    2006-07-23 13:47 28,672 C:\WINDOWS\system32bez6n4r21.exe
    2006-07-23 13:47 28,672 C:\WINDOWS\system32\iqqr.exe
    2006-07-23 13:47 28,672 C:\WINDOWS\system32\bez6n4r21.exe
    2006-07-23 13:47 221,184 C:\WINDOWS\system32\xeymi.dll
    2006-07-23 13:47 159,744 C:\WINDOWS\system32\cvn0.exe
    2006-07-23 13:47 1,163,264 C:\WINDOWS\system32\wfxqhv.exe
    2006-06-15 14:06 53,346 C:\WINDOWS\system32\javaw.exe
    2006-06-15 14:06 49,248 C:\WINDOWS\system32\java.exe
    2006-06-15 14:06 127,078 C:\WINDOWS\system32\javaws.exe
    2006-06-13 10:01 97,848 C:\WINDOWS\system32\bass.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "acvb"="C:\\WINDOWS\\acvb.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "fmvozsbA"="C:\\WINDOWS\\fmvozsbA.exe"
    "ACTX1"="C:\\WINDOWS\\v1201.exe"
    "TheMonitor"="C:\\WINDOWS\\SYSC00.exe"
    "UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
    6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "frou"="C:\\PROGRA~1\\COMMON~1\\frou\\froum.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    "flags"=dword:00000008

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktopChanges"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="C:\\Program Files\\Common Files\\kyfef.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source"="C:\\Program Files\\Internet Explorer\\hocycow.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"
    "{31EE3286-D785-4E3F-95FC-51D00FDABC01}"="Master Browseui"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    NoColorChoice REG_DWORD 0 (0x0)
    NoSizeChoice REG_DWORD 0 (0x0)
    NoDispScrSavPage REG_DWORD 0 (0x0)
    NoDispCPL REG_DWORD 0 (0x0)
    NoVisualStyleChoice REG_DWORD 0 (0x0)
    NoDispSettingsPage REG_DWORD 0 (0x0)
    DisableRegistryTools REG_DWORD 0 (0x0)



    Contents of the 'Scheduled Tasks' folder

    Completion time: Thu 07/27/2006 22:28:53.64
    ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

    Here's the Ewido log:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:43:16 PM 7/27/2006

    + Scan result:



    C:\Program Files\System Files\plugin.dll -> Adware.CASClient : Cleaned.
    C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\9RRV9XGE\ac3[1].txt -> Adware.IEHelper : Cleaned.
    C:\WINDOWS\system32\aaa00000.dll -> Adware.IEHelper : Cleaned.
    C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned.
    C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned.
    C:\Program Files\Common Files\frou\froup.exe -> Downloader.TSUpdate.f : Cleaned.
    C:\Program Files\Common Files\frou\froua.exe -> Downloader.TSUpdate.l : Cleaned.
    C:\Program Files\Common Files\frou\froul.exe -> Downloader.TSUpdate.r : Cleaned.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5DDNJFYF\click_me[1].exe -> Downloader.VB.aiw : Cleaned.
    C:\WINDOWS\system32\dllcache\window.exe -> Downloader.VB.aiw : Cleaned.
    C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\EDRWX4ZE\popup[1].htm -> Hijacker.Agent.a : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned.
    C:\Documents and Settings\Katie\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

    And here's the Hijack Log from after that scan:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:59 PM, on 7/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [acvb] C:\WINDOWS\acvb.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fmvozsbA] C:\WINDOWS\fmvozsbA.exe
    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [frou] C:\PROGRA~1\COMMON~1\frou\froum.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.com/controls/ybrequest.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153755723291
    O20 - Winlogon Notify: Applets - C:\WINDOWS\
    O20 - Winlogon Notify: BITS - C:\WINDOWS\
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
  6. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Small update:

    A few minutes ago, I got a message (not really a warning) that said something about there being a record of adult sites on my computer and asking if I wanted to install something which I recognized as the name of a pop-up I've gotten before. I also got another pop up for DriveCleaner which is also bad.

    Could I have gotten spyware from MySpace a few minutes ago?
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Add remove programs – remove all occurrences of Viewpoint - SurfSideKick 3

    Fix these with HJT – mark them, close IE, click fix checked

    O4 - HKLM\..\Run: [acvb] C:\WINDOWS\acvb.exe

    O4 - HKLM\..\Run: [fmvozsbA] C:\WINDOWS\fmvozsbA.exe

    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKCU\..\Run: [frou] C:\PROGRA~1\COMMON~1\frou\froum.exe

    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.com/controls/ybrequest.cab

    O20 - Winlogon Notify: Applets - C:\WINDOWS\

    O20 - Winlogon Notify: BITS - C:\WINDOWS\

    O20 - Winlogon Notify: Extensions - C:\WINDOWS\

    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\

    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\


    Download http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\acvb.exe
    C:\WINDOWS\fmvozsbA.exe
    C:\WINDOWS\v1201.exe
    C:\WINDOWS\SYSC00.exe
    C:\Program Files\Viewpoint\Viewpoint Manager
    C:\PROGRA~1\COMMON~1\frou
    C:\Program Files\SurfSideKick 3

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
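The triage above is done by eye: the helper picks out the O4 Run entries whose program sits directly in C:\WINDOWS\ under a meaningless name, and the O20 Winlogon Notify entries that show only a directory instead of a DLL. The script below is an added example for this thread (not part of HijackThis, Killbox, or the helper's own procedure) that encodes those two patterns as rules and runs them over a constructed sample built from lines in the thread's first HijackThis log. It deliberately does not cover the vendor-name decisions (Viewpoint, SurfSideKick, the YouBet control), which rest on knowing the product rather than on the line's shape.

```python
"""Heuristic triage of HijackThis v1.99.1 log lines.

Added example for this thread; it is not part of HijackThis or of the
helper's procedure. Two rules are encoded:
  1. O4 Run entries whose program lives directly in the Windows directory
     (legitimate startup programs install under Program Files or system32).
  2. O20 Winlogon Notify entries whose value is a bare directory, i.e. no
     DLL file name could be resolved for the notification package.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: entries taken from the thread's first HJT log, with a
# few legitimate lines left in so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [acvb] C:\WINDOWS\acvb.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fmvozsbA] C:\WINDOWS\fmvozsbA.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Applets - C:\WINDOWS\
O20 - Winlogon Notify: BITS - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")

# Directories in which a startup executable is itself a red flag.
WINDOWS_DIRS = {"c:\\windows", "c:\\winnt", "%systemroot%"}


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section, "O4" or "O20"
    name: str     # Run value name or Notify subkey name
    path: str     # program or DLL path taken from the line
    reason: str   # which rule fired


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run command line.

    Handles a quoted path, an unquoted path containing spaces (HJT prints
    these verbatim) and a bare command without extension such as
    'dumprep 0 -u', for which the first token is returned.
    """
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    with_ext = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    if with_ext:
        return with_ext.group(1)
    return cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Apply both rules to every line and return the entries that fire."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            parent = ntpath.dirname(path).lower().rstrip("\\")
            if parent in WINDOWS_DIRS:
                findings.append(Finding(
                    "O4", m.group("name"), path,
                    "startup program placed directly in the Windows directory"))
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path")
            # ntpath.basename() of 'C:\WINDOWS\' is '' : no DLL was named.
            if not ntpath.basename(path):
                findings.append(Finding(
                    "O20", m.group("name"), path,
                    "Winlogon Notify entry names a directory, not a DLL"))
    return findings


def flagged_names(log_text: str) -> set[str]:
    """Names of the entries a reviewer should look at first."""
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<12}{f.path:<32}{f.reason}")
```

On the sample the rules flag exactly acvb, fmvozsbA, ACTX1, TheMonitor, Applets and BITS, which matches what the helper picked from those lines, and they leave the HP, iTunes, AVG, ctfmon and WgaLogon entries alone. Rule 2 lines up with the later SpySweeper log, which ties the winlogon\notify\extensions key to look2me; a bare-directory O20 is the HJT-level symptom of that family.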
     
  8. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Alright, I did everything. Those two programs you told me to delete were not in the list.
    All of the temporary files deleted. The background didn't appear before logon, which seems more normal. The logon was slow, but no problems. SpyBot warned me about the things I deleted and I allowed all of the registry changes I made. Everything seems to have worked...everything seems to be running ok...

    Here's the HT logfile

    Logfile of HijackThis v1.99.1
    Scan saved at 11:46:22 AM, on 7/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153755723291
    O20 - Winlogon Notify: Applets - C:\WINDOWS\
    O20 - Winlogon Notify: BITS - C:\WINDOWS\
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    Is there anything wrong still?
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Try and fix those O20's again but first do this

    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  10. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    The link for spysweeper is dead. I tried installing the free trial twice, but it didn't work. Turns out that doesn't exist anymore. It's only a scan now. Anything else I could use?
     
  11. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Also, I was having problems with SpyBot overloading my system with alerts, so I uninstalled it for now.
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    No it's not - look to the right column
     
  13. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    The past two times I tried it, it went to the website, but in red text at the top, it said the link was broken and showed pictures of the products. It only showed a free scan. Sorry, but that's what happened last time. Of course, as soon as I ask for help it works.
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Great - stuff happens!
     
  15. KTchan

    KTchan Thread Starter

    Joined:
    Jul 27, 2006
    Messages:
    12
    Hey again, sorry that took so long.

    I've had the same stuff happening at logon, but that was before the scan, so we'll see next time I reboot. I also had one pop-up. But no more. Computer is slow enough without extra programs and bad stuff running, so it's slow going. But again, we'll see with the reboot.

    Also, SpySweeper said there were things it could not delete until the next reboot.

    I'm leaving for the night, so I'll be here sometime tomorrow to work on this.

    Here's the log from SpySweeper:

    6:52 PM: Removal process completed. Elapsed time 00:02:07
    6:52 PM: A reboot was required but declined.
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST11D.tmp". Reason: The system cannot find the file specified
    6:51 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    6:51 PM: Quarantining All Traces: 66.246.209 cookie
    6:51 PM: Quarantining All Traces: zedo cookie
    6:51 PM: Quarantining All Traces: statcounter cookie
    6:51 PM: Quarantining All Traces: revenue.net cookie
    6:51 PM: Quarantining All Traces: questionmarket cookie
    6:51 PM: Quarantining All Traces: partypoker cookie
    6:51 PM: Quarantining All Traces: webtrends cookie
    6:51 PM: Quarantining All Traces: ic-live cookie
    6:51 PM: Quarantining All Traces: directtrack cookie
    6:51 PM: Quarantining All Traces: searchingbooth cookie
    6:51 PM: Quarantining All Traces: atwola cookie
    6:51 PM: Quarantining All Traces: tacoda cookie
    6:51 PM: Quarantining All Traces: addynamix cookie
    6:51 PM: Quarantining All Traces: adrevolver cookie
    6:51 PM: Quarantining All Traces: yieldmanager cookie
    6:51 PM: Quarantining All Traces: 2o7.net cookie
    6:51 PM: Quarantining All Traces: allstar search hijacker
    6:51 PM: c:\program files\common files\kyfef.html is in use. It will be removed on reboot.
    6:51 PM: deskwizz is in use. It will be removed on reboot.
    6:51 PM: Quarantining All Traces: deskwizz
    6:51 PM: Quarantining All Traces: ieplugin
    6:51 PM: Quarantining All Traces: clocksync
    6:51 PM: Quarantining All Traces: findthewebsiteyouneed hijack
    6:50 PM: Quarantining All Traces: command
    6:50 PM: Quarantining All Traces: cas
    6:50 PM: Quarantining All Traces: forethought
    6:50 PM: Quarantining All Traces: targetsaver
    6:50 PM: Quarantining All Traces: comet cursor
    6:50 PM: Quarantining All Traces: bookedspace
    6:50 PM: Quarantining All Traces: sidesearch
    6:50 PM: Quarantining All Traces: enbrowser
    6:50 PM: Quarantining All Traces: trojan-downloader-silly
    6:50 PM: Quarantining All Traces: coolwebsearch (cws)
    6:50 PM: Quarantining All Traces: trojan-backdoor-satellite
    6:50 PM: Quarantining All Traces: look2me
    6:50 PM: Quarantining All Traces: trojan-downloader-2pursuit
    6:50 PM: Removal process initiated
    6:49 PM: Traces Found: 70
    6:49 PM: Full Sweep has completed. Elapsed time 00:54:26
    6:48 PM: File Sweep Complete, Elapsed Time: 00:41:34
    6:47 PM: Warning: Stream read error
    6:47 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:47 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:47 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:47 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:41 PM: Warning: Failed to access drive D:
    6:41 PM: C:\WINDOWS\system32\mscnf.dll (ID = 107173)
    6:41 PM: Found Adware: allstar search hijacker
    6:41 PM: C:\WINDOWS\system32\bre32.dll (ID = 199801)
    6:41 PM: C:\WINDOWS\U3pjenlwaW5za2k\oaD3yB5TuqcWuZ4.vbs (ID = 185675)
    6:38 PM: C:\WINDOWS\system32\wfxqhv.exe (ID = 328039)
    6:38 PM: C:\!KillBox\frou\froud\class-barrel (ID = 78229)
    6:37 PM: C:\WINDOWS\system32\ghynf.exe (ID = 327340)
    6:37 PM: C:\WINDOWS\system32\cvn0.exe (ID = 328032)
    6:37 PM: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5DDNJFYF\cas2setup[1].exe (ID = 326584)
    6:37 PM: Found Adware: cas
    6:34 PM: C:\Program Files\Internet Explorer\hocycow.html (ID = 310472)
    6:34 PM: C:\Program Files\Common Files\kyfef.html (ID = 323861)
    6:34 PM: Found Adware: deskwizz
    6:31 PM: C:\WINDOWS\system32bez6n4r21.exe (ID = 327338)
    6:31 PM: C:\WINDOWS\system32ghynf.exe (ID = 327340)
    6:31 PM: C:\!KillBox\frou\froud\vocabulary (ID = 78283)
    6:31 PM: C:\WINDOWS\system32\bez6n4r21.exe (ID = 327338)
    6:31 PM: Found Adware: forethought
    6:30 PM: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5DDNJFYF\tsupdate2[1].ini (ID = 193498)
    6:30 PM: Found Adware: targetsaver
    6:26 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:26 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:26 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:26 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:26 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:26 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:23 PM: C:\WINDOWS\pf78.exe (ID = 244430)
    6:22 PM: c:\windows\downloaded program files\dm.inf (ID = 53551)
    6:22 PM: Found Adware: comet cursor
    6:07 PM: C:\WINDOWS\zAbstract (6 subtraces) (ID = 2147518024)
    6:07 PM: Found Adware: bookedspace
    6:07 PM: Starting File Sweep
    6:07 PM: Warning: Failed to access drive A:
    6:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
    6:07 PM: c:\documents and settings\deb\cookies\[email protected][1].txt (ID = 2821)
    6:07 PM: c:\documents and settings\deb\cookies\[email protected][2].txt (ID = 1997)
    6:07 PM: Found Spy Cookie: 66.246.209 cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 3762)
    6:07 PM: Found Spy Cookie: zedo cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 3447)
    6:07 PM: Found Spy Cookie: statcounter cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 3321)
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 3257)
    6:07 PM: Found Spy Cookie: revenue.net cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 2528)
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 3217)
    6:07 PM: Found Spy Cookie: questionmarket cookie
    6:07 PM: c:\documents and settings\katie\cookies\ka[email protected][1].txt (ID = 3111)
    6:07 PM: Found Spy Cookie: partypoker cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 1958)
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2089)
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 3669)
    6:07 PM: Found Spy Cookie: webtrends cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2821)
    6:07 PM: Found Spy Cookie: ic-live cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2527)
    6:07 PM: Found Spy Cookie: directtrack cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 3322)
    6:07 PM: Found Spy Cookie: searchingbooth cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2255)
    6:07 PM: Found Spy Cookie: atwola cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 6445)
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 6445)
    6:07 PM: Found Spy Cookie: tacoda cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2062)
    6:07 PM: Found Spy Cookie: addynamix cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][1].txt (ID = 2088)
    6:07 PM: Found Spy Cookie: adrevolver cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 3751)
    6:07 PM: Found Spy Cookie: yieldmanager cookie
    6:07 PM: c:\documents and settings\katie\cookies\[email protected][2].txt (ID = 1957)
    6:07 PM: Found Spy Cookie: 2o7.net cookie
    6:07 PM: Starting Cookie Sweep
    6:07 PM: Registry Sweep Complete, Elapsed Time:00:01:58
    6:07 PM: HKU\S-1-5-18\software\microsoft\moviemaker\recordsettings\captureset\ (ID = 1021450)
    6:07 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 841067)
    6:06 PM: HKU\S-1-5-19\software\microsoft\search assistant\ || defaultsearchurl (ID = 841067)
    6:06 PM: HKU\S-1-5-20\software\microsoft\search assistant\ || defaultsearchurl (ID = 841067)
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\moviemaker\recordsettings\captureset\ (ID = 1021450)
    6:06 PM: Found Trojan Horse: trojan-backdoor-satellite
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 841067)
    6:06 PM: Found Adware: ieplugin
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
    6:06 PM: Found Adware: sidesearch
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421)
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\internet explorer\sites\ (ID = 109822)
    6:06 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\windows\currentversion\run\ || clocksync (ID = 106141)
    6:06 PM: Found Adware: clocksync
    6:06 PM: HKU\S-1-5-21-776561741-436374069-842925246-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
    6:06 PM: HKU\S-1-5-21-776561741-436374069-842925246-1005\software\system\sysuid\ (ID = 731748)
    6:06 PM: HKU\S-1-5-21-776561741-436374069-842925246-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    6:06 PM: Found Adware: findthewebsiteyouneed hijack
    6:06 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\extensions\ (ID = 1169275)
    6:06 PM: Found Adware: look2me
    6:06 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {31ee3286-d785-4e3f-95fc-51d00fdabc01} (ID = 1094560)
    6:06 PM: HKLM\software\classes\clsid\{31ee3286-d785-4e3f-95fc-51d00fdabc01}\ (ID = 1094538)
    6:06 PM: HKCR\clsid\{31ee3286-d785-4e3f-95fc-51d00fdabc01}\ (ID = 1094393)
    6:06 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
    6:06 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (ID = 1016064)
    6:06 PM: HKLM\system\currentcontrolset\services\cmdservice\ (ID = 958670)
    6:06 PM: Found Adware: command
    6:06 PM: HKLM\software\system\sysold\ (ID = 926808)
    6:06 PM: Found Adware: enbrowser
    6:06 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {203b1c4d9-bc71-8916-38ad-9dea5d213614} (ID = 867140)
    6:06 PM: Found Trojan Horse: trojan-downloader-silly
    6:06 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:06 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:06 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:06 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:06 PM: The Spy Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
    6:06 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
    6:05 PM: Starting Registry Sweep
    6:05 PM: Memory Sweep Complete, Elapsed Time: 00:09:49
    5:55 PM: Starting Memory Sweep
    5:54 PM: HKU\WRSS_Profile_S-1-5-21-776561741-436374069-842925246-1003\software\microsoft\windows\currentversion\run\ || xp_system (ID = 1058917)
    5:54 PM: Found Adware: coolwebsearch (cws)
    5:54 PM: HKCR\clsid\{31ee3286-d785-4e3f-95fc-51d00fdabc01}\inprocserver32\ (ID = 1098696)
    5:54 PM: Found Trojan Horse: trojan-downloader-2pursuit
    5:54 PM: Sweep initiated using definitions version 729
    5:54 PM: Spy Sweeper 5.0.5.1286 started
    5:54 PM: | Start of Session, Friday, July 28, 2006 |
    ********
    5:54 PM: | End of Session, Friday, July 28, 2006 |
    5:54 PM: Your spyware definitions have been updated.
    5:52 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
    5:52 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    5:39 PM: Shield States
    5:38 PM: Spyware Definitions: 691
    5:36 PM: Spy Sweeper 5.0.5.1286 started
    5:36 PM: Spy Sweeper 5.0.5.1286 started
    5:36 PM: | Start of Session, Friday, July 28, 2006 |
    ********

    And a new Hijack Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:08:03 PM, on 7/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Katie\Desktop\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153755723291
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
Short URL to this thread: https://techguy.org/486998
