I seriously need help getting rid of this thing like everyone else


  • This topic is locked
29 replies to this topic

#1 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 01 December 2005 - 05:03 AM

Just a few days ago, I noticed in my Task Manager that 3 Internet Explorer tasks are running alongside the original one. I tried to end the tasks, but they just come back, and I discovered that the tasks "DELETE LOGO BLUE.EXE" and "OPEN POLL.EXE" appeared for a couple of secs then disappeared. So I went on to search the computer for those files and, as expected, they were found in the folder "C:/Windows/Prefetch", and I went on to delete them, along with the rest of the folder.

When that didn't work, I used a search engine to find forum topics on these files and discovered that my computer could be infected with the LOP.com infection. He advised the user to install a file by the name "new_uninstall.exe". I tried installing it, then the Antivirus picked it up as a virus and tried to run it...nothing happened.

So then I tried running several scans on the system, starting with Spybot - Search and Destroy, Ad-Aware and Spyware Doctor to name but a few...none of these have managed to solve the problem and remove those "internet explorer" tasks outta the task manager. I've noticed multiple pop-ups coming up, despite having a pop-up blocker, and a general slowing in the running of Internet Explorer.

I've recently done a scan with HijackThis and here's the log for it:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:12 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Programs\SpywareGuard\sgmain.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
D:\Programs\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
D:\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - <default> - (no file)
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinFixer 2005] D:\Programs\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [acesigneachcool] C:\Documents and Settings\All Users\Application Data\does multi ace sign\OpenPoll.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\khost.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...dtc32_EN_XP.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.c...ient403/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67982281-7588-44BE-B200-96BF6440EF20}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

Please help me a.s.a.p...it's literally driving me insane. I've spent 5 hours on the net trying to get rid of the problem and this is the last resort, I don't know what else to do. Any support would be very much appreciated.

Mikey

Edited by Mikey_D, 01 December 2005 - 05:38 AM.



#2 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 05 December 2005 - 03:20 AM

Pop-ups have now been constantly appearing on the screen the past few days, despite having a pop-up blocker. Also, the "iexplorer" tasks are still appearing in my task manager and keep increasing in dragging the memory down. I don't know what the hell this worm, trojan or infection is, but nothing seems to pick it up and it's just been generally annoying. Please help me with this problem ASAP.

Here is a more recent HiJackThis Log that I just did then, which will be very helpful I'm sure

Logfile of HijackThis v1.99.1
Scan saved at 8:18:20 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\kdx\khost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
D:\Programs\SpywareGuard\sgbhp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - <default> - (no file)
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinFixer 2005] D:\Programs\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [acesigneachcool] C:\Documents and Settings\All Users\Application Data\does multi ace sign\OpenPoll.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\khost.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...dtc32_EN_XP.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.c...ient403/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67982281-7588-44BE-B200-96BF6440EF20}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)


Again, any help that you can provide will be much appreciated.

Thanks so much
Mikey

#3 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 06 December 2005 - 04:05 PM

Mikey_D, :D

Welcome to the forum, sorry for the delay but we can't get to logs fast enough as they are being posted.

Just wanted to point out that poor surfing habits have gotten you into this mess, I am looking at Malware, Spyware, Trojans, Viruses and a porn dialer. Once we get you clean, if you continue surfing with the same bad habits, you're going to get infected again :rant2: and you will just be wasting my time and your own.

Before we get started, you have to disable Spyware Guard as it may interfere with the fix. Just double click on the Icon in your system tray and when the program loads, go to Options and take the checkmark out of the three entries.

I suggest you print out these instructions as we will be off the internet at times and you need to keep them handy.

The main culprit here is New Dot Net, the only problem with removing it is that not always, but sometimes the removal of this program will disrupt your internet access, not to worry, just follow the instructions and download LSPfix first, so that if your internet access is disrupted, LSPfix will fix it.

I suggest you remove NewDotNet unless you deliberately installed it. It is extremely dubious and commercially sponsored:
First, please open Add/Remove programs and uninstall New.Net or NewDotNet from there if listed. If it is not listed, follow these instructions:

· From a computer that has Internet access, click on the following link:
http://www.new.net/s...install6_76.exe.
· Download and save uninstall6_76.exe to Local Disc C
· Click on Start.
· Click on Run.
· In the Open window type, C:\uninstall6_76.exe.
· Click on the OK button.
· After removal, you may be prompted to reboot. Please reboot if not prompted.

Check your internet access and if not needed, then disregard LSPfix


  • Please download LSPFix from here.
  • Disconnect from the internet.
  • Go to where you downloaded LSPFix and run the LSPFix.exe by double clicking on it.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of XXXXX.dll.
  • Select every instance of XXXXX.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

Look for these programs and remove them in the Add-Remove Programs, don't worry if they're not there or if they won't let you remove them, but give it a shot.

C:\Program Files\RVP
C:\Program Files\Windows AdStatus
c:\program files\altnet
C:\Program Files\WhenUSearch
C:\Program Files\LimeShop
D:\Programs\WinFixer 2005




Now enable windows to show all files and folders.

SHOW HIDDEN FILES AND FOLDERS

* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean

Boot into Safemode

Reboot your computer into Safemode

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD


Open HJT Scan Only, close all open windows, the only window you should have open is HJT, put a checkmark in the following entries and click on Fix Checked. Make sure you don't miss any.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - <default> - (no file)
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 www.grisoft.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [WinFixer 2005] D:\Programs\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

Now while in Safemode, look for and delete the following files and folders in RED

C:\Program Files\RVP
C:\Program Files\Windows AdStatus
c:\program files\altnet
C:\Program Files\WhenUSearch
C:\Program Files\LimeShop
D:\Programs\WinFixer 2005
C:\PROGRAM FILES\NewDotNet
C:\WINDOWS\Wast


Now reboot normally and download the Hoster Program, this will restore your hosts files.

Download Hoster

* Unzip Hoster to your desktop
* Open up Hoster
* Make sure that the Make Hosts Writable button in the upper right corner is enabled.
* Click Back Up Host Files
* Click on Restore Original Hosts
* Close program

I want you to download, install both of these programs, they are the free evaluation trials

Before you run Ewido, you need to Disable the System Restore program on your computer.

* Right Click on MY COMPUTER
* Click on PROPERTIES
* Click on the SYSTEM RESTORE TAB
* Check TURN OFF SYSTEM RESTORE ON ALL DRIVES
* Click APPLY / OK



http://www.ewido.net/en/


* Download and Install Ewido
* Under "Additional Options" uncheck:
* "Install background guard"
* "Install scan via context menu"

* Launch Ewido, there should be an icon on your desktop.
* Click on update
* You should see Update Complete when done.

Now you need to close out Ewido and boot into Safemode. Then open Ewido in Safemode and proceed.



* Click on scanner.
* Run a full system scan
* Let the program scan the machine.
* While the scan is in progress you will be prompted to clean files, click OK.
* Check Perform action on all infections
* Once the scan has completed, Click on Save Report on the bottom of the screen.
* Save the report to your desktop.
* I need you to paste the report into your next post.
* Exit the program.


Now Reboot normally.

Download the trial version of SpySweeper, make sure you download the trial and not the online scan.

http://www.webroot.c...er/latestv.html

Look on the bottom of the page for the 14 day free trial and here are the instructions.


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Now reboot your computer and paste the log from Ewido, Spysweeper and a new HJT log please.

Ken :D

Edited by ken545, 06 December 2005 - 07:40 PM.


 
 
Just a reminder that threads will be closed if no reply in 3 days.
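A triage check for the hosts-file tampering visible in the logs above (the O1 entries that are ticked for fixing and then reset with Hoster), as an added example that is not part of the original thread. It parses HijackThis entry lines and flags any non-loopback address that many security-vendor hostnames have been pointed at; the function names, the vendor keyword list and the threshold are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Excerpt of entries from the logs posted in this thread, plus one
# constructed benign hosts line (127.0.0.1 localhost) for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)
"""

# HijackThis entry lines start with a section code (R0, O1, O23, ...).
ENTRY_RE = re.compile(r"^([ROF]\d{1,2}) - (.*)$")

# Assumption: keywords taken from the vendor domains listed in the thread.
VENDOR_HINTS = ("symantec", "mcafee", "kaspersky", "sophos", "f-secure",
                "trendmicro", "grisoft", "viruslist", "pandasoftware")


def parse_entries(text):
    """Return (section_code, body) for every entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def hosts_redirects(entries):
    """Map each non-loopback IP in O1 entries to the hostnames pointed at it."""
    redirects = defaultdict(list)
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) < 2:
            continue
        ip_text, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address field, nothing to group on
        if addr.is_loopback or addr.is_unspecified:
            continue  # ordinary localhost / null-route entries
        redirects[ip_text].extend(names)
    return dict(redirects)


def flag_security_blocking(redirects, min_hosts=3):
    """Return IPs that at least min_hosts security-vendor names resolve to."""
    flagged = {}
    for ip_text, names in redirects.items():
        hits = [n for n in names if any(h in n.lower() for h in VENDOR_HINTS)]
        if len(hits) >= min_hosts:
            flagged[ip_text] = hits
    return flagged


def summarize(text):
    """Counts a helper reads first: per-section totals, LSP hijacks, missing files."""
    entries = parse_entries(text)
    return {
        "per_section": dict(Counter(code for code, _ in entries)),
        "lsp_hijack_entries": sum(1 for code, _ in entries if code == "O10"),
        "missing_files": [b for _, b in entries if b.endswith("(file missing)")],
        "security_blocking": flag_security_blocking(hosts_redirects(entries)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "->", value)
```

A flagged address means antivirus sites and update servers no longer resolve to their real hosts on that machine, which is consistent with scanners failing to update until the hosts file is restored.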

#4 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 09 December 2005 - 05:25 PM

Sorry it has taken so long to post you a reply, but I've recently had the flu and gotten myself into a bit of a rut computer wise. I started following the instructions you posted and found a few problems.

Firstly, I couldn't delete/find these folders: C:/Program Files/RVP, Windows AdStatus, altnet, When U Search and Winfixer 2005. Also, the O10 entries on HiJackThis couldn't be repaired as they needed LSPfix.exe to be installed.

When it came to uninstalling New Dot Net, my internet connection got disrupted as you forewarned, but I didn't read that I needed to install LSPfix.exe beforehand and so, had to download the program from my local library computer. I tried installing this on my computer, used it to remove 3 .dll files, but this didn't resolve the problem. My internet connection STILL doesn't work properly.

Now, I've noticed that errors are coming up with my Avast Antivirus program on startup and when I did another scan with HiJackThis, it noted that the files for the program were missing.
Recently, my Windows Firewall has been shut down and I can't seem to establish a connection to the net to turn it back on. Also, something called Delivery Manager comes up not responding.

Also, I thought it was important to mention that I tried to reinstall my modem using the Bigpond Installation CD and halfway through the process, it failed to detect the modem.

Here below is a new HJT log I saved from last night. I really hope you can solve the problem as I've tried everything I can to rectify it, but can't seem to get it working. I've had to resort to the library computer, so please post a reply to this as soon as you can.

Thanks,
Mikey

Logfile of HijackThis v1.99.1
Scan saved at 1:26:08 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgbhp.exe
D:\Programs\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [acesigneachcool] C:\Documents and Settings\All Users\Application Data\does multi ace sign\OpenPoll.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\khost.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.c...ient403/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67982281-7588-44BE-B200-96BF6440EF20}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

#5 ken545

Posted 09 December 2005 - 06:44 PM

Mikey,

I tried to make the fix as clear as I could so that you would download LSPfix first. Let's run LSPfix again, this time with Spyware Guard disabled. It sits in your system tray, it will look like this: SG. Double-click on it to open it, then go to Options and take the checkmark out of the three entries. Then click on Save Settings.



  • Please download LSPFix from here.
  • Disconnect from the internet.
  • Go to where you downloaded LSPFix and run the LSPFix.exe by double clicking on it.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of XXXXX.dll.
  • Select every instance of XXXXX.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
If LSPfix doesn't work, try this:

This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe. You just run it and things should work OK after it reboots your system.

http://www.snapfiles...nsockxpfix.html



As far as these go, they're gone. NewNet most likely took them with them when we gave them the boot.

C:\Program Files\RVP
C:\Program Files\Windows AdStatus
c:\program files\altnet
C:\Program Files\WhenUSearch
D:\Programs\WinFixer 2005

The only thing I see left of the bad programs is Limewire:
C:\Program Files\LimeShop
This is known to cause you problems, look for Limewire in the Add-Remove Programs in the Control Panel and remove it.

The missing files for Avast are no big thing; sometimes HJT just doesn't find the file, the file is still there. Try uninstalling Avast and then do a clean install and see if that clears up your problem.

Run HJT Scan Only and close all open windows, put a checkmark by these and click on Fix Checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - <default> - (no file)

Do you know what this application is? If not, have HJT fix it.
O4 - HKLM\..\Run: [acesigneachcool] C:\Documents and Settings\All Users\Application Data\does multi ace sign\OpenPoll.exe

If you remove Limewire, remove this line, if not leave it alone.
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

Try shutting everything down: shut down your PC, turn off your modem for about 3 minutes to let it reset, then turn your modem on first, then boot up your computer.

Just so that you know, NewDotNet is gone and so is all the garbage associated with it.

Post back and let me know if you're still having problems.

Ken :D




Edited by ken545, 09 December 2005 - 07:53 PM.
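The kind of first-pass reading ken545 gives the HijackThis log above can be sketched in code. This is an added Python example, not part of the original posts and not HijackThis's own logic; the names `triage` and `Finding`, the rule labels and the heuristics themselves are assumptions made for illustration, and the sample lines are copied from the log posted in this thread.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [acesigneachcool] C:\Documents and Settings\All Users\Application Data\does multi ace sign\OpenPoll.exe
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
"""


class Finding(NamedTuple):
    code: str   # HijackThis section code, e.g. "O4"
    rule: str   # which heuristic fired (labels are this example's own)
    line: str   # the log entry, for a human to review


# An entry line is "<letter><1-2 digits> - <body>"; the header and the
# running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autoruns: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "Application Data" in long form and in 8.3 short form (APPLIC~1). Matching
# only the long name would miss the SeekUser entry in the sample.
DATA_DIR_RE = re.compile(r"\\(?:Application Data|APPLIC~\d)\\", re.IGNORECASE)


def parse(log):
    """Yield (code, body) for every entry line in a HijackThis log."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return entries worth a second look. A finding means 'review', not 'malicious'."""
    findings = []
    for code, body in parse(log):
        line = f"{code} - {body}"
        if body.endswith("(no file)"):
            # Registry entry that points at nothing, like the R3 hook fixed above.
            findings.append(Finding(code, "no-file", line))
        elif body.endswith("(file missing)"):
            # HJT could not find the target; confirm on disk before acting,
            # since the file may still be there.
            findings.append(Finding(code, "file-missing", line))
        elif code in ("R0", "R1") and body.endswith("="):
            # Internet Explorer setting present but blank.
            findings.append(Finding(code, "blank-value", line))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and DATA_DIR_RE.search(m.group("cmd")):
                # Autorun launched from a per-user or all-users data folder.
                findings.append(Finding(code, "autorun-from-data-dir", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.line}")
```

Legitimate software can also start from a data folder or show as "(file missing)", so each flagged line still needs the judgement applied in the post above.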


 
 

#6 Mikey_D

Posted 16 December 2005 - 06:16 PM

I've done everything you've listed in your post including installing and running "Winsockxpfix", removing Limewire and fixing the entries from the HJT Scan. Things seem to be running normal and much more smoothly. BUT my internet connection is still disrupted. It does seem to try harder to make a connection though.

However I've noticed something through my MSN Messenger that could explain the problem. When I did a Troubleshooter to try and connect it again, it says that the "DNS is unable to resolve the IP address" and also that there might be a problem with the Firewall settings. As a result, both DNS and Key Port tasks came up with a caution sign !. I tried to repair these problems, but it didn't seem to do anything.

Also, I never got around to installing those other programs you mentioned in your first post including Hoster, Ewido and Spysweeper. Would it be worth installing these to try and see if they resolve this problem? I really hope this information will be helpful in getting my internet connection back up and running properly again.

Thanks so much for all your help so far.
Mikey

#7 ken545

Posted 16 December 2005 - 07:21 PM

Mikey,

Do this..

Flush any DNS caches. Two examples are routers that act as proxy nameservers, and versions of Windows that support DNS caching.

The way to fix the router cache is to power the router off and on.

The way to fix XP/Win2K's is to enter the command "ipconfig /flushdns" at a cmd.exe prompt.

Click Start > All Programs > Accessories > Command Prompt and type in ipconfig /flushdns then Enter

Then try installing Hoster to straighten out your host files.



Download Hoster

* Unzip Hoster to your desktop
* Open up Hoster
* Make sure that the Make Hosts Writable button in the upper right corner is enabled.
* Click Back Up Host Files
* Click on Restore Original Hosts
* Close program

Then run HJT and post a new log please.

Ken :D

 
 

#8 Mikey_D

Posted 17 December 2005 - 07:01 PM

Hey there Ken,

I actually got a mate from my Step-dad's work to help find the problem with the internet connection. It was really simple, he just had to enable several of the services in the Control Panel > Administrative Tools and yay, I'm back on the net again :). Despite this, I did what you told me to do, flushed out the DNS and ran the Hoster program. Your help has been so valuable in getting rid of the Spyware stuff from my computer, so thank you so much for that. However, if there's anything that still needs to be done just as a precaution to make sure this doesn't happen again, by all means tell me.

Here's a new HJT log that you requested:

Logfile of HijackThis v1.99.1
Scan saved at 11:54:01 AM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0DAA4E-35A3-4970-822E-F5F405E54798}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

Thanks again,
Mikey

P.S. I've just noticed that I'm still getting really annoying pop-ups such as Adult Finder and installing programs to get rid of Spyware. Bugger :( In the meantime, I'll keep running scans with my Spyware progs to try and rid them ;)

Edited by Mikey_D, 17 December 2005 - 07:10 PM.


#9 Mikey_D

Posted 17 December 2005 - 08:46 PM

P.P.S. Just in case you needed them, I thought I'd install both Ewido and Spysweeper, run scans and save the reports for them. There is indeed still spyware on the system, so I think it was worth doing. Here are both the reports:

********
1:09 PM: | Start of Session, Sunday, December 18, 2005 |
1:09 PM: Spy Sweeper started
1:09 PM: Sweep initiated using definitions version 586
1:09 PM: Starting Memory Sweep
1:13 PM: Memory Sweep Complete, Elapsed Time: 00:03:48
1:13 PM: Starting Registry Sweep
1:13 PM: Found Adware: bookedspace
1:13 PM:
HKCR\appid\{5cd19420-b328-47d5-a55f-1c07638efdf8}\ (1 subtraces) (ID = 104856) 1:13 PM: HKLM\software\classes\appid\{5cd19420-b328-47d5-a55f-1c07638efdf8}\ (1 subtraces) (ID = 104866) 1:13 PM: Found Adware: clipgenie 1:13 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\clipgenie\ (2 subtraces) (ID = 105921) 1:13 PM: Found Adware: comet cursor 1:13 PM: HKCR\appid\dmserver.exe\ (1 subtraces) (ID = 106303) 1:13 PM: HKCR\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106304) 1:13 PM: HKLM\software\classes\appid\dmserver.exe\ (1 subtraces) (ID = 106525) 1:13 PM: HKLM\software\classes\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106526) 1:13 PM: Found Adware: instant access 1:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/nethv32.dll\ (2 subtraces) (ID = 128805) 1:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\nethv32.dll (ID = 128826) 1:13 PM: Found Adware: limeshop 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\limeshop.xml\ (3 subtraces) (ID = 129725) 1:13 PM: Found Adware: opensite 1:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ucsearch.ocx\ (2 subtraces) (ID = 136452) 1:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ucsearch.ocx (ID = 136455) 1:13 PM: Found Trojan Horse: rbot 1:13 PM: HKLM\software\krypton\ (6 subtraces) (ID = 139241) 1:13 PM: Found Adware: scbar 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\batch assistant\ (2 subtraces) (ID = 140508) 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\data compiler\ (2 subtraces) (ID = 140509) 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\indexing function\ (2 subtraces) (ID = 140510) 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\search os\ (2 subtraces) (ID = 
140512) 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tp http\ (2 subtraces) (ID = 140514) 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\url.ie app\ (2 subtraces) (ID = 140515) 1:13 PM: Found Adware: shopathomeselect 1:13 PM: HKLM\software\ || test (ID = 141678) 1:13 PM: Found Adware: winad 1:13 PM: HKLM\software\windows adstatus\ (8 subtraces) (ID = 147240) 1:13 PM: Found Adware: wurldmedia 1:13 PM: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535) 1:13 PM: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536) 1:13 PM: Found Adware: ist yoursitebar 1:13 PM: HKCR\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 147829) 1:13 PM: Found Adware: ist software 1:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854) 1:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857) 1:13 PM: Found Adware: surf accuracy 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070) 1:13 PM: Found Adware: accoona toolbar 1:13 PM: HKCR\abar.abarband\ (5 subtraces) (ID = 520479) 1:13 PM: HKCR\asearchassist.adefaultsearch\ (5 subtraces) (ID = 520489) 1:13 PM: HKCR\clsid\{364b6276-c6c1-40b6-a6d7-6c48871fd707}\ (10 subtraces) (ID = 520499) 1:13 PM: HKCR\clsid\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (11 subtraces) (ID = 520510) 1:13 PM: HKCR\typelib\{21f022c8-c045-4555-8a90-651e6a3dc6c6}\ (9 subtraces) (ID = 520528) 1:13 PM: HKCR\typelib\{ea3956d2-ec38-41ab-b601-47aa281e4952}\ (9 subtraces) (ID = 520538) 1:13 PM: HKLM\software\accoona\ (3 subtraces) (ID = 520615) 1:13 PM: HKLM\software\classes\abar.abarband\ (5 subtraces) (ID = 520739) 1:13 PM: HKLM\software\classes\asearchassist.adefaultsearch\ (5 subtraces) (ID = 520749) 1:13 PM: HKLM\software\classes\asearchassist.adefaultsearch.1\ (3 subtraces) (ID 
= 520755) 1:13 PM: HKLM\software\classes\clsid\{364b6276-c6c1-40b6-a6d7-6c48871fd707}\ (10 subtraces) (ID = 520759) 1:13 PM: Found Adware: winantispyware 2005 1:13 PM: HKCR\pcheck.pcheck\ (5 subtraces) (ID = 812703) 1:13 PM: HKCR\pcheck.pcheck.1\ (3 subtraces) (ID = 812709) 1:13 PM: HKCR\clsid\{fd1a9e6b-05da-4ca2-830d-654da1ddbd9e}\ (14 subtraces) (ID = 812934) 1:13 PM: HKCR\typelib\{3bff2ef1-25ba-4342-a1e8-ec1e2cb9f22b}\ (9 subtraces) (ID = 812960) 1:13 PM: HKLM\software\classes\pcheck.pcheck\ (5 subtraces) (ID = 813205) 1:13 PM: HKLM\software\classes\pcheck.pcheck.1\ (3 subtraces) (ID = 813211) 1:13 PM: HKLM\software\classes\clsid\{fd1a9e6b-05da-4ca2-830d-654da1ddbd9e}\ (14 subtraces) (ID = 813436) 1:13 PM: HKLM\software\classes\typelib\{3bff2ef1-25ba-4342-a1e8-ec1e2cb9f22b}\ (9 subtraces) (ID = 813462) 1:13 PM: Found Adware: systemprocess 1:13 PM: HKLM\software\microsoft\windows\currentversion\uninstall\startup\ (2 subtraces) (ID = 860412) 1:13 PM: HKLM\software\classes\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 920458) 1:13 PM: HKCR\abar.abarband.1\ (3 subtraces) (ID = 954980) 1:13 PM: HKLM\software\classes\clsid\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (11 subtraces) (ID = 955049) 1:13 PM: Found Adware: one2one viewer 1:13 PM: HKU\S-1-5-21-1417001333-1060284298-839522115-1006\software\livesvc\ (ID = 136368) 1:13 PM: HKU\S-1-5-21-1417001333-1060284298-839522115-1006\software\system process\ (1 subtraces) (ID = 860389) 1:13 PM: HKU\S-1-5-21-1417001333-1060284298-839522115-1006\software\system process\ || lastptime (ID = 860390) 1:13 PM: HKU\S-1-5-21-1417001333-1060284298-839522115-1006\software\microsoft\internet explorer\urlsearchhooks\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (ID = 955003) 1:13 PM: Registry Sweep Complete, Elapsed Time:00:00:23 1:13 PM: Starting Cookie Sweep 1:13 PM: Found Spy Cookie: 888 cookie 1:13 PM: michael@888[2].txt (ID = 2019) 1:13 PM: Found Spy Cookie: adultfriendfinder cookie 1:13 PM: 
michael@adultfriendfinder[1].txt (ID = 2165) 1:13 PM: Found Spy Cookie: atlas dmt cookie 1:13 PM: michael@atdmt[2].txt (ID = 2253) 1:13 PM: Found Spy Cookie: adserver cookie 1:13 PM: michael@z1.adserver[2].txt (ID = 2142) 1:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 1:13 PM: Starting File Sweep 1:13 PM: c:\program files\accoona (2 subtraces) (ID = -2147476360) 1:13 PM: Found Adware: lopdotcom 1:13 PM: c:\program files\c2media (ID = -2147480676) 1:13 PM: Found Trojan Horse: magiccontrol 1:13 PM: c:\windows\mslagent (ID = -2147480615) 1:13 PM: c:\program files\common files\winsoftware (2 subtraces) (ID = -2147476682) 1:13 PM: Found Adware: bullguard popup ad 1:13 PM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409) 1:13 PM: c:\program files\yoursitebar (ID = -2147479984) 1:15 PM: bulldownload.exe (ID = 52017) 1:18 PM: dm.inf (ID = 53552) 1:18 PM: Found Adware: addestroyer 1:18 PM: inneradinstall.log (ID = 49035) 1:18 PM: Found Adware: virtualbouncer 1:18 PM: innervbinstall.log (ID = 82805) 1:27 PM: idolbrowsereal.exe (ID = 90) 1:27 PM: ustart.exe (ID = 161346) 1:29 PM: Found Adware: tvmedia 1:29 PM: tvmknwrd.dll (ID = 81726) 1:29 PM: Found Adware: netpal 1:29 PM: big fish games.url (ID = 70885) 1:29 PM: flyordie games.url (ID = 70890) 1:29 PM: Found Adware: directrevenue-abetterinternet 1:29 PM: biini.inf (ID = 83199) 1:29 PM: hqrhil7kg.ini (ID = 75789) 1:29 PM: alchem.inf (ID = 83109) 1:33 PM: backup-20051207-132932-119.inf (ID = 63678) 1:33 PM: backup-20051207-132932-155.inf (ID = 63879) 1:33 PM: backup-20051207-132933-601.inf (ID = 63873) 1:33 PM: backup-20051207-132933-385.inf (ID = 63886) 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:33 PM: Warning: Invalid Stream 1:34 PM: File Sweep Complete, Elapsed Time: 00:20:45 1:34 PM: Full Sweep has completed. 
Elapsed time 00:25:01 1:34 PM: Traces Found: 302 1:39 PM: Removal process initiated 1:39 PM: Quarantining All Traces: directrevenue-abetterinternet 1:39 PM: Quarantining All Traces: lopdotcom 1:39 PM: Quarantining All Traces: magiccontrol 1:39 PM: Quarantining All Traces: rbot 1:39 PM: Quarantining All Traces: comet cursor 1:39 PM: Quarantining All Traces: scbar 1:39 PM: Quarantining All Traces: winad 1:39 PM: Quarantining All Traces: accoona toolbar 1:39 PM: Quarantining All Traces: addestroyer 1:39 PM: Quarantining All Traces: bookedspace 1:39 PM: Quarantining All Traces: bullguard popup ad 1:39 PM: Quarantining All Traces: clipgenie 1:39 PM: Quarantining All Traces: instant access 1:40 PM: Quarantining All Traces: ist software 1:40 PM: Quarantining All Traces: ist yoursitebar 1:40 PM: Quarantining All Traces: limeshop 1:40 PM: Quarantining All Traces: netpal 1:40 PM: Quarantining All Traces: one2one viewer 1:40 PM: Quarantining All Traces: opensite 1:40 PM: Quarantining All Traces: shopathomeselect 1:40 PM: Quarantining All Traces: surf accuracy 1:40 PM: Quarantining All Traces: systemprocess 1:40 PM: Quarantining All Traces: tvmedia 1:40 PM: Quarantining All Traces: virtualbouncer 1:40 PM: Quarantining All Traces: winantispyware 2005 1:40 PM: Quarantining All Traces: wurldmedia 1:40 PM: Quarantining All Traces: 888 cookie 1:40 PM: Quarantining All Traces: adserver cookie 1:40 PM: Quarantining All Traces: adultfriendfinder cookie 1:40 PM: Quarantining All Traces: atlas dmt cookie 1:40 PM: Removal process completed. Elapsed time 00:01:09 ******** 1:07 PM: | Start of Session, Sunday, December 18, 2005 | 1:07 PM: Spy Sweeper started 1:08 PM: Your spyware definitions have been updated. 1:09 PM: | End of Session, Sunday, December 18, 2005 |

#10 ken545


Posted 17 December 2005 - 10:46 PM

Mickey, post a new HJT log; it looks like the one you just posted was from before you ran Ewido and Spysweeper. Both those programs look like they got rid of a bunch of garbage. How are the pop-ups now that you have run those two programs? Just for future reference, always post a new HJT log after we run any programs or fixes so I can see what it fixed or did not fix. Ken :D

 
 


#11 Mikey_D


Posted 18 December 2005 - 12:04 AM

Okay, here's another HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:29 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
D:\Programs\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0DAA4E-35A3-4970-822E-F5F405E54798}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

Yeah, I think I'm pretty much pop-up free now, but now there's another problem. Windows Media Player seems to be glitching, not displaying the title of the song and the artist, and also the plug-in for displaying MP3s in MSN Messenger seems to have gone missing. I wonder if you know how to reinstall it. Plus the fields in the program Warez P2P appear black. I remember something similar happening when I had Kazaa on the computer, and once I deleted it, that solved the problem. It's definitely spyware related, whatever it is, but I thought you should know about it.

Thanks,
Mikey

#12 ken545


Posted 18 December 2005 - 12:45 PM

Mickey,

Your log is looking much better. Here is info on MessengerPlus3; as you can see, it comes bundled with the Lop infection, which is some of the garbage that Spysweeper and Ewido removed.
http://www.auditmypc...ess/msgplus.asp

I would suggest removing both these lines with HJT:

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart


This line I am not sure of. Do you use a program called SeekUser? If not, then remove this line also.
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe

Is this your ISP?
vic.bigpond.net.au
telstrabigpond


This program will clean you up real well
Download and Install http://www.ccleaner.com/
* Click on Run Cleaner

You can download and install Windows Media Player 10 HERE

As far as Warez P2P, you might try downloading and installing it again. I am not a big fan of File Sharing, this is what got you into trouble in the first place.


Post back with one more HJT log and let me know how you're doing.

 
 

#13 Mikey_D


Posted 18 December 2005 - 11:14 PM

Okay, I've deleted those O4 entries for MSNPlus and Delete Logo Blue and done a clean with CCleaner, and it seems that it's fixed the glitching problem with Windows Media Player. The plug-in's back in there and the song title is displaying itself again, so I'm really pleased about that. I've decided to remove Warez P2P completely just in case that was one of the causes. Yes, my IP is with Telstra BigPond Broadband. Unfortunately, I'm still getting the occasional pop-up here and there, but everything else seems much better.

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:07:26 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\Avast!\aswUpdSv.exe
D:\Programs\Avast!\ashserv.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\SpywareGuard\sgbhp.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0DAA4E-35A3-4970-822E-F5F405E54798}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

Thanks,
Mikey
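Comparing each new HJT log with the previous one shows what a fix actually changed. As an added example (not part of the thread, and not code from HijackThis or the forum), the Python below parses two logs in the v1.99.1 format shown here and reports the entries a cleanup removed, the entries whose target file is gone, and the O4 autoruns that start from a profile's Application Data folder. The sample input is a few lines excerpted from the 12/18 and 12/19 logs above; the function names and the Application Data heuristic are assumptions of this example.

```python
import re

# Section codes HijackThis uses: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
SAVED_RE = re.compile(r"^Scan saved at (.+)$")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
# Assumption of this example: an autorun that starts from a profile's
# Application Data folder (long or 8.3 short name) deserves a closer look.
PROFILE_RE = re.compile(r"\\(?:application data|applic~\d)\\", re.IGNORECASE)

# Sample input: a few lines excerpted from the 12/18 and 12/19 logs in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:58:29 PM, on 12/18/2005

Running processes:
C:\WINDOWS\Explorer.EXE
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:07:26 PM, on 12/19/2005

Running processes:
C:\WINDOWS\Explorer.EXE
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def parse_hjt(text):
    """Split a HijackThis log into scan time, running processes and (section, body) entries."""
    log = {"saved": None, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        saved = SAVED_RE.match(line)
        if saved:
            log["saved"] = saved.group(1)
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            log["entries"].append((entry.group(1), entry.group(2)))
        elif in_processes:
            log["processes"].append(line)
    return log


def _key(entry):
    """Compare entries case-insensitively, since Windows paths and key names are."""
    section, body = entry
    return section, " ".join(body.lower().split())


def diff_entries(before, after):
    """Entries removed, added and kept between two parsed logs, in log order."""
    old = {_key(e): e for e in before["entries"]}
    new = {_key(e): e for e in after["entries"]}
    return {
        "removed": [e for k, e in old.items() if k not in new],
        "added": [e for k, e in new.items() if k not in old],
        "kept": [e for k, e in new.items() if k in old],
    }


def orphans(log):
    """Entries HijackThis marked '(file missing)' or '(no file)': leftover registry references."""
    return [e for e in log["entries"] if ORPHAN_RE.search(e[1])]


def profile_autoruns(log):
    """O4 (startup) entries whose command line points into an Application Data folder."""
    return [e for e in log["entries"] if e[0] == "O4" and PROFILE_RE.search(e[1])]


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    changes = diff_entries(before, after)
    print("Comparing", before["saved"], "->", after["saved"])
    for label in ("removed", "added"):
        for section, body in changes[label]:
            print(f"  {label:8}{section} - {body}")
    for section, body in orphans(after):
        print(f"  orphan  {section} - {body}")
    for section, body in profile_autoruns(after):
        print(f"  review  {section} - {body}")
```
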

#14 ken545


Posted 19 December 2005 - 10:31 AM

Mikey,

Go to the Add-Remove Programs in the Control Panel and remove this program, it may be the source of the pop ups. If you decide that you want to use it, redownload it and be very choosy about what you install with it during the installation.

C:\Program Files\Messenger Plus! 3



Your JAVA is out of date and it is leaving your system vulnerable. Download the latest update from Sun Microsystems HERE. Scroll to the middle of the page and download JRE 5.0 Update 6. After the installation, you can go HERE to verify the installation.

Post back with a new log and let me know if removing Messenger Plus3 has helped.

Ken :D

 
 

#15 Mikey_D


Posted 19 December 2005 - 11:39 PM

I couldn't find Messenger Plus 3 in the Add/Remove Programs list, but I did manage to find the folder messenger in C:/Program Files and deleted that, as it was the closest I could find to the program. That version was 4.7 and I currently have the most recent version of 7.5, so no harm done there. I've also installed that Java program you said to and ran the test...it works fine. I haven't noticed any more pop-ups as a result, so it's looking very promising :)

Here's another HJT log, just in case there's anything else that needs removing:

Logfile of HijackThis v1.99.1
Scan saved at 4:36:21 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Avast!\aswUpdSv.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashserv.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
D:\Programs\SpywareGuard\sgbhp.exe
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0DAA4E-35A3-4970-822E-F5F405E54798}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

I've noticed a couple of Messenger-related entries in there, plus DELETE LOGO BLUE doesn't seem to want to go away; I've removed it twice. Anyway, I just thought you should know about those.
Oh, by the way, a pop-up blocker has installed itself in Internet Explorer. From the FAQ I read on it, it seems to just be an IE pop-up blocker and it might be responsible for the pop-ups I've been getting. However, I can't seem to find the folder to remove it.

Thanks so much,
Mikey

Edited by Mikey_D, 19 December 2005 - 11:58 PM.
