someone please help me, this is my hijackthis log



#1 diniba69


Posted 02 November 2005 - 07:13 PM

Here's my log. I tried using Ad-Aware, Spyware Doctor, ZoneAlarm, and I tried System Restore. They did not help. I used to be able to remove this stuff manually, but I cannot figure this one out.
Thanks to anyone who can help me. I really appreciate it, as my computer is basically unusable right now due to the constant popups, and I do not want to have to reload XP.



Logfile of HijackThis v1.99.1
Scan saved at 7:46:34 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Q29tcGFxX093bmVy\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://interface.net...opcuploader.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hr0005dme.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q29tcGFxX093bmVy\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 pskelley


Posted 06 November 2005 - 03:28 PM

Hello and welcome to TomCoyote forum. If you still need help and are not receiving it elsewhere, I will see what I can do. First, let me tell you that this stuff is getting harder and harder to keep up with. Volunteers are swamped and it does not look like it is going to get easier. You have a couple of problems, but they very well may have originated with the one trojan. Spy Sweeper recently updated their software to remove this trojan and were nice enough to offer a trial. Please follow the instructions carefully.

1) Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important.


2) Open Task Manager then the Processes tab. Locate and end process on this item: C:\WINDOWS\Q29tcGFxX093bmVy\command.exe

3) Disable the offending Service
Click Start > Run and type services.msc.
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type cmdService and press OK.
OK any prompts, close HijackThis, and restart your computer.

Turn off Spyware Doctor, it may block the fix, remember to turn it back on!

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

These R0/R1 are optional lines and clutter, if you don't use them, remove them.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hr0005dme.dll <<< may be gone just do not miss it
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q29tcGFxX093bmVy\command.exe <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\hr0005dme.dll >>> file (may be gone, just do not miss it)

C:\WINDOWS\Q29tcGFxX093bmVy\ >>> folder (may be gone)

C:\Windows\Prefetch: Locate this folder and delete all of the contents (NOT THE FOLDER) This information will tell you more about Prefetch:
http://www.windowsne...refetch-XP.html

Click on START, RUN then type "cleanmgr" and OK. Allow Windows to remove anything it locates. Restart the computer and post the Spy Sweeper log and a new HJT log in this same thread. Let me know how the computer is running now.

Thanks...pskelley
TomCoyote forum
Expert Member

Edited by pskelley, 06 November 2005 - 03:31 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
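
Added example, not part of the original thread or of HijackThis: a small Python triage of the log lines singled out in the reply above. It flags O23 services listed as "Unknown owner", O20 Winlogon Notify DLLs for vendor confirmation, and any path component that is the Base64 encoding of a user profile name found elsewhere in the log (here `Q29tcGFxX093bmVy` decodes to `Compaq_Owner`). The rule set and function names are assumptions made for illustration; the sample lines are copied from the first post.

```python
import base64
import binascii
import re

# Constructed sample: a handful of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Q29tcGFxX093bmVy\command.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hr0005dme.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q29tcGFxX093bmVy\command.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O23 - ...", "R1 - ..." etc.; lines without such a prefix are treated as process paths.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def profile_names(log):
    """User names that appear in profile paths anywhere in the log, lower-cased."""
    return {name.lower() for name in PROFILE_RE.findall(log)}


def base64_profile_component(line, names):
    """Return the decoded user name if a path component is Base64 of one, else None."""
    for part in line.split("\\"):
        if not B64_RE.match(part):
            continue
        try:
            decoded = base64.b64decode(part, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            # Not valid Base64, or decodes to non-text bytes (e.g. "system32").
            continue
        if decoded.lower() in names:
            return decoded
    return None


def triage(log):
    """Return (code, line, reasons) for every log line that needs a closer look."""
    names = profile_names(log)
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        code = match.group(1) if match else "process"
        reasons = []
        if code == "O23" and " - Unknown owner - " in line:
            reasons.append("service listed with 'Unknown owner'")
        user = base64_profile_component(line, names)
        if user:
            reasons.append(f"path component is Base64 of user name {user!r}")
        if code == "O20":
            reasons.append("DLL loaded by winlogon.exe; confirm the vendor")
        if reasons:
            findings.append((code, line, reasons))
    return findings


if __name__ == "__main__":
    for code, line, reasons in triage(SAMPLE_LOG):
        print(f"[{code}] {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

The O20 rule is deliberately broad: it also lists legitimate notify packages such as the Spy Sweeper one in the follow-up log, so treat it as a prompt to check the vendor rather than a verdict.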

#3 diniba69


Posted 09 November 2005 - 04:55 PM

Thanks for the help. I ran Spy Sweeper last week and it seemed to cure the problem, but I followed what you wrote just in case. Here's a post of my recent logs.

Logfile of HijackThis v1.99.1
Scan saved at 5:33:53 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://interface.net...opcuploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://friendster.ob...aploader_v5.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

********
5:37 PM: | Start of Session, Wednesday, November 09, 2005 |
5:37 PM: Spy Sweeper started
5:37 PM: Sweep initiated using definitions version 564
5:37 PM: Starting Memory Sweep
5:40 PM: Memory Sweep Complete, Elapsed Time: 00:02:21
5:40 PM: Starting Registry Sweep
5:40 PM: Registry Sweep Complete, Elapsed Time:00:00:15
5:40 PM: Starting Cookie Sweep
5:40 PM: Found Spy Cookie: pointroll cookie
5:40 PM: compaq_owner@ads.pointroll[1].txt (ID = 3148)
5:40 PM: Found Spy Cookie: advertising cookie
5:40 PM: compaq_owner@advertising[2].txt (ID = 2175)
5:40 PM: Found Spy Cookie: falkag cookie
5:40 PM: compaq_owner@as-us.falkag[2].txt (ID = 2650)
5:40 PM: Found Spy Cookie: ask cookie
5:40 PM: compaq_owner@ask[1].txt (ID = 2245)
5:40 PM: Found Spy Cookie: atlas dmt cookie
5:40 PM: compaq_owner@atdmt[1].txt (ID = 2253)
5:40 PM: Found Spy Cookie: casalemedia cookie
5:40 PM: compaq_owner@casalemedia[2].txt (ID = 2354)
5:40 PM: Found Spy Cookie: centrport net cookie
5:40 PM: compaq_owner@centrport[1].txt (ID = 2374)
5:40 PM: Found Spy Cookie: fastclick cookie
5:40 PM: compaq_owner@fastclick[1].txt (ID = 2651)
5:40 PM: Found Spy Cookie: questionmarket cookie
5:40 PM: compaq_owner@questionmarket[1].txt (ID = 3217)
5:40 PM: Found Spy Cookie: servedby advertising cookie
5:40 PM: compaq_owner@servedby.advertising[2].txt (ID = 3335)
5:40 PM: Found Spy Cookie: serving-sys cookie
5:40 PM: compaq_owner@serving-sys[2].txt (ID = 3343)
5:40 PM: Found Spy Cookie: statcounter cookie
5:40 PM: compaq_owner@statcounter[1].txt (ID = 3447)
5:40 PM: Found Spy Cookie: tradedoubler cookie
5:40 PM: compaq_owner@tradedoubler[1].txt (ID = 3575)
5:40 PM: Found Spy Cookie: tribalfusion cookie
5:40 PM: compaq_owner@tribalfusion[1].txt (ID = 3589)
5:40 PM: Found Spy Cookie: adserver cookie
5:40 PM: compaq_owner@z1.adserver[1].txt (ID = 2142)
5:40 PM: Found Spy Cookie: zedo cookie
5:40 PM: compaq_owner@zedo[1].txt (ID = 3762)
5:40 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:40 PM: Starting File Sweep
5:51 PM: File Sweep Complete, Elapsed Time: 00:10:27
5:51 PM: Full Sweep has completed. Elapsed time 00:13:07
5:51 PM: Traces Found: 16
5:54 PM: Removal process initiated
5:54 PM: Quarantining All Traces: adserver cookie
5:54 PM: Quarantining All Traces: advertising cookie
5:54 PM: Quarantining All Traces: ask cookie
5:54 PM: Quarantining All Traces: atlas dmt cookie
5:54 PM: Quarantining All Traces: casalemedia cookie
5:54 PM: Quarantining All Traces: centrport net cookie
5:54 PM: Quarantining All Traces: falkag cookie
5:54 PM: Quarantining All Traces: fastclick cookie
5:54 PM: Quarantining All Traces: pointroll cookie
5:54 PM: Quarantining All Traces: questionmarket cookie
5:54 PM: Quarantining All Traces: servedby advertising cookie
5:54 PM: Quarantining All Traces: serving-sys cookie
5:54 PM: Quarantining All Traces: statcounter cookie
5:54 PM: Quarantining All Traces: tradedoubler cookie
5:54 PM: Quarantining All Traces: tribalfusion cookie
5:54 PM: Quarantining All Traces: zedo cookie
5:54 PM: Removal process completed. Elapsed time 00:00:03
********
5:29 PM: | Start of Session, Thursday, November 03, 2005 |
5:29 PM: Spy Sweeper started
5:29 PM: Sweep initiated using definitions version 564
5:29 PM: Starting Memory Sweep
5:32 PM: Memory Sweep Complete, Elapsed Time: 00:02:15
5:32 PM: Starting Registry Sweep
5:32 PM: Registry Sweep Complete, Elapsed Time:00:00:18
5:32 PM: Starting Cookie Sweep
5:32 PM: Found Spy Cookie: centrport net cookie
5:32 PM: compaq_owner@centrport[1].txt (ID = 2374)
5:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:32 PM: Starting File Sweep
5:40 PM: File Sweep Complete, Elapsed Time: 00:08:28
5:40 PM: Full Sweep has completed. Elapsed time 00:11:09
5:40 PM: Traces Found: 1
5:45 PM: Removal process initiated
5:45 PM: Quarantining All Traces: centrport net cookie
5:45 PM: Removal process completed. Elapsed time 00:00:05
5:37 PM: Processing Internet Explorer Favorites Alerts
5:37 PM: Allowed IE Favorite: Crystal Castles (version 4) ROM Download for MAME - ROM World
5:37 PM: | End of Session, Wednesday, November 09, 2005 |
********
5:07 PM: | Start of Session, Thursday, November 03, 2005 |
5:07 PM: Spy Sweeper started
5:07 PM: Sweep initiated using definitions version 564
5:07 PM: Starting Memory Sweep
5:08 PM: Found Adware: icannnews
5:08 PM: Detected running threat: C:\WINDOWS\system32\kt46l7hs1.dll (ID = 83)
5:08 PM: Detected running threat: C:\WINDOWS\system32\Mavcrtd.dll (ID = 83)
5:09 PM: Found Adware: isearch desktop search
5:09 PM: Detected running threat: C:\WINDOWS\Q29tcGFxX093bmVy\command.exe (ID = 144946)
5:09 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:11 PM: Memory Sweep Complete, Elapsed Time: 00:03:13
5:11 PM: Starting Registry Sweep
5:11 PM: Found Adware: targetsaver
5:11 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
5:11 PM: Found Adware: targetsoft
5:11 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
5:11 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
5:11 PM: HKU\S-1-5-21-714673819-3878579106-4099862545-1009\software\tsl2\ (1 subtraces) (ID = 143616)
5:11 PM: Found Adware: findthewebsiteyouneed hijacker
5:11 PM: HKU\S-1-5-21-714673819-3878579106-4099862545-1009\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
5:11 PM: Registry Sweep Complete, Elapsed Time:00:00:19
5:11 PM: Starting Cookie Sweep
5:11 PM: Found Spy Cookie: 64.62.232 cookie
5:11 PM: compaq_owner@64.62.232[2].txt (ID = 1987)
5:11 PM: compaq_owner@64.62.232[3].txt (ID = 1987)
5:11 PM: compaq_owner@64.62.232[4].txt (ID = 1987)
5:11 PM: compaq_owner@64.62.232[5].txt (ID = 1987)
5:11 PM: Found Spy Cookie: go.com cookie
5:11 PM: compaq_owner@abclocal.go[1].txt (ID = 2729)
5:11 PM: Found Spy Cookie: yieldmanager cookie
5:11 PM: compaq_owner@ad.yieldmanager[2].txt (ID = 3751)
5:11 PM: Found Spy Cookie: adknowledge cookie
5:11 PM: compaq_owner@adknowledge[2].txt (ID = 2072)
5:11 PM: Found Spy Cookie: specificclick.com cookie
5:11 PM: compaq_owner@adopt.specificclick[2].txt (ID = 3400)
5:11 PM: Found Spy Cookie: cc214142 cookie
5:11 PM: compaq_owner@ads.cc214142[1].txt (ID = 2367)
5:11 PM: Found Spy Cookie: adultfriendfinder cookie
5:11 PM: compaq_owner@adultfriendfinder[2].txt (ID = 2165)
5:11 PM: Found Spy Cookie: askmen cookie
5:11 PM: compaq_owner@askmen[2].txt (ID = 2247)
5:11 PM: Found Spy Cookie: ask cookie
5:11 PM: compaq_owner@ask[1].txt (ID = 2245)
5:11 PM: Found Spy Cookie: belnk cookie
5:11 PM: compaq_owner@ath.belnk[1].txt (ID = 2293)
5:11 PM: Found Spy Cookie: banner cookie
5:11 PM: compaq_owner@banner[2].txt (ID = 2276)
5:11 PM: compaq_owner@belnk[1].txt (ID = 2292)
5:11 PM: Found Spy Cookie: 2o7.net cookie
5:11 PM: compaq_owner@buycom.122.2o7[1].txt (ID = 1958)
5:11 PM: Found Spy Cookie: coolsavings cookie
5:11 PM: compaq_owner@coolsavings[2].txt (ID = 2465)
5:11 PM: compaq_owner@dist.belnk[2].txt (ID = 2293)
5:11 PM: Found Spy Cookie: about cookie
5:11 PM: compaq_owner@dogs.about[1].txt (ID = 2038)
5:11 PM: compaq_owner@go[1].txt (ID = 2728)
5:11 PM: Found Spy Cookie: homestore cookie
5:11 PM: compaq_owner@homestore[1].txt (ID = 2793)
5:11 PM: compaq_owner@longisland.about[1].txt (ID = 2038)
5:11 PM: Found Spy Cookie: nextag cookie
5:11 PM: compaq_owner@nextag[2].txt (ID = 5014)
5:11 PM: Found Spy Cookie: pricegrabber cookie
5:11 PM: compaq_owner@pricegrabber[2].txt (ID = 3185)
5:11 PM: Found Spy Cookie: rn11 cookie
5:11 PM: compaq_owner@rn11[2].txt (ID = 3261)
5:11 PM: Found Spy Cookie: adjuggler cookie
5:11 PM: compaq_owner@rotator.adjuggler[1].txt (ID = 2071)
5:11 PM: Found Spy Cookie: dealtime cookie
5:11 PM: compaq_owner@stat.dealtime[1].txt (ID = 2506)
5:11 PM: compaq_owner@vetmedicine.about[1].txt (ID = 2038)
5:11 PM: Found Spy Cookie: videodome cookie
5:11 PM: compaq_owner@videodome[1].txt (ID = 3638)
5:11 PM: Found Spy Cookie: clickzs cookie
5:11 PM: compaq_owner@vip.clickzs[1].txt (ID = 2413)
5:11 PM: Found Spy Cookie: burstbeacon cookie
5:11 PM: compaq_owner@www.burstbeacon[2].txt (ID = 2335)
5:11 PM: Found Spy Cookie: burstnet cookie
5:11 PM: compaq_owner@www.burstnet[2].txt (ID = 2337)
5:11 PM: Found Spy Cookie: web-stat cookie
5:11 PM: compaq_owner@www.web-stat[1].txt (ID = 3649)
5:11 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
5:11 PM: Starting File Sweep
5:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:12 PM: Found Adware: look2me
5:12 PM: irrol5931.dll (ID = 163672)
5:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: Found Adware: effective-i toolbar
5:14 PM: ucmoreiex[1].exe (ID = 59853)
5:14 PM: dc1.exe (ID = 59853)
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:17 PM: Found Adware: apropos
5:17 PM: atmtd.dll (ID = 166754)
5:17 PM: atmtd.dll._ (ID = 166754)
5:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:17 PM: Found Adware: isearch toolbar
5:17 PM: installer[1].exe (ID = 154747)
5:18 PM: command.exe (ID = 144946)
5:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: rwqwc.dll (ID = 78253)
5:18 PM: vocabulary (ID = 78283)
5:18 PM: class-barrel (ID = 78229)
5:18 PM: tsupdate[1].ini (ID = 112322)
5:18 PM: dc8.exe (ID = 78276)
5:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: File Sweep Complete, Elapsed Time: 00:09:24
5:20 PM: Full Sweep has completed. Elapsed time 00:13:03
5:20 PM: Traces Found: 59
5:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:22 PM: Removal process initiated
5:23 PM: Quarantining All Traces: look2me
5:23 PM: look2me is in use. It will be removed on reboot.
5:23 PM: irrol5931.dll is in use. It will be removed on reboot.
5:23 PM: Quarantining All Traces: apropos
5:23 PM: Quarantining All Traces: effective-i toolbar
5:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:23 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
5:23 PM: Quarantining All Traces: icannnews
5:23 PM: icannnews is in use. It will be removed on reboot.
5:23 PM: C:\WINDOWS\system32\kt46l7hs1.dll is in use. It will be removed on reboot.
5:23 PM: C:\WINDOWS\system32\Mavcrtd.dll is in use. It will be removed on reboot.
5:23 PM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
5:23 PM: Quarantining All Traces: isearch desktop search
5:23 PM: isearch desktop search is in use. It will be removed on reboot.
5:23 PM: command.exe is in use. It will be removed on reboot.
5:23 PM: Quarantining All Traces: isearch toolbar
5:23 PM: Quarantining All Traces: targetsaver
5:23 PM: Quarantining All Traces: targetsoft
5:23 PM: Quarantining All Traces: 2o7.net cookie
5:23 PM: Quarantining All Traces: 64.62.232 cookie
5:23 PM: Quarantining All Traces: about cookie
5:23 PM: Quarantining All Traces: adjuggler cookie
5:23 PM: Quarantining All Traces: adknowledge cookie
5:23 PM: Quarantining All Traces: adultfriendfinder cookie
5:23 PM: Quarantining All Traces: ask cookie
5:23 PM: Quarantining All Traces: askmen cookie
5:23 PM: Quarantining All Traces: banner cookie
5:23 PM: Quarantining All Traces: belnk cookie
5:23 PM: Quarantining All Traces: burstbeacon cookie
5:23 PM: Quarantining All Traces: burstnet cookie
5:23 PM: Quarantining All Traces: cc214142 cookie
5:23 PM: Quarantining All Traces: clickzs cookie
5:23 PM: Quarantining All Traces: coolsavings cookie
5:23 PM: Quarantining All Traces: dealtime cookie
5:23 PM: Quarantining All Traces: go.com cookie
5:23 PM: Quarantining All Traces: homestore cookie
5:23 PM: Quarantining All Traces: nextag cookie
5:23 PM: Quarantining All Traces: pricegrabber cookie
5:23 PM: Quarantining All Traces: rn11 cookie
5:23 PM: Quarantining All Traces: specificclick.com cookie
5:23 PM: Quarantining All Traces: videodome cookie
5:23 PM: Quarantining All Traces: web-stat cookie
5:23 PM: Quarantining All Traces: yieldmanager cookie
5:23 PM: Preparing to restart your computer. Please wait...
5:23 PM: Removal process completed. Elapsed time 00:01:51
********
5:07 PM: | Start of Session, Thursday, November 03, 2005 |
5:07 PM: Spy Sweeper started
5:07 PM: Your spyware definitions have been updated.
5:07 PM: | End of Session, Thursday, November 03, 2005 |

#4 pskelley

Posted 09 November 2005 - 06:47 PM

Hi, that is good to hear. I need you to post another HJT log, and do not double space; post it like the first one. If you turned word wrap on in Notepad, turn it off.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 diniba69

Posted 13 November 2005 - 09:04 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:03:37 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://interface.net...opcuploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://friendster.ob...aploader_v5.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 pskelley

Posted 13 November 2005 - 09:18 AM

Thanks for the new log, my scanner liked it and it looks great. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Safe surfing...Phil :wavey:

Thanks...pskelley

#7 pskelley

Posted 14 November 2005 - 06:59 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418
