Possible Browser hijack, Help please?


  • This topic is locked
12 replies to this topic

#1 BSJohnson


Posted 17 November 2005 - 10:14 PM

I've scoured the topics on this forum and none of the solutions I've tried from here have worked. I don't know what it is, and I don't know how to fix it. All I DO know is that I'm continuously receiving popup ads that all seem very similar, as if the same company keeps sending them. Any help would be very appreciated. Thanks.

Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:11:10 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
F:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
F:\Program Files\LimeWire\LimeWire.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Trillian\trillian.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\System32\cisvc.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\WINDOWS\system32\hpoipm07.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Patrick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [uknqyl] f:\windows\system32\tcftfh.exe
O4 - HKLM\..\Run: [Ad-Aware] "F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\system32\dnnu0159e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 BSJohnson


Posted 18 November 2005 - 11:10 AM

Still looking for help.

#3 pskelley


Posted 22 November 2005 - 11:12 AM

Hello Patrick and welcome to TomCoyote forum. Sorry about the wait, the volunteers are extremely busy. If you still need help, please do this:

1) First move HJT from the: Desktop\HijackThis.exe...I prefer C:\HJT\HijackThis.exe. If you need additional instruction use these: http://russelltexas....tehjtfolder.htm

2) Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important

Spyware Doctor may stop the fix with HJT. Turn it off until you are done.

I see Ad-aware Pro, if you have Ad-Watch activated it must be turned off for HJT to work.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [uknqyl] f:\windows\system32\tcftfh.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\system32\dnnu0159e.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

f:\windows\system32\tcftfh.exe >>> file

F:\Program Files\LimeWire\ >>> folder

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

Click on START > RUN and type "cleanmgr" without the quotes into the box then OK. Allow the program to run and remove anything Windows locates. Empty the recycle bin and restart the computer.

Then please copy and paste the SpySweeper log and a new HJT log into this thread. We may have more to do.

Thanks...pskelley
TomCoyote forum
Expert Member

Edited by pskelley, 22 November 2005 - 11:13 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
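
A check for the end of the procedure above, added here as an example (it is not part of pskelley's post and not a HijackThis feature): it compares the "Fix Checked" lines against the HJT log taken before the fix and the one taken after the restart, and reports which targeted lines persist and which result lines are new. The function names are illustrative, and the `AFTER` log with its `ExampleKey` entry is constructed sample data.

```python
import re

# A HijackThis result line is "<section> - <detail>", where the section code is
# R0-R3, F0-F3, N1-N4 or O1-O23. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Map a normalized key to the original (section, detail) of each result line."""
    entries = {}
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        section, detail = match.group(1), match.group(2).strip()
        # Windows paths and registry names are case-insensitive, and forum
        # copy/paste changes spacing, so compare case-folded, space-collapsed text.
        key = (section, " ".join(detail.split()).lower())
        entries[key] = (section, detail)
    return entries


def verify_fix(fix_list, before_log, after_log):
    """Classify each targeted line and list result lines that appeared after the fix."""
    targeted = parse_entries(fix_list)
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    report = {"removed": [], "persisting": [], "not_in_before": [], "new": []}
    for key, entry in targeted.items():
        if key in after:
            report["persisting"].append(entry)     # the fix did not hold
        elif key in before:
            report["removed"].append(entry)
        else:
            report["not_in_before"].append(entry)  # mistyped or never present
    for key, entry in after.items():
        if key not in before:
            report["new"].append(entry)            # appeared between the two scans
    return report


# Lines taken from the first HJT log in this thread (abridged).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
F:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [uknqyl] f:\windows\system32\tcftfh.exe
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\system32\dnnu0159e.dll
"""

# Three of the lines listed in step 3 of the post above.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
O4 - HKLM\..\Run: [uknqyl] f:\windows\system32\tcftfh.exe
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\system32\dnnu0159e.dll
"""

# CONSTRUCTED follow-up log (not from the thread): two targeted lines are gone,
# the O20 line is still present, and a placeholder O20 entry has appeared.
AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O20 - Winlogon Notify: SMDEn - F:\WINDOWS\SYSTEM32\dnnu0159e.dll
O20 - Winlogon Notify: ExampleKey - F:\WINDOWS\system32\placeholder-example.dll
"""

if __name__ == "__main__":
    result = verify_fix(FIX_LIST, BEFORE, AFTER)
    for status in ("removed", "persisting", "not_in_before", "new"):
        for section, detail in result[status]:
            print(f"{status:14} {section} - {detail}")
```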

#4 BSJohnson


Posted 22 November 2005 - 12:57 PM

Ok ... I've done everything there and here are the logs.

********
11:43 AM: | Start of Session, Tuesday, November 22, 2005 |
11:43 AM: Spy Sweeper started
11:43 AM: Sweep initiated using definitions version 574
11:43 AM: Starting Memory Sweep
11:43 AM: Found Adware: icannnews
11:43 AM: Detected running threat: F:\WINDOWS\system32\mhiole32.dll (ID = 83)
11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 AM: Detected running threat: F:\WINDOWS\system32\lvr4099qe.dll (ID = 83)
11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 AM: Memory Sweep Complete, Elapsed Time: 00:02:53
11:46 AM: Starting Registry Sweep
11:46 AM: Found Trojan Horse: spamrelayer_alpiok
11:46 AM: HKCR\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913291)
11:46 AM: HKLM\software\classes\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913513)
11:46 AM: Found Adware: dollarrevenue
11:46 AM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
11:46 AM: Found Adware: websearch.com hijacker
11:46 AM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
11:46 AM: Found Adware: wildmedia
11:46 AM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
11:46 AM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || updater (ID = 146721)
11:46 AM: Registry Sweep Complete, Elapsed Time:00:00:12
11:46 AM: Starting Cookie Sweep
11:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 AM: Found Spy Cookie: about cookie
11:46 AM: patrick@about[2].txt (ID = 2037)
11:46 AM: Found Spy Cookie: yieldmanager cookie
11:46 AM: patrick@ad.yieldmanager[1].txt (ID = 3751)
11:46 AM: Found Spy Cookie: adultfriendfinder cookie
11:46 AM: patrick@adultfriendfinder[1].txt (ID = 2165)
11:46 AM: Found Spy Cookie: ask cookie
11:46 AM: patrick@ask[1].txt (ID = 2245)
11:46 AM: Found Spy Cookie: dl cookie
11:46 AM: patrick@dl[1].txt (ID = 2529)
11:46 AM: Found Spy Cookie: kinghost cookie
11:46 AM: patrick@kinghost[1].txt (ID = 2903)
11:46 AM: Found Spy Cookie: nextag cookie
11:46 AM: patrick@nextag[1].txt (ID = 5014)
11:46 AM: patrick@nintendo.about[1].txt (ID = 2038)
11:46 AM: Found Spy Cookie: promaxtraffic cookie
11:46 AM: patrick@tds.promaxtraffic[1].txt (ID = 3200)
11:46 AM: patrick@yieldmanager[1].txt (ID = 3749)
11:46 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
11:46 AM: Starting File Sweep
11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:49 AM: Found Adware: look2me
11:49 AM: gplsl3371.dll (ID = 159)
11:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 AM: lacmgr10.dll (ID = 159)
11:53 AM: n8l80i3ue8.dll (ID = 159)
11:53 AM: Found Adware: apropos
11:53 AM: contextplus[1].exe (ID = 185940)
11:53 AM: dlvclnt.dll (ID = 159)
11:54 AM: lvrm0991e.dll (ID = 159)
11:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:55 AM: Found Adware: targetsaver
11:55 AM: stub_113_4_0_4_0[1].exe (ID = 193995)
11:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: lvr4099qe.dll (ID = 159)
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: Found Adware: purityscan
11:56 AM: w?wexec.exe (ID = 72918)
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: o084lalq1dqe.dll (ID = 159)
11:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:00 PM: Warning: Failed to open file "f:\documents and settings\all users\application data\mcafee\spamkiller\logs\filtering.log". The process cannot access the file because it is being used by another process
12:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:01 PM: Warning: Failed to read file "f:\documents and settings\patrick\my documents\journal.rtf". Data error (cyclic redundancy check)
12:01 PM: l4l60e3seh.dll (ID = 159)
12:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:02 PM: timessquare[1].exe (ID = 194150)
12:02 PM: lrdis12n.dll (ID = 159)
12:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:05 PM: Warning: Failed to open file "f:\documents and settings\patrick\local settings\temp\temporary internet files\content.ie5\6j6vet2n\1_0%26idx%3d0%26yy%3d95029%26inc%3d25%26order%3ddown%26sort%3ddate%26pos%3d0%26view%3da%26head%3db%26box%3dinbox&u_h=768&u_w=1024&u_ah=768&u_aw=1024&u_cd=32&u_tz=-360&u_java=true". The system cannot find the path specified
12:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:06 PM: i024lafq1d2e.dll (ID = 159)
12:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:07 PM: Found Adware: command
12:07 PM: mte3ndi6odoxng[1].exe (ID = 185985)
12:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:08 PM: lxavi80n.dll (ID = 159)
12:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:09 PM: mhiole32.dll (ID = 159)
12:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:10 PM: Found Trojan Horse: trojan-backdoor-us15info
12:10 PM: tool5[1].txt (ID = 183857)
12:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14 PM: Warning: Failed to open file "f:\videos\blah\". The system cannot find the path specified
12:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19 PM: Found Adware: spysheriff
12:19 PM: secure32.html (ID = 184319)
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: Warning: Failed to open file "f:\windows\softwaredistribution\eventcache\{66297667-d81b-473d-b7be-95dbc8c807a6}.bin". The process cannot access the file because it is being used by another process
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21 PM: n (ID = 88414)
12:21 PM: nwq (ID = 88019)
12:21 PM: File Sweep Complete, Elapsed Time: 00:35:18
12:21 PM: Full Sweep has completed. Elapsed time 00:38:35
12:21 PM: Traces Found: 46
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28 PM: Removal process initiated
12:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28 PM: Quarantining All Traces: icannnews
12:28 PM: icannnews is in use. It will be removed on reboot.
12:28 PM: F:\WINDOWS\system32\mhiole32.dll is in use. It will be removed on reboot.
12:28 PM: F:\WINDOWS\system32\lvr4099qe.dll is in use. It will be removed on reboot.
12:28 PM: Quarantining All Traces: look2me
12:28 PM: look2me is in use. It will be removed on reboot.
12:28 PM: lvr4099qe.dll is in use. It will be removed on reboot.
12:28 PM: i024lafq1d2e.dll is in use. It will be removed on reboot.
12:28 PM: mhiole32.dll is in use. It will be removed on reboot.
12:28 PM: Quarantining All Traces: purityscan
12:28 PM: Quarantining All Traces: spamrelayer_alpiok
12:28 PM: Quarantining All Traces: spysheriff
12:28 PM: Quarantining All Traces: trojan-backdoor-us15info
12:28 PM: Quarantining All Traces: wildmedia
12:28 PM: Quarantining All Traces: apropos
12:28 PM: Quarantining All Traces: command
12:28 PM: Quarantining All Traces: dollarrevenue
12:28 PM: Quarantining All Traces: targetsaver
12:28 PM: Quarantining All Traces: websearch.com hijacker
12:28 PM: Quarantining All Traces: about cookie
12:28 PM: Quarantining All Traces: adultfriendfinder cookie
12:28 PM: Quarantining All Traces: ask cookie
12:28 PM: Quarantining All Traces: dl cookie
12:28 PM: Quarantining All Traces: kinghost cookie
12:28 PM: Quarantining All Traces: nextag cookie
12:28 PM: Quarantining All Traces: promaxtraffic cookie
12:28 PM: Quarantining All Traces: yieldmanager cookie
12:28 PM: Warning: Could not read current IE Hijack Setting value: HKCU\S-1-5-21-1229272821-515967899-682003330-1004\Software\Microsoft\Internet Explorer\Main\Search Bar\
12:28 PM: Warning: Could not store new IE Hijack Setting value: HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar\http://ie.search.msn...st/srchasst.htm
12:29 PM: Preparing to restart your computer. Please wait...
12:29 PM: Removal process completed. Elapsed time 00:01:26
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:32 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:39 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:39 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:39 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:39 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:40 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
12:41 PM: The Spy Communication shield has blocked access to: fullbizzone.com
********
11:40 AM: | Start of Session, Tuesday, November 22, 2005 |
11:40 AM: Spy Sweeper started
11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 AM: Your spyware definitions have been updated.
11:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 AM: Updating spyware definitions
11:42 AM: Your definitions are up to date.
11:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:42 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 AM: Processing Hosts File Alerts
11:43 AM: Fixed Hosts File entry: www.kazaagold.com
11:43 AM: Fixed Hosts File entry: kazaagold.com
11:43 AM: Fixed Hosts File entry: www.k-lite.com
11:43 AM: Fixed Hosts File entry: www.kazaa-download.de
11:43 AM: Fixed Hosts File entry: www.mp3downloadhq.com
11:43 AM: Fixed Hosts File entry: www.easymusicdownload.com
11:43 AM: Fixed Hosts File entry: easymusicdownload.com
11:43 AM: Fixed Hosts File entry: www.mp3madeeasy.com
11:43 AM: Fixed Hosts File entry: www.monstershare.com
11:43 AM: Fixed Hosts File entry: www.kazaa-plus.net
11:43 AM: Fixed Hosts File entry: kazaa-plus.net
11:43 AM: Fixed Hosts File entry: www.kazaa-plus.com
11:43 AM: Fixed Hosts File entry: www.edonkey.com
11:43 AM: Fixed Hosts File entry: www.kazaa-file-sharing-downloads.com
11:43 AM: Fixed Hosts File entry: www.kazaaplatinum.com
11:43 AM: Fixed Hosts File entry: www.madeformusic.com
11:43 AM: Fixed Hosts File entry: ikazaa.net
11:43 AM: Fixed Hosts File entry: www.mp3specialty.com
11:43 AM: Fixed Hosts File entry: music-download-world.com
11:43 AM: Fixed Hosts File entry: song-download-world.com
11:43 AM: Fixed Hosts File entry: www.flixs.net
11:43 AM: Fixed Hosts File entry: www.ishareit.net
11:43 AM: Fixed Hosts File entry: www.ishareit.com
11:43 AM: Fixed Hosts File entry: www.download-doctor.com
11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 AM: | End of Session, Tuesday, November 22, 2005 |



And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:54:30 PM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
F:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\System32\cisvc.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\WINDOWS\system32\hpoipm07.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\explorer.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [VirusScan Online] f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#5 pskelley

Posted 22 November 2005 - 01:53 PM

I need some feedback from you. Are the issues resolved? Look at the list of quarantined items in the SS log. There is some nasty stuff there and I can't tell if SS got it all without you letting me know.

Your HJT has no folder, return there and right click a blank spot. Make a folder called HJT. Move HJT, the logs and the backups into that folder!!

There is still some stuff that HJT either did not remove or was missed. Use these instructions to start your computer in safe mode:
http://www.bleepingc...tutorial61.html

Once in safe mode do this:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

then click on "Fix Checked"

Empty the recycle bin and restart the computer. Post a new HJT log and this time tell me as much as you can about how it is running...thanks.
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#6 BSJohnson

Posted 22 November 2005 - 09:31 PM

Oh, sorry! Yeah. So far it's much better. There are no more pop-ups. Although half the time nearly 100% of my system's CPU resource is being used for no apparent reason (according to Task Manager).


Spy Sweeper now only reports that it's blocking access to "www.fullbizzone.com". I can't seem to find where I can copy and paste a Quarantine Log, but here's what's in the Quarantine:

***
about cookie
adultfriendfinder cookie
apropos
ask cookie
command
dl cookie
dollarrevenue
icannews
kinghost cookie
look2me
nextag cookie
promaxtraffic
purityscan
spamrelayer_alpiok
spysheriff
targetsaver
trojan-backdoor-us15info
websearch.com hijacker
wildmedia
yieldmanager cookie
***

Should I go ahead and delete these from the Spyware sweeper quarantine page?



***
I ran HJT in Safe mode and fixed the things you told me, but two of them remain no matter how many times I fix them. Here's the log from within safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:36 PM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
F:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [VirusScan Online] f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

***

Sorry about not being clear last time. If you need any more info from me let me know.
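The before/after comparison described in this post (entries that were checked for "Fix Checked" but show up again in the next scan) can be done mechanically. The following is an added example, not part of the original thread and not a HijackThis feature: the function names are hypothetical, and the log excerpts are a few lines copied from the two HijackThis logs posted above, with truncated URLs kept as posted.

```python
import re
from typing import NamedTuple, Optional

# Excerpt of the normal-mode log posted on 11/22/2005 12:54 PM (copied from the thread).
BEFORE_FIX = r"""
Logfile of HijackThis v1.99.1
Running processes:
F:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Excerpt of the safe-mode log posted on 11/22/2005 9:17 PM (copied from the thread).
AFTER_FIX = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# The three lines the helper asked to tick before "Fix Checked" (post #5).
FIX_CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
"""

# A log entry is "<section code> - <text>"; headers and process paths do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


class Entry(NamedTuple):
    section: str           # section code, e.g. "R0" or "O4"
    body: str              # text after "<code> - ", as posted
    key: str               # registry key,value name for R lines, else the body
    value: Optional[str]   # "" for an empty setting, None when there is no "="

    @property
    def identity(self):
        # Windows paths are case-insensitive and spacing varies between pastes,
        # so compare on a whitespace-collapsed, case-folded body.
        return (self.section, " ".join(self.body.split()).casefold())


def parse_hjt(text):
    """Return the numbered entries of a HijackThis log, in file order."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        section, body = match.groups()
        key, value = body, None
        if section.startswith("R"):
            if body.endswith(" ="):        # setting present but empty
                key, value = body[:-2], ""
            elif " = " in body:
                key, _, value = body.partition(" = ")
        entries.append(Entry(section, body, key, value))
    return entries


def diff_scans(before, after):
    """Split entries into removed, persisted and added between two scans."""
    before_ids = {e.identity for e in before}
    after_ids = {e.identity for e in after}
    return {
        "removed": [e for e in before if e.identity not in after_ids],
        "persisted": [e for e in after if e.identity in before_ids],
        "added": [e for e in after if e.identity not in before_ids],
    }


def still_present(fix_checked, after):
    """Entries that were selected for fixing but appear again in the later scan."""
    after_ids = {e.identity for e in after}
    return [e for e in fix_checked if e.identity in after_ids]


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_FIX), parse_hjt(AFTER_FIX)
    for entry in still_present(parse_hjt(FIX_CHECKED), after):
        print("fixed but back again:", entry.section, entry.key, repr(entry.value))
    for label, items in diff_scans(before, after).items():
        for entry in items:
            print(f"{label:9} {entry.section:3} {entry.body}")
```

The second log here was taken in safe mode, so startup entries that disappear between the two scans are not necessarily removals; compare scans taken in the same mode before drawing conclusions from the "removed" list.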

#7 pskelley

Posted 23 November 2005 - 06:38 AM

OK BS, Thanks for the information :thumbup: Yes, clean out the quarantine area of SS if it will let you. As you can see SS removed or quarantined a lot of stuff not showing in the log. Apropos is a rootkit infection and we may need to use another tool on it. It is very important that you watch the performance the next day or so and let me know about anything that does not seem normal. Use your Task Manager to see if you can spot what program is causing the spikes in usage. Post that information for me.

I ran HJT in Safe mode and fixed the things you told me, but two of them remain no matter how many times I fix them. Here's the log from within safe mode:

First, those items are clutter and not a problem even though I want them gone. We will keep an eye on them as we proceed. Second, only show me a log in Safe Mode if I ask for it, all logs in Normal Mode so I can see everything. I feel good about what we have accomplished so far, but the CPU spikes indicate something else may be at work, and because of the nasty stuff SS found, I wish to run additional tools to see what we can kill. Do this in the posted order:

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

3) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

4) Ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

It is very important that you save that ewido scan report to post. It is also important that you restart your computer as soon as you have safely stored that report and that NOTHING else is open during the ewido scan. Please refrain from using the computer from the time the scan starts until you restart after the scan is complete, with the exception of requests from ewido. Delete anything it locates unless you are sure it is not bad. Thanks.

5) Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results and the Add\Remove programs list in this same thread along with any feedback you have, plus any information I asked for above.

Thanks...Phil

Edited by pskelley, 23 November 2005 - 06:41 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#8 BSJohnson

Posted 23 November 2005 - 09:24 PM

Ok .... I cleaned out the SS quarantine, everything seems fine there. It appears that the CPU spikes are caused by iexplorer.exe. There haven't been any spikes yet since I ran all the scans from your latest instructions. SS is still blocking access to "www.fullbizzone.com". But otherwise my system appears to be functioning normally now. I've posted my latest HJT and Ewido logs. I don't THINK you asked for any others in your last post, other than the Add/Remove programs list, but I don't know where to obtain that log from. I mean, I know where Add/Remove programs is in control panel, but I don't know how to make a log of it. Please let me know if I've stupidly left anything out. I tried to follow your instructions to a T this time.

Here is the latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:11:29 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\savedump.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\System32\cisvc.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\explorer.exe
F:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

***

And here's the Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:46:43 PM, 11/23/2005
+ Report-Checksum: 55C96AA3

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-1229272821-515967899-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{640B39C1-D713-464F-92C3-75BD972B95EE} -> Spyware.SideStep : Cleaned with backup
HKU\S-1-5-21-1229272821-515967899-682003330-1004\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1229272821-515967899-682003330-1004_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
F:\Documents and Settings\Patrick\Cookies\patrick@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wfl4coazkcp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wflyghd5geo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wgkoqndzccp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjl4coczocp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjmiuld5mdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\bb.exe -> TrojanDropper.Agent.abo : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@e-2dj6wjkokpazwao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@e-2dj6wjnyepd5gfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@ilclick.epilot[2].txt -> Spyware.Cookie.Epilot : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\Cookies\patrick@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\~386054.tmp -> Spyware.Wintools : Cleaned with backup
F:\Documents and Settings\Patrick\Local Settings\Temp\~422216.tmp -> Spyware.Wintools : Cleaned with backup
F:\WINDOWS\kl.exe -> TrojanDownloader.Small.bww : Cleaned with backup
F:\WINDOWS\system32\cmmqlepe.exe -> TrojanProxy.Wopla.m : Cleaned with backup
F:\WINDOWS\Temp\Cookies\patrick@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\WINDOWS\Temp\Cookies\patrick@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\WINDOWS\Temp\Cookies\patrick@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\WINDOWS\weird.exe -> Trojan.Imiserv.c : Cleaned with backup


::Report End

#9 pskelley

Posted 24 November 2005 - 06:41 AM

OK, let me give you some feedback. Spysweeper recently updated to remove Look2me and other programs that use the Winlogon area in a stealth effort not to be identified, like all of the pop-ups don't tell us it is there. The other junk it cleaned is also great. I use the ewido scan for a general cleaning but it does not at this time remove the O20 items. Keep in mind you have both programs onboard and I am sure you will see some resource usage and slowdown. Once the trial is over, unless you purchase something, I suggest uninstalling Spysweeper (bad news is you can't use the trial again for that infection), turning ewido off in services and elsewhere if it is running, and keeping the scanner (not running) in its default location. You can create a shortcut to the Desktop and you have a good spyware scanner you can update and use for as long as you like. I do not like to install them both but in this case I felt we needed ewido also.

Now before I look at the ewido and HJT logs, I wish to say that both programs will do a better job if they are run in Safe Mode: any bad stuff hanging on will not be running, so the programs can kill it. So I am suggesting you take the time to run both SS and ewido in Safe Mode. Make sure you restart the computer between them, and please post those logs so I can see what is removed in this way.

"SS is still blocking access to 'www.fullbizzone.com'. But otherwise my system appears to be functioning normally now."

That link goes nowhere: www.fullbizzone.com I was going to suggest you email them and thank them for messing up your computer, but they are hiding under rocks like the cockroaches they are. They only come out to get the $$ from their mailbox. Make sure you have that address blocked in IE and Spyware Doctor may also allow you to block individual sites? I will suggest programs that will block it more before we finish. You should review the logs to see the garbage they removed and be careful of what you allow on your computer in the future.

Return to #1 of the last set of instructions I posted Yesterday, 07:38 AM. Those are the instructions for making the uninstall list, then just post to this thread the same way as any log. I may spot something in that list that may help you?

"Please let me know if I've stupidly left anything out. I tried to follow your instructions to a T this time."

Do not consider yourself stupid, these are complex instructions and doing a remote repair is not easy on either end, communication is the key.

ewido security suite - Scan report Created on: 8:46:43 PM, 11/23/2005
HKU\S-1-5-21-1229272821-515967899-682003330-1004_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
This indicates we should run the tool for the Rootkit infection, I was hoping we would not have to.

Logfile of HijackThis v1.99.1 Scan saved at 9:11:29 PM, on 11/23/2005
These items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
are of course still there. Something is stopping HJT from making the fix. The only program I see that should is Spyware Doctor. Turn it off and try again. Are you receiving any messages from a program when you try to remove them? I am open to any thoughts from you. I run McAfee myself but just basic VSO. Do any of your McAfee programs block changes?

Here is how I would like to proceed, I am sorry about the hard work, but these infections are rarely as easy to get off as they are to get on a computer.

1) Sometimes there will be an uninstall entry in Add/Remove Programs for ContextPlus. If you see this then you know the rootkit is present.

Look for the item in red; if it is there, uninstall it, then proceed with the fix for it. You will continue to use Safe Mode.

Thanks to Swandog46 and any others who helped with this fix.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix © Swandog46 from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder. <<< hold this and all logs until we are finished.

Please grab a beer or a bite to eat while the scans are running, even though you are in Safe Mode do not try to use any other programs when the scans are running, thanks.

2) Run SpySweeper in safe mode, remember to save the log and restart the computer back to safe mode.

3) Run the Ewido scan in safe mode, remember to save that scan report. When finished, restart the computer right away, back to normal mode.

4) Post the log from the aproposfix, Spysweeper and the ewido scan report. I would also still like the uninstall list discussed earlier in this post. Let me know how the computer is running, any threats you are receiving.

I also want to wish you a Happy Thanksgiving and I fully understand you may not get to those instructions until after the holiday.

Thanks...Phil :)

Edited by pskelley, 24 November 2005 - 06:49 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
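
The two checks made by eye in the post above (ewido lines that did not end in "Cleaned with backup", and R0/R1 entries that are still in the HijackThis log after a fix) can be scripted. This is an added example, not part of the original thread or of either tool: the function names are hypothetical, the sample lines are excerpted from the logs posted in this thread except the one marked constructed, and treating every status other than "Cleaned with backup" as not cleaned is an assumption.

```python
import re
from collections import Counter

# HijackThis entry: a letter, one or two digits, " - ", then the entry body.
HJT_ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# ewido report line: "<object> -> <detection name> : <status>".
EWIDO_HIT = re.compile(r"^(?P<obj>.+) -> (?P<det>\S+) : (?P<status>.+)$")

# Excerpts from the logs in this thread; the O4 line is constructed for the example.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [placeholder] C:\constructed\example.exe
"""
HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
EWIDO_REPORT = r"""
+ Created on: 8:46:43 PM, 11/23/2005
HKU\S-1-5-21-1229272821-515967899-682003330-1004\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1229272821-515967899-682003330-1004_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
F:\Documents and Settings\Patrick\Local Settings\Temp\bb.exe -> TrojanDropper.Agent.abo : Cleaned with backup
F:\WINDOWS\system32\cmmqlepe.exe -> TrojanProxy.Wopla.m : Cleaned with backup
"""


def parse_hjt(log_text):
    """Return [(code, body)] for every entry line (R0, O4, O23, ...) in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"].strip()))
    return entries


def _key(entry):
    # Logs mix "F:\" and "f:\" and spacing varies, so compare case- and space-insensitively.
    code, body = entry
    return code, " ".join(body.casefold().split())


def survived_fix(log_before, log_after, codes=("R0", "R1")):
    """Entries of the given codes present in both logs, i.e. the fix did not stick."""
    after = {_key(e) for e in parse_hjt(log_after)}
    return [e for e in parse_hjt(log_before) if e[0] in codes and _key(e) in after]


def parse_ewido(report_text):
    """Return [(object, detection, status)] for each result line of an ewido scan report."""
    hits = []
    for line in report_text.splitlines():
        m = EWIDO_HIT.match(line.strip())
        if m:
            hits.append((m["obj"], m["det"], m["status"].strip()))
    return hits


def not_cleaned(report_text):
    """Result lines whose status is anything other than 'Cleaned with backup'."""
    return [h for h in parse_ewido(report_text) if h[2].casefold() != "cleaned with backup"]


def family_counts(report_text):
    """How many result lines each detection name accounts for."""
    return Counter(det for _, det, _ in parse_ewido(report_text))


if __name__ == "__main__":
    for code, body in survived_fix(HJT_BEFORE, HJT_AFTER):
        print("still present after fix:", code, "-", body)
    for obj, det, status in not_cleaned(EWIDO_REPORT):
        print("needs follow-up:", det, "|", status, "|", obj)
    print(family_counts(EWIDO_REPORT).most_common())
```
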

#10 pskelley

Posted 05 December 2005 - 07:24 AM

No response in over 10 days? Closing this topic in 48 hours. Thanks...pskelley

#11 BSJohnson

Posted 05 December 2005 - 03:52 PM

Phil,
I'm SOOOO sorry for not getting back to this sooner! I've been swamped with work, finals, a play and multiple concerts and to be honest it had slipped my mind. I've been working with my laptop instead of my desktop for a while, so I had forgotten about the desktop's problems.

ANYWAY, as far as I can tell it's running alright now. No popups, no CPU spikes (which were all caused by Internet Explorer, and I've since switched to Mozilla FireFox). Everything appears to be normal.

Here's the aproposfix log from Safe Mode:

Log of AproposFix v1

************

Running from directory:
F:\Documents and Settings\Patrick\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

Here's the Spysweeper log from Safe mode:

********
2:08 PM: | Start of Session, Monday, December 05, 2005 |
2:08 PM: Spy Sweeper started
2:08 PM: Sweep initiated using definitions version 577
2:08 PM: Starting Memory Sweep
2:09 PM: Memory Sweep Complete, Elapsed Time: 00:00:47
2:09 PM: Starting Registry Sweep
2:09 PM: Found Adware: websearch.com hijacker
2:09 PM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
2:09 PM: Found Adware: wildmedia
2:09 PM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
2:09 PM: HKU\S-1-5-21-1229272821-515967899-682003330-1004\software\microsoft\internet explorer\main\ || updater (ID = 146721)
2:09 PM: Registry Sweep Complete, Elapsed Time:00:00:10
2:09 PM: Starting Cookie Sweep
2:09 PM: Found Spy Cookie: 2o7.net cookie
2:09 PM: patrick@msnportal.112.2o7[1].txt (ID = 1958)
2:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
2:09 PM: Starting File Sweep
2:18 PM: Warning: Failed to read file "f:\documents and settings\patrick\my documents\journal.rtf". Data error (cyclic redundancy check)
2:24 PM: Warning: Failed to open file "f:\videos\blah\". The system cannot find the path specified
2:29 PM: File Sweep Complete, Elapsed Time: 00:19:30
2:29 PM: Full Sweep has completed. Elapsed time 00:20:39
2:29 PM: Traces Found: 4
2:30 PM: Removal process initiated
2:30 PM: Quarantining All Traces: websearch.com hijacker
2:30 PM: Warning: Could not read current IE Hijack Setting value: HKCU\S-1-5-21-1229272821-515967899-682003330-1004\Software\Microsoft\Internet Explorer\Main\Search Bar\
2:30 PM: Warning: Could not store new IE Hijack Setting value: HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar\http://ie.search.msn...st/srchasst.htm
2:30 PM: Quarantining All Traces: wildmedia
2:30 PM: Quarantining All Traces: 2o7.net cookie
2:30 PM: Removal process completed. Elapsed time 00:00:07
********

Here's the Ewido log from Safe Mode:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:34:42 PM, 12/5/2005
+ Report-Checksum: 5DF67AE3

+ Scan result:

:mozilla.17:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.18:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.19:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.20:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.21:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.22:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.23:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.24:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.26:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.######-access : Cleaned with backup
:mozilla.32:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.33:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.34:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.35:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.36:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.56:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.57:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.58:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.59:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.66:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.77:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.78:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.79:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.80:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.81:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.125:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.130:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.148:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.151:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.152:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.153:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.154:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.188:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.190:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.239:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.248:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.249:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.279:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.297:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.298:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.299:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.301:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.302:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.303:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.312:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.325:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.326:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.341:F:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\5l4o2tcw.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wfloeodzmlp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjkoagdpcao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjl4coczocp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjl4skdzcap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Patrick\Cookies\patrick@e-2dj6wjny-1mazkc.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End

And finally the Uninstall List from HJT (in normal mode):

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
ATI Control Panel
ATI Display Driver
CCleaner (remove only)
DivX Player
DivX Pro Codec Adware
ewido security suite
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Photo Printing Software
hp psc 700 series
HP Share-to-Web
Image Transfer
ImageMixer for Sony
iolo technologies' Search and Recover 3
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee SpamKiller
McAfee VirusScan
MediaFACE II
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
MicroStaff WINASPI
Mozilla Firefox (1.5)
MSN Messenger 7.0
Nero - Burning Rom
QuickTime
RealPlayer
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Sony USB Driver
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 3.2
SpywareBlaster v3.4
Symantec KB-DocID:2003093015493306
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VIA Audio Driver Setup Program
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
XoftSpy

Again I apologize if I've wasted your time by not responding sooner. The end of November and all of December is always such a busy time for me. I just want you to know that I DO appreciate your help so far and will continue to do so.

Please let me know if I've left anything out or if you need more info. Thanks again!


#12 pskelley

Posted 05 December 2005 - 04:10 PM

Since this much time has gone by may I look at a last HJT log? Thanks...Phil

Edited in this information:

Hey, I understand, all of life is not computers. I allowed extra time, but because I am involved in 25 to 50 logs at any one time, I had to be sure the ones I was working were resolved in some manner before trying to take on others. Let's see how we did and thanks for the feedback.
Seems like the scans were able to clean what they needed to. Here is some information to help you control those cookies in Firefox: http://www.mozilla.o..._priv_help.html

The uninstall list: I am looking for problems, you have an opportunity to see what's there. If you see anything that you no longer use or don't know, this is a great time to clean.

Adobe Acrobat 5.0: If you use Adobe, version 7 has been released for a while. I see nothing else that should be a problem.

Assuming the last HJT log is going to be clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Because this junk can get backed up in System Restore, the following information will show you how to get clean SR files:
http://service1.syma...src=sec_doc_nam

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Edited by pskelley, 05 December 2005 - 04:21 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#13 pskelley

Posted 11 December 2005 - 07:23 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

