HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 11:15:36 PM, on 12/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\mIRC\mirc.exe
c:\program files\valve\steam\steamapps\goodyearpimp_2000@yahoo.com\counter-strike\hl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\SpyWare\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O3 - Toolbar: (no name) - {C2AA70A2-D30A-DB2E-DBCA-81991A2C92DC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZCfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildt...lim/install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28177.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab28177.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28177.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SpySweeper Scan Log
10:07 PM: | Start of Session, Friday, December 02, 2005 |
10:07 PM: Spy Sweeper started
10:07 PM: Sweep initiated using definitions version 577
10:07 PM: Starting Memory Sweep
10:08 PM: Found Adware: icannnews
10:08 PM: Detected running threat: C:\WINDOWS\system32\gpr0l39m1.dll (ID = 83)
10:09 PM: Detected running threat: C:\WINDOWS\system32\azdiosrv.dll (ID = 83)
10:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:11 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
10:13 PM: Memory Sweep Complete, Elapsed Time: 00:05:53
10:13 PM: Starting Registry Sweep
10:13 PM: Found Adware: adlogix
10:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/test.ocx\ (2 subtraces) (ID = 103108)
10:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\test.ocx (ID = 103141)
10:14 PM: Found Adware: blazefind
10:14 PM: HKCR\interface\{8c505a6b-124b-4768-8fd3-1a066c839848}\ (8 subtraces) (ID = 104460)
10:14 PM: HKLM\software\classes\interface\{8c505a6b-124b-4768-8fd3-1a066c839848}\ (8 subtraces) (ID = 104492)
10:14 PM: Found Adware: bookedspace
10:14 PM: HKLM\software\configuration manager\cfgmgr52\ (120 subtraces) (ID = 104873)
10:14 PM: Found Adware: buddylinks
10:14 PM: HKLM\software\microsoft\code store database\distribution units\{fddce9ff-1fc6-413c-80b1-37b101fda1d4}\ (14 subtraces) (ID = 105289)
10:14 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/shellinstaller.ocx\ (2 subtraces) (ID = 105290)
10:14 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\shellinstaller.ocx (ID = 105292)
10:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:15 PM: Found Adware: redswoosh
10:15 PM: HKLM\software\microsoft\code store database\distribution units\{ff0c042c-98e9-4c36-b2ec-e21fdfdcef75}\ (10 subtraces) (ID = 139308)
10:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/rsinstaller.dll\ (2 subtraces) (ID = 139310)
10:15 PM: Found Adware: websearch toolbar
10:15 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
10:15 PM: Found Adware: whenu save
10:15 PM: HKCR\acm.acmfactory\ (5 subtraces) (ID = 773927)
10:15 PM: HKCR\acm.acmfactory.1\ (3 subtraces) (ID = 773933)
10:15 PM: HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773937)
10:15 PM: HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773950)
10:15 PM: HKCR\appid\acm.dll\ (1 subtraces) (ID = 773960)
10:15 PM: HKCR\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773962)
10:15 PM: HKLM\software\classes\acm.acmfactory\ (5 subtraces) (ID = 773964)
10:15 PM: HKLM\software\classes\acm.acmfactory.1\ (3 subtraces) (ID = 773970)
10:15 PM: HKLM\software\classes\appid\acm.dll\ (1 subtraces) (ID = 773974)
10:15 PM: HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773976)
10:15 PM: HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773979)
10:15 PM: HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773992)
10:15 PM: Found Adware: delfin
10:15 PM: HKLM\software\vidmon\ (3 subtraces) (ID = 890155)
10:15 PM: Found Adware: dollarrevenue
10:15 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
10:15 PM: Found Adware: command
10:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
10:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
10:15 PM: Found Adware: drsnsrch.com hijack
10:15 PM: HKU\S-1-5-21-3974784280-1072855021-622102824-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:15 PM: Found Adware: ist sidefind
10:15 PM: HKU\S-1-5-21-3974784280-1072855021-622102824-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:15 PM: HKU\S-1-5-21-3974784280-1072855021-622102824-1003\software\vidmon\ (1 subtraces) (ID = 890125)
10:16 PM: Registry Sweep Complete, Elapsed Time:00:02:30
10:16 PM: Starting Cookie Sweep
10:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:16 PM: Found Spy Cookie: 498 cookie
10:16 PM: owner@498[1].txt (ID = 1975)
10:16 PM: Found Spy Cookie: sandboxer cookie
10:16 PM: owner@66.33.0[1].txt (ID = 3281)
10:16 PM: Found Spy Cookie: 888 cookie
10:16 PM: owner@888[2].txt (ID = 2019)
10:16 PM: Found Spy Cookie: abetterinternet cookie
10:16 PM: owner@abetterinternet[1].txt (ID = 2035)
10:16 PM: Found Spy Cookie: adlegend cookie
10:16 PM: owner@adlegend[1].txt (ID = 2074)
10:16 PM: Found Spy Cookie: hbmediapro cookie
10:16 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
10:16 PM: Found Spy Cookie: advertising cookie
10:16 PM: owner@advertising[1].txt (ID = 2175)
10:16 PM: Found Spy Cookie: ask cookie
10:16 PM: owner@ask[1].txt (ID = 2245)
10:16 PM: Found Spy Cookie: atlas dmt cookie
10:16 PM: owner@atdmt[2].txt (ID = 2253)
10:16 PM: Found Spy Cookie: atwola cookie
10:16 PM: owner@atwola[1].txt (ID = 2255)
10:16 PM: Found Spy Cookie: azjmp cookie
10:16 PM: owner@azjmp[2].txt (ID = 2270)
10:16 PM: Found Spy Cookie: megago cookie
10:16 PM: owner@bullfighter.freeservers[1].txt (ID = 2983)
10:16 PM: Found Spy Cookie: callwave cookie
10:16 PM: owner@callwave[2].txt (ID = 2342)
10:16 PM: owner@clintdickes.freeservers[1].txt (ID = 2983)
10:16 PM: Found Spy Cookie: exitexchange cookie
10:16 PM: owner@exitexchange[1].txt (ID = 2633)
10:16 PM: Found Spy Cookie: gamespy cookie
10:16 PM: owner@gamespy[1].txt (ID = 2719)
10:16 PM: Found Spy Cookie: sb01 cookie
10:16 PM: owner@jp1.sb01[1].txt (ID = 3288)
10:16 PM: Found Spy Cookie: kmpads cookie
10:16 PM: owner@kmpads[2].txt (ID = 2909)
10:16 PM: owner@maninthecan.freeservers[1].txt (ID = 2983)
10:16 PM: Found Spy Cookie: nextag cookie
10:16 PM: owner@nextag[1].txt (ID = 5014)
10:16 PM: Found Spy Cookie: partypoker cookie
10:16 PM: owner@partypoker[2].txt (ID = 3111)
10:16 PM: Found Spy Cookie: servlet cookie
10:16 PM: owner@servlet[2].txt (ID = 3345)
10:16 PM: Found Spy Cookie: smni cookie
10:16 PM: owner@smni[2].txt (ID = 3389)
10:16 PM: Found Spy Cookie: reliablestats cookie
10:16 PM: owner@stats1.reliablestats[1].txt (ID = 3254)
10:16 PM: Found Spy Cookie: tradedoubler cookie
10:16 PM: owner@tradedoubler[1].txt (ID = 3575)
10:16 PM: Found Spy Cookie: trafficmp cookie
10:16 PM: owner@trafficmp[2].txt (ID = 3581)
10:16 PM: Found Spy Cookie: videodome cookie
10:16 PM: owner@videodome[1].txt (ID = 3638)
10:16 PM: owner@www.888[1].txt (ID = 2020)
10:16 PM: Found Spy Cookie: rednova cookie
10:16 PM: owner@www.rednova[1].txt (ID = 3246)
10:16 PM: owner@www.rodeoclown.freeservers[1].txt (ID = 2983)
10:16 PM: Found Spy Cookie: yieldmanager cookie
10:16 PM: owner@yieldmanager[2].txt (ID = 3749)
10:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
10:16 PM: Starting File Sweep
10:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 PM: c:\windows\cfgmgr52 (34 subtraces) (ID = -2147479590)
10:18 PM: Found Adware: bullguard popup ad
10:18 PM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
10:18 PM: c:\documents and settings\all users\application data\vidmon (1 subtraces) (ID = -2147468685)
10:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:19 PM: Found Adware: targetsaver
10:19 PM: tsupdate2[2].ini (ID = 193498)
10:19 PM: Found Adware: euniverse
10:19 PM: cards.ico (ID = 60207)
10:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:24 PM: Found Adware: e2g
10:24 PM: prutbct.exe (ID = 59412)
10:24 PM: removewebdp.exe (ID = 166172)
10:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:27 PM: c3d01da4-9ccd-4636-86ee-d87d4a (ID = 51659)
10:28 PM: Found Adware: gsim
10:28 PM: gsim.inf (ID = 61964)
10:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 PM: Found Adware: look2me
10:32 PM: l60u0gd9e60.dll (ID = 159)
10:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:33 PM: test.inf (ID = 49247)
10:33 PM: guard.tmp (ID = 159)
10:34 PM: bulldownload.exe (ID = 52017)
10:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:34 PM: tsuninst.exe (ID = 193501)
10:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:43 PM: azdiosrv.dll (ID = 159)
10:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:43 PM: gpr0l39m1.dll (ID = 159)
10:44 PM: gpjol3131.dll (ID = 159)
10:44 PM: ktnml7511.dll (ID = 159)
10:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:45 PM: Found Adware: apropos
10:45 PM: wingenerics.dll (ID = 50187)
10:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:50 PM: tsupdate2[1].ini (ID = 193498)
10:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:56 PM: default.inf (ID = 73670)
10:56 PM: drsmartload.dat (ID = 198788)
10:56 PM: naxrtrk.vbs (ID = 185675)
10:56 PM: Found Adware: directrevenue-abetterinternet
10:56 PM: poltt.inf (ID = 83432)
10:56 PM: polall1r.inf (ID = 83425)
10:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:57 PM: Found System Monitor: potentially rootkit-masked files
10:57 PM: wanrtcls.sys (ID = 0)
10:57 PM: hhntf32.exe (ID = 0)
10:57 PM: ace.dll (ID = 0)
10:57 PM: data.bin (ID = 0)
10:57 PM: toorslvr.exe (ID = 0)
10:57 PM: t2eprdim.exe (ID = 0)
10:57 PM: ai_02-12-2005.log (ID = 0)
10:57 PM: ai_28-11-2005.log (ID = 0)
10:57 PM: ai_01-12-2005.log (ID = 0)
10:57 PM: ai_30-11-2005.log (ID = 0)
10:57 PM: ai_27-11-2005.log (ID = 0)
10:57 PM: ai_29-11-2005.log (ID = 0)
10:57 PM: ai_26-11-2005.log (ID = 0)
10:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:02 PM: File Sweep Complete, Elapsed Time: 00:46:10
11:02 PM: Full Sweep has completed. Elapsed time 00:54:56
11:02 PM: Traces Found: 386
11:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03 PM: Removal process initiated
11:03 PM: Quarantining All Traces: adlogix
11:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03 PM: Quarantining All Traces: directrevenue-abetterinternet
11:03 PM: Quarantining All Traces: icannnews
11:03 PM: icannnews is in use. It will be removed on reboot.
11:03 PM: C:\WINDOWS\system32\gpr0l39m1.dll is in use. It will be removed on reboot.
11:03 PM: C:\WINDOWS\system32\azdiosrv.dll is in use. It will be removed on reboot.
11:03 PM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
11:03 PM: Quarantining All Traces: look2me
11:04 PM: look2me is in use. It will be removed on reboot.
11:04 PM: guard.tmp is in use. It will be removed on reboot.
11:04 PM: azdiosrv.dll is in use. It will be removed on reboot.
11:04 PM: gpr0l39m1.dll is in use. It will be removed on reboot.
11:04 PM: gpjol3131.dll is in use. It will be removed on reboot.
11:04 PM: Quarantining All Traces: potentially rootkit-masked files
11:04 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
11:04 PM: wanrtcls.sys is in use. It will be removed on reboot.
11:04 PM: hhntf32.exe is in use. It will be removed on reboot.
11:04 PM: ace.dll is in use. It will be removed on reboot.
11:04 PM: data.bin is in use. It will be removed on reboot.
11:04 PM: toorslvr.exe is in use. It will be removed on reboot.
11:04 PM: t2eprdim.exe is in use. It will be removed on reboot.
11:04 PM: ai_02-12-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_28-11-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_01-12-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_30-11-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_27-11-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_29-11-2005.log is in use. It will be removed on reboot.
11:04 PM: ai_26-11-2005.log is in use. It will be removed on reboot.
11:04 PM: Quarantining All Traces: websearch toolbar
11:04 PM: Quarantining All Traces: apropos
11:04 PM: apropos is in use. It will be removed on reboot.
11:04 PM: wingenerics.dll is in use. It will be removed on reboot.
11:04 PM: Quarantining All Traces: blazefind
11:04 PM: Quarantining All Traces: bookedspace
11:04 PM: Quarantining All Traces: buddylinks
11:04 PM: Quarantining All Traces: bullguard popup ad
11:04 PM: Quarantining All Traces: command
11:04 PM: Quarantining All Traces: delfin
11:04 PM: Quarantining All Traces: dollarrevenue
11:04 PM: Quarantining All Traces: drsnsrch.com hijack
11:04 PM: Quarantining All Traces: e2g
11:04 PM: Quarantining All Traces: euniverse
11:04 PM: Quarantining All Traces: gsim
11:04 PM: Quarantining All Traces: ist sidefind
11:04 PM: Quarantining All Traces: redswoosh
11:04 PM: Quarantining All Traces: targetsaver
11:04 PM: Quarantining All Traces: whenu save
11:04 PM: Quarantining All Traces: 498 cookie
11:04 PM: Quarantining All Traces: 888 cookie
11:04 PM: Quarantining All Traces: abetterinternet cookie
11:04 PM: Quarantining All Traces: adlegend cookie
11:04 PM: Quarantining All Traces: advertising cookie
11:04 PM: Quarantining All Traces: ask cookie
11:04 PM: Quarantining All Traces: atlas dmt cookie
11:04 PM: Quarantining All Traces: atwola cookie
11:04 PM: Quarantining All Traces: azjmp cookie
11:04 PM: Quarantining All Traces: callwave cookie
11:04 PM: Quarantining All Traces: exitexchange cookie
11:04 PM: Quarantining All Traces: gamespy cookie
11:04 PM: Quarantining All Traces: hbmediapro cookie
11:04 PM: Quarantining All Traces: kmpads cookie
11:04 PM: Quarantining All Traces: megago cookie
11:04 PM: Quarantining All Traces: nextag cookie
11:04 PM: Quarantining All Traces: partypoker cookie
11:04 PM: Quarantining All Traces: rednova cookie
11:04 PM: Quarantining All Traces: reliablestats cookie
11:04 PM: Quarantining All Traces: sandboxer cookie
11:04 PM: Quarantining All Traces: sb01 cookie
11:04 PM: Quarantining All Traces: servlet cookie
11:04 PM: Quarantining All Traces: smni cookie
11:04 PM: Quarantining All Traces: tradedoubler cookie
11:04 PM: Quarantining All Traces: trafficmp cookie
11:04 PM: Quarantining All Traces: videodome cookie
11:04 PM: Quarantining All Traces: yieldmanager cookie
11:04 PM: Preparing to restart your computer. Please wait...
11:04 PM: Removal process completed. Elapsed time 00:01:35
11:09 PM: BHO Shield: found: -- BHO installation allowed at user request
********
10:05 PM: | Start of Session, Friday, December 02, 2005 |
10:05 PM: Spy Sweeper started
10:06 PM: Your spyware definitions have been updated.
10:07 PM: | End of Session, Friday, December 02, 2005 |
Is everything good now?