
Google Unexpected Results


  • This topic is locked
22 replies to this topic

#1 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 26 December 2005 - 05:24 AM

Hi, I believe my PC has been infected by unwanted software. When I click on a Google search result, I get directed to another web site and not the one I want. Please help, it's driving me mad!!

Logfile of HijackThis v1.99.1
Scan saved at 11:18:08, on 26/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [syspanel] WTFCTF.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKCU\..\Run: [atl_helper] progmen.exe
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:oexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc...Wv.chm::/on.exe
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 December 2005 - 06:37 PM

Hello nickbasi, welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis, and "copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 31 December 2005 - 08:02 AM

Hi LD, Thanks for the response.

Here is the latest Log file:

Logfile of HijackThis v1.97.7
Scan saved at 14:21:05, on 31/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\9RFJPX8E\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [syspanel] WTFCTF.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKCU\..\Run: [atl_helper] progmen.exe
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:oexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc...Wv.chm::/on.exe
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 December 2005 - 08:23 AM

First post
Logfile of HijackThis v1.99.1
Scan saved at 11:18:08, on 26/12/2005

last post
Logfile of HijackThis v1.97.7
Scan saved at 14:21:05, on 31/12/2005

You have two versions of HijackThis. Please delete the old v1.97.7. I need a HJT log from the new version.
When you post back be sure the HJT is from the new version.



Please do not delete anything unless instructed to.


Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06. All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs > Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" entries, "BLACK" entries and "GREEN" entries in the window
Put a check mark beside the RED entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.

Next:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


 


#5 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 31 December 2005 - 08:38 AM

Thanks LD, Old version deleted and new log is below,

Logfile of HijackThis v1.99.1
Scan saved at 14:52:38, on 31/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [syspanel] WTFCTF.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKCU\..\Run: [atl_helper] progmen.exe
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:oexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc...Wv.chm::/on.exe
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 December 2005 - 08:39 AM

Run the above fix I posted, please.


 


#7 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 31 December 2005 - 11:47 AM

I have run Spybot and Ad-aware as recommended. Ewido however requires Windows 2000 or XP, I am running ME, is there another programme I can run?

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 December 2005 - 11:49 AM

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.
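
Added example, not part of the original posts and not HijackThis's own code: a small Python parser for logs laid out like the ones in this thread, used to diff a scan taken before cleanup against one taken after, and to show why two logs from different HijackThis versions do not compare cleanly. The sample logs are short excerpts of lines from the thread's own logs; the names `parse_hjt` and `diff_logs` are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Header and entry patterns for the log layout shown in this thread.
VERSION_RE = re.compile(r"^Logfile of HijackThis v([\d.]+)")
SAVED_RE = re.compile(r"^Scan saved at ([\d:]+), on ([\d/]+)")
# Entry lines start with a section code such as R1, O4 or O16, then " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts of the thread's logs (a few lines each, not the full scans).
LOG_V1977 = r"""Logfile of HijackThis v1.97.7
Scan saved at 14:21:05, on 31/12/2005

Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O9 - Extra button: Real.com (HKLM)
"""

LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:52:38, on 31/12/2005

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKCU\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc...Wv.chm::/on.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:24:10, on 01/01/2006

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126
"""


@dataclass
class HjtLog:
    version: str = ""
    saved: str = ""                                # "DD/MM/YYYY HH:MM:SS"
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (code, body) in file order


def parse_hjt(text):
    """Parse one HijackThis log into header fields, processes and entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if (m := VERSION_RE.match(line)):
            log.version = m.group(1)
        elif (m := SAVED_RE.match(line)):
            log.saved = f"{m.group(2)} {m.group(1)}"
        elif line == "Running processes:":
            in_processes = True
        elif (m := ENTRY_RE.match(line)):
            log.entries.append((m.group(1), m.group(2)))
        elif in_processes:
            log.processes.append(line)
    return log


def diff_logs(before, after):
    """Report entries that disappeared or appeared between two scans.

    version_mismatch is reported because the two versions in this thread
    print some sections differently (the O9 lines above), so a diff across
    versions contains changes that are formatting, not system state.
    """
    before_set, after_set = set(before.entries), set(after.entries)
    return {
        "version_mismatch": before.version != after.version,
        "removed": [e for e in before.entries if e not in after_set],
        "added": [e for e in after.entries if e not in before_set],
    }


if __name__ == "__main__":
    result = diff_logs(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER))
    for kind in ("removed", "added"):
        for code, body in result[kind]:
            print(f"{kind:8} {code:4} {body}")
```
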


 


#9 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 01 January 2006 - 05:09 AM

Thanks LD, below are the new HJT Log and Spy Sweeper results

Logfile of HijackThis v1.99.1
Scan saved at 11:24:10, on 01/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [syspanel] WTFCTF.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [atl_helper] progmen.exe
O4 - HKCU\..\Run: [vxdman] prcmon.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126



********
11:03: | Start of Session, 01 January 2006 |
11:03: Spy Sweeper started
11:03: Sweep initiated using definitions version 594
11:03: Starting Memory Sweep
11:05: Memory Sweep Complete, Elapsed Time: 00:01:53
11:05: Starting Registry Sweep
11:06: Found Adware: altnet
11:06: HKLM\altnet\ (2 subtraces) (ID = 103447)
11:06: Found Adware: coolwebsearch (cws)
11:06: HKLM\software\microsoft\code store database\distribution units\{10003000-1000-0000-1000-000000000000}\ (7 subtraces) (ID = 109815)
11:06: Found Adware: cws-aboutblank
11:06: HKLM\software\microsoft\code store database\distribution units\{10003000-1000-0000-1000-000000000000}\ (7 subtraces) (ID = 109815)
11:11: Found Trojan Horse: trojan-downloader-ruin
11:11: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
11:11: Found Adware: trojan-downloader-linkschain
11:11: HKLM\software\microsoft\windows\currentversion\run\ || vmcleaner (ID = 712882)
11:11: Found Adware: 180search assistant/zango
11:11: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (7 subtraces) (ID = 832871)
11:12: HKU\.DEFAULT\software\microsoft\windows\currentversion\run\ || nsyscplstr (ID = 605131)
11:12: Found Adware: unspypc
11:12: HKU\.DEFAULT\software\unspypc\ (6 subtraces) (ID = 1059779)
11:12: Registry Sweep Complete, Elapsed Time:00:06:08
11:12: Starting Cookie Sweep
11:12: Found Spy Cookie: firstchoice cookie
11:12: anyuser@firstchoice[1].txt (ID = 2678)
11:12: Found Spy Cookie: a cookie
11:12: anyuser@a[1].txt (ID = 2027)
11:12: Found Spy Cookie: touchclarity cookie
11:12: anyuser@easyjet.touchclarity[2].txt (ID = 3566)
11:12: Found Spy Cookie: banners cookie
11:12: 72-underwood@banners[1].txt (ID = 2282)
11:12: 72-underwood@easyjet.touchclarity[1].txt (ID = 3566)
11:12: Found Spy Cookie: 2o7.net cookie
11:12: 72-underwood@112.2o7[2].txt (ID = 1958)
11:12: Found Spy Cookie: tracking cookie
11:12: 72-underwood@tracking[2].txt (ID = 3571)
11:12: 72-underwood@tracking[3].txt (ID = 3571)
11:12: Found Spy Cookie: ic-live cookie
11:12: anyuser@ic-live[1].txt (ID = 2821)
11:12: Found Spy Cookie: aa cookie
11:12: 72-underwood@aa[1].txt (ID = 2029)
11:12: Found Spy Cookie: ask cookie
11:12: anyuser@ask[1].txt (ID = 2245)
11:12: 72-underwood@a[1].txt (ID = 2027)
11:12: Found Spy Cookie: myaffiliateprogram.com cookie
11:12: anyuser@www.myaffiliateprogram[1].txt (ID = 3032)
11:12: anyuser@propertyfinderltd.122.2o7[2].txt (ID = 1958)
11:12: Found Spy Cookie: yieldmanager cookie
11:12: 72-underwood@ad.yieldmanager[1].txt (ID = 3751)
11:12: anyuser@a[2].txt (ID = 2027)
11:12: 72-underwood@marksandspencer.122.2o7[1].txt (ID = 1958)
11:12: anyuser@firstchoice[2].txt (ID = 2678)
11:12: Found Spy Cookie: yadro cookie
11:12: 72-undepavanrwood@yadro[2].txt (ID = 3743)
11:12: Found Spy Cookie: co cookie
11:12: anyuser@www.firstchoice.co[3].txt (ID = 2428)
11:12: 72-undepavanrwood@112.2o7[1].txt (ID = 1958)
11:12: anyuser@www.firstchoice.co[2].txt (ID = 2428)
11:12: anyuser@firstchoice[5].txt (ID = 2678)
11:12: anyuser@firstchoice[6].txt (ID = 2678)
11:12: Found Spy Cookie: xiti cookie
11:12: 72-undepavanrwood@xiti[1].txt (ID = 3717)
11:12: anyuser@thomascook.122.2o7[2].txt (ID = 1958)
11:12: Found Spy Cookie: associated new media cookie
11:12: anyuser@anm.co[2].txt (ID = 2223)
11:12: Found Spy Cookie: server.iad.liveperson cookie
11:12: anyuser@server.iad.liveperson[2].txt (ID = 3341)
11:12: anyuser@a[3].txt (ID = 2027)
11:12: 72-undepavanrwood@rs0.co[2].txt (ID = 2430)
11:12: 72-undepavanrwood@112.2o7[2].txt (ID = 1958)
11:12: anyuser@112.2o7[1].txt (ID = 1958)
11:12: anyuser@ad.yieldmanager[1].txt (ID = 3751)
11:12: anyuser@firstchoice[3].txt (ID = 2678)
11:12: anyuser@firstchoice[4].txt (ID = 2678)
11:12: anyuser@www.firstchoice.co[1].txt (ID = 2428)
11:12: anyuser@rs0.co[2].txt (ID = 2430)
11:12: Found Spy Cookie: abcsearch cookie
11:12: anyuser@www.abcsearch[2].txt (ID = 2034)
11:12: anyuser@marksandspencer.122.2o7[1].txt (ID = 1958)
11:12: 72-undepavanrwood@www.firstchoice.co[1].txt (ID = 2428)
11:12: 72-undepavanrwood@firstchoice[1].txt (ID = 2678)
11:12: 72-undepavanrwood@firstchoice[2].txt (ID = 2678)
11:12: 72-undepavanrwood@thomascook.122.2o7[1].txt (ID = 1958)
11:12: 72-undepavanrwood@a[1].txt (ID = 2027)
11:12: Found Spy Cookie: goclick cookie
11:12: anyuser@c.goclick[1].txt (ID = 2733)
11:12: anyuser@112.2o7[3].txt (ID = 1958)
11:12: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:12: Starting File Sweep
11:12: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
11:13: Found Adware: idesk
11:13: idemlog.exe (ID = 205677)
11:13: filesafer23.exe (ID = 209443)
11:13: Found Adware: bullguard popup ad
11:13: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
11:13: bulldownload.exe (ID = 52017)
11:13: Warning: Failed to open file "c:\windows\application data\blueyonder\pcguard\logs\safetyconsolelog01-01-2006--10-56-47.log". The process cannot access the file because it is being used by another process
11:16: File Sweep Complete, Elapsed Time: 00:04:32
11:16: Full Sweep has completed. Elapsed time 00:12:36
11:16: Traces Found: 98
11:17: Removal process initiated
11:17: Quarantining All Traces: 180search assistant/zango
11:17: Quarantining All Traces: cws-aboutblank
11:17: Quarantining All Traces: trojan-downloader-ruin
11:17: Quarantining All Traces: coolwebsearch (cws)
11:17: Quarantining All Traces: altnet
11:17: Quarantining All Traces: bullguard popup ad
11:17: Quarantining All Traces: idesk
11:17: Quarantining All Traces: trojan-downloader-linkschain
11:17: Quarantining All Traces: unspypc
11:17: Quarantining All Traces: 2o7.net cookie
11:17: Quarantining All Traces: a cookie
11:17: Quarantining All Traces: aa cookie
11:17: Quarantining All Traces: abcsearch cookie
11:17: Quarantining All Traces: ask cookie
11:17: Quarantining All Traces: associated new media cookie
11:17: Quarantining All Traces: banners cookie
11:17: Quarantining All Traces: co cookie
11:17: Quarantining All Traces: firstchoice cookie
11:18: Quarantining All Traces: goclick cookie
11:18: Quarantining All Traces: ic-live cookie
11:18: Quarantining All Traces: myaffiliateprogram.com cookie
11:18: Quarantining All Traces: server.iad.liveperson cookie
11:18: Quarantining All Traces: touchclarity cookie
11:18: Quarantining All Traces: tracking cookie
11:18: Quarantining All Traces: xiti cookie
11:18: Quarantining All Traces: yadro cookie
11:18: Quarantining All Traces: yieldmanager cookie
11:19: Removal process completed. Elapsed time 00:01:56
********
11:01: | Start of Session, 01 January 2006 |
11:01: Spy Sweeper started
11:02: Your spyware definitions have been updated.
11:03: | End of Session, 01 January 2006 |

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 January 2006 - 09:43 AM

I suggest you do this:


Use Add/Remove Programs and remove if listed:
UnSpyPC



Run HijackThis. Hit "None of the above", click "Do a System Scan Only". Put a check in the box on the left side of each of these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe

O4 - HKLM\..\Run: [syspanel] WTFCTF.exe

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

O4 - HKCU\..\Run: [atl_helper] progmen.exe

O4 - HKCU\..\Run: [vxdman] prcmon.exe

O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete this Folder if listed:
C:\Program Files\UnSpyPC


Delete these Files if listed:
TorontoMail.exe
WTFCTF.exe
progmen.exe
prcmon.exe



1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files (If listed)
7. Click OK and windows will comply.

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 



#11 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 01 January 2006 - 01:09 PM

LD, none of the exe files were listed. New log attached.

Logfile of HijackThis v1.99.1
Scan saved at 19:28:01, on 01/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
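
An added example, not part of the thread and not HijackThis's own code: a short Python script that compares entries LDTate selected for fixing in post #10 with an excerpt of the follow-up log in post #11. It matches on registry identity (Run value name, CLSID, or O17 setting name) rather than on the whole line; the function names and these identity rules are assumptions of this example.

```python
import re

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<data>.+)$")
O17 = re.compile(r"^(?P<key>[^:]+): (?P<name>\w+) = (?P<data>.+)$")

# Some of the entries selected for "Fix checked" in post #10 (copied from the thread).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {1095190F-9F6E-E872-ED6B-CD602BE08C60} - forces_elite.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [syspanel] WTFCTF.exe
O4 - HKCU\..\Run: [atl_helper] progmen.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.55,85.255.112.126
"""

# Excerpt of the follow-up log in post #11 (copied from the thread).
LATER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""


def parse(line):
    """Return (section, identity, data) for one HijackThis line, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec == "O4" and (r := O4_RUN.match(body)):
        # Autorun identity: registry key plus value name, case-insensitive.
        return sec, (r["key"].lower(), r["name"].lower()), r["data"]
    if sec == "O17" and (r := O17.match(body)):
        # NameServer and Domain under the same key are different settings.
        return sec, (r["key"].lower(), r["name"].lower()), r["data"]
    if (c := CLSID.search(body)):
        # BHOs, toolbars and search hooks are identified by CLSID.
        return sec, (c.group(0).upper(),), body
    return sec, (body.lower(),), body


def index(text):
    """Map (section, identity) -> data for every parsable line in a log."""
    out = {}
    for line in text.splitlines():
        p = parse(line)
        if p:
            out[(p[0], p[1])] = p[2]
    return out


def still_present(fix_text, later_text):
    """Entries chosen for fixing whose identity still appears in the later log."""
    fixed, later = index(fix_text), index(later_text)
    report = []
    for ident, old in fixed.items():
        if ident in later:
            state = "unchanged" if later[ident].lower() == old.lower() else "changed"
            report.append((ident[0], ident[1], later[ident], state))
    return report


if __name__ == "__main__":
    for row in still_present(FIX_LIST, LATER_LOG):
        print(row)
```

On these excerpts the only surviving entry is the `[NukeSpan]` Run value, and the O17 `Domain` line is not confused with the fixed `NameServer` setting.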

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 January 2006 - 01:20 PM

Download Pocket Killbox version 2.0.0.175
http://www.atribune....ads/KillBox.exe
If you already have Killbox, first ensure it is this version.

Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad window and press Control-V to paste the contents into the notepad.


TorontoMail.exe


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.


 


#13 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 02 January 2006 - 04:07 AM

Completed recommended procedure, but I'm still being redirected. Latest HJT log attached.

Logfile of HijackThis v1.99.1
Scan saved at 10:28:52, on 02/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 January 2006 - 03:25 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.


 


#15 nickbasi

nickbasi

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 03 January 2006 - 01:15 PM

LD, latest HJT and Fixwareout logs attached. Thanks for your continued help.

Logfile of HijackThis v1.99.1
Scan saved at 19:31:29, on 03/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\BLUEYONDER\PCGUARD\RPS.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AOL 9.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonde...onder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\FBHR.DLL
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\PROGRAM FILES\BLUEYONDER\PCGUARD\PKR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NukeSpan] TorontoMail.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net



Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files
