WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

My Hijack this log

Started by Tengo51 , Mar 11 2006 06:04 PM

This topic is locked

14 replies to this topic

#1 Tengo51

New Member

New Member
7 posts

Posted 11 March 2006 - 06:04 PM

I have ran norton, ad-ware remover, and Bazooka none of witch say I have anything but I stupid message keeps poping up that I have a virus. There is a program called spyfalcon that instaled itself and everytime I delete it, it just comes back. Well any way here is my HJT this log. Thankes in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:29:56 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\DOCUME~1\James\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7BB7.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cuhxqiy] C:\Documents and Settings\James\My Documents\a?sembly\w?auboot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: winypt32 - C:\WINDOWS\SYSTEM32\winypt32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 15 March 2006 - 06:12 PM

Hello Tengo51, welcome to the forum. Sorry about the delay in responding

If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 Tengo51

New Member

New Member
7 posts

Posted 18 March 2006 - 05:13 PM

I got rid of spyfalcon but I keep getting pop-ups so I disabled Active-X on my computer, since I use the firefox browser. I keep getting The message that active-x can not properly display the page, so it would lead me to believe that I am not out of the woods yet since it keeps trying to spring pop-ups on me. So here is the log, and I don't mind the delay I know you have your hands full.

Logfile of HijackThis v1.99.1
Scan saved at 6:04:09 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\win6C4.tmp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\James\LOCALS~1\Temp\Rar$EX00.047\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cuhxqiy] C:\Documents and Settings\James\My Documents\a?sembly\w?auboot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: winypt32 - C:\WINDOWS\SYSTEM32\winypt32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 18 March 2006 - 05:15 PM

Download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

The ewido security suite is now known as ewido anti-malware. If additional information is needed, click A Quick Guide.

Please download and install ewido anti-malware v3.5. If ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them - these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido by double-clicking the "e" icon on your desktop.
The program will now go to the main screen.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click "Update".
- Then click on "Start Update".
- The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, click Update ewido.
- After the update finishes, the status bar at the bottom will display "Update successful".
After the updates are installed, click on Scanner and select "Settings".
- Under the bottom section "What to Scan?" select "Scan every file".
- Select "OK" and you will return to scanning options.
Click on "Complete System Scan". This can take a while to complete so please be patient.
While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose "clean", then CHECK or UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually.
After the scan has completed, ewido will create a report.
There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop].
Exit ewido anti-malware when done.
Note: ewido is a free trial product for 14 days. Since ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.

Please post the contents of C:\vundofix.txt, the ewido anti-malware log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#5 Tengo51

New Member

New Member
7 posts

Posted 19 March 2006 - 03:57 PM

First here is the Ewido report

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:49:43 PM, 3/19/2006
+ Report-Checksum: 55FA6654

+ Scan result:

HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1078081533-630328440-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
:mozilla.27:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.42:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.44:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.49:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.50:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.51:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.52:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.55:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.56:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.57:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.58:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.59:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.60:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.61:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.62:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.63:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.66:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.72:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.73:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.74:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.75:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.76:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.90:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.91:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.92:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.94:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.95:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.96:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.97:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.98:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.99:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.101:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.102:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.103:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.104:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.105:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.106:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.108:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.112:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.113:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.114:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.115:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\y2ec5dq7.James\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@ads.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\emsw.exe -> Adware.HelpExpress : Cleaned with backup
C:\WINDOWS\system32\BO2809040510.exe -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.in : Cleaned with backup
C:\WINDOWS\system32\in9bjs.dll -> Dropper.Small.abe : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Downloader.PurityScan.bt : Cleaned with backup
C:\WINDOWS\system32\SplWbr.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\temp\win1BB.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win1C3.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win1DD.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win201.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win5C8.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win675.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win67C.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win691.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win6C4.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\temp\win6DE.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup

::Report End

Now the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:52:47 PM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\James\LOCALS~1\Temp\Rar$EX00.047\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cuhxqiy] C:\Documents and Settings\James\My Documents\a?sembly\w?auboot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: winypt32 - C:\WINDOWS\SYSTEM32\winypt32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 19 March 2006 - 04:00 PM

Please post the contents of C:\vundofix.txt,

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 Tengo51

New Member

New Member
7 posts

Posted 20 March 2006 - 02:20 PM

Right sorry here it is, I didn't think it was relevent since it didn't find anything VundoFix V4.2.35 Checking Java version... Java version is 1.5.0.4 Java version is 1.5.0.6 Scan started at 4:12:05 PM 3/19/2006 Listing files found while scanning.... No infected files were found. VundoFix V4.2.35 Checking Java version... Java version is 1.5.0.4 Java version is 1.5.0.6 Scan started at 3:08:40 PM 3/20/2006 Listing files found while scanning.... No infected files were found.

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 20 March 2006 - 03:35 PM

Important: Do this before any fix.

Please put your HijackThis in it's own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.

The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.

After the above:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

You have some trojans/viruses and I would not doubt that your files have become infected because of a P2P program.

Please uninstall Bearshare via Add/Remove Programs. Unless it's the paid for version.
Here is the list on 'good and bad':
http://www.spywarein...m/articles/p2p/

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
Viewpoint Toolbar

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Cuhxqiy] C:\Documents and Settings\James\My Documents\a?sembly\w?auboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123

O20 - Winlogon Notify: winypt32 - C:\WINDOWS\SYSTEM32\winypt32.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

delete these files if listed:
C:\WINDOWS\SYSTEM32\winypt32.dll

Open C:\Windows\Prefetch\ Delete ALL files in this folder.

Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 Tengo51

New Member

New Member
7 posts

Posted 21 March 2006 - 03:36 PM

I am still getting the annoying active x can't display this page.

Logfile of HijackThis v1.99.1
Scan saved at 4:24:46 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\win26.tmp.exe
C:\Documents and Settings\James\Desktop\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O20 - Winlogon Notify: winypt32 - C:\WINDOWS\SYSTEM32\winypt32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 21 March 2006 - 04:24 PM

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#11 Tengo51

New Member

New Member
7 posts

Posted 21 March 2006 - 10:19 PM

Still getting the message, I hope I am not becomeing annoying, I am not ready to give up yet. I really appreciate all you have done so far.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:53 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And now the spy sweeper:

********
9:30 PM: | Start of Session, Tuesday, March 21, 2006 |
9:30 PM: Spy Sweeper started
9:30 PM: Sweep initiated using definitions version 638
9:30 PM: Starting Memory Sweep
9:34 PM: Memory Sweep Complete, Elapsed Time: 00:03:26
9:34 PM: Starting Registry Sweep
9:34 PM: Found Trojan Horse: 2nd-thought
9:34 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
9:34 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
9:34 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
9:34 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
9:34 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
9:34 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
9:34 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
9:34 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
9:34 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
9:34 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
9:34 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
9:34 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
9:34 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
9:34 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
9:34 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
9:34 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
9:34 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
9:34 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
9:34 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
9:34 PM: Found Adware: tibs dialer
9:34 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
9:34 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
9:34 PM: Found Adware: virtualbouncer
9:34 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
9:34 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
9:34 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
9:34 PM: Found Adware: websearch toolbar
9:34 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow.dll\ (2 subtraces) (ID = 146481)
9:34 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow.dll (ID = 146496)
9:34 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
9:34 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
9:34 PM: Found Trojan Horse: trojan agent winlogonhook
9:34 PM: HKLM\software\microsoft\mssmgr\ (12 subtraces) (ID = 937101)
9:34 PM: Found Adware: isearch toolbar
9:34 PM: HKU\S-1-5-21-1078081533-630328440-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
9:34 PM: Registry Sweep Complete, Elapsed Time:00:00:16
9:34 PM: Starting Cookie Sweep
9:34 PM: Found Spy Cookie: 2o7.net cookie
9:34 PM: james@msnportal.112.2o7[1].txt (ID = 1958)
9:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
9:34 PM: Starting File Sweep
9:34 PM: c:\program files\common files\btlink (ID = -2147480047)
10:00 PM: innervbinstall.log (ID = 82805)
10:04 PM: Found Adware: spyfalcon fakealert
10:04 PM: ginuerep.dll (ID = 264454)
10:06 PM: Found Trojan Horse: hellz little spy
10:06 PM: hellzlittlespy.zip (ID = 62102)
10:19 PM: Found Adware: twain-tech
10:19 PM: twaintec.inf (ID = 81889)
10:19 PM: Found Adware: mindset interactive - favoriteman
10:19 PM: atpartners.inf (ID = 69817)
10:19 PM: Found Adware: directrevenue-abetterinternet
10:19 PM: alchem.inf (ID = 83109)
10:19 PM: polmx.inf (ID = 81856)
10:19 PM: Warning: Failed to access drive D:
10:19 PM: Warning: Failed to access drive E:
10:20 PM: Warning: Invalid Stream
10:20 PM: File Sweep Complete, Elapsed Time: 00:45:40
10:20 PM: Full Sweep has completed. Elapsed time 00:49:34
10:20 PM: Traces Found: 263
10:21 PM: Removal process initiated
10:22 PM: Quarantining All Traces: 2nd-thought
10:22 PM: Quarantining All Traces: directrevenue-abetterinternet
10:22 PM: Quarantining All Traces: websearch toolbar
10:22 PM: Quarantining All Traces: hellz little spy
10:22 PM: Quarantining All Traces: isearch toolbar
10:22 PM: Quarantining All Traces: mindset interactive - favoriteman
10:22 PM: Quarantining All Traces: tibs dialer
10:22 PM: Quarantining All Traces: trojan agent winlogonhook
10:22 PM: Quarantining All Traces: spyfalcon fakealert
10:22 PM: Quarantining All Traces: twain-tech
10:22 PM: Quarantining All Traces: virtualbouncer
10:22 PM: Quarantining All Traces: 2o7.net cookie
10:22 PM: Removal process completed. Elapsed time 00:00:34
********
9:28 PM: | Start of Session, Tuesday, March 21, 2006 |
9:28 PM: Spy Sweeper started
9:29 PM: Your spyware definitions have been updated.
9:30 PM: | End of Session, Tuesday, March 21, 2006 |

Edited by Tengo51, 21 March 2006 - 10:19 PM.

#12 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 22 March 2006 - 06:51 AM

Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here: With IE open: Click Tools> Internet Optioms> Securty> Custom Level ActiveX controls and plug-ins * Download signed ActiveX controls (Prompt) * Download unsigned ActiveX controls (Disable) * Initialize and script ActiveX controls not marked as safe (Disable) * Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX) * Script ActiveX controls marked safe for scripting (Prompt)

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#13 Tengo51

New Member

New Member
7 posts

Posted 23 March 2006 - 09:21 PM

I think that did it, so far I haven't gotten the annoying message. Thankes for the help. If I have any other problems. I'll let you know.

#14 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 23 March 2006 - 09:24 PM

Good Job

Log looks good

How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#15 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 24 March 2006 - 04:25 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme