HJT Log File - Please Review!


10 replies to this topic

#1 Cory Cunningham (New Member, 6 posts)

Posted 25 April 2006 - 06:32 PM

My computer was recently affected with the ubiquitous SpywareQuake system tray icon warning me my computer was plagued with spyware, and things went down the tubes very quickly. After following the instructions posted here and scanning my system with Ewido, Spybot, Ad-aware, Spysweeper, and nearly every other spyware program I could get my hands on, I think that I got rid of everything.

Could someone take a look at my HijackThis log to tell me if I'm truly clean? One thing that is bugging me is that in Internet Explorer, when I right click on the toolbar, along with Standard Buttons, Address Bar, etc., I have an option called "ICQ Toolbar." There are two spaces between ICQ and Toolbar, and I never downloaded it, so I know it's not the real thing. Also, it's listed in Add and Remove Programs, yet when I click to remove it, nothing happens. It's not affecting my computer in any way, so I'm not panicking, but I'd appreciate it if someone could tell me how to get rid of it.

Thanks in advance for your help - you guys are the best!

Cory

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:32:37 PM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SurfControl\CyberPatrol\cphq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\Program Files\SurfControl\CyberPatrol\cpACtrl.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\SurfControl\CyberPatrol\cpCCtrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SurfControl\CyberPatrol\cpkbinst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Cory\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.bat,
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ifacxqj] C:\WINDOWS\System32\oadsqh.exe
O4 - HKLM\..\Run: [COM Services] msc0nfig.bat
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CyberPatrolNew] "C:\Program Files\SurfControl\CyberPatrol\cphq.exe" /m
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: GO Messenger - {16E505F2-96ED-11D3-B986-00A0C99FB02A} - C:\Documents and Settings\Cory\Desktop\Sean's Folder\aim\dismsgr.exe (file missing)
O9 - Extra 'Tools' menuitem: GO Messenger - {16E505F2-96ED-11D3-B986-00A0C99FB02A} - C:\Documents and Settings\Cory\Desktop\Sean's Folder\aim\dismsgr.exe (file missing)
O9 - Extra button: @C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll (file missing)
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...lla/ext360.html
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveu...ntrols/cres.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://chat.microso...ects/emagic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.c.../printQuick.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {31150A86-0BBA-409F-BEB4-F3922D10BF34} (Gif89 Class) - http://www.absoluter...e.com/xplug.ocx
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v10/ticker.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comn...iveSecurity.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave...gwebinstall.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildt...uncherSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/Installer.exe
O16 - DPF: {C8A88E8D-9D33-4F01-80EC-E558545C0A9E} (Detector Class) - http://www.optimumon...s/xdetector.cab
O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} - http://www.starwood....bar/install.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://01.sharedsour...D_1.0.0.3ie.cab?
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra....svh/svideo3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave...ic/CMonline.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
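A small triage helper for the HijackThis log format posted above, added here as an example (it is not HijackThis code and not from the original poster). It flags the entry types a log reviewer would look at first in this log: add-ons marked "(file missing)", an F2 UserInit value that loads more than the stock userinit.exe, an O15 Trusted Zone entry, filenames that imitate a Windows binary by digit substitution (msc0nfig vs msconfig), and a file referenced from both F2 and a Run key. KNOWN_SYSTEM_NAMES is this example's own heuristic list, and SAMPLE_LOG is a constructed excerpt of the log above.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HJT code).

Parses the 'R3 - ...', 'F2 - ...', 'O4 - ...' style entry lines and reports
the kinds of lines that matter in the thread above. KNOWN_SYSTEM_NAMES is a
heuristic list written for this example; SAMPLE_LOG is a constructed excerpt.
"""
import re
from collections import defaultdict

# Heuristic: legitimate Windows binaries whose names malware likes to imitate.
KNOWN_SYSTEM_NAMES = {"msconfig", "svchost", "winlogon", "lsass", "explorer",
                      "userinit", "services", "csrss", "smss"}
# The only value a stock XP UserInit should contain (compared lower-cased).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A path or bare filename with an executable-ish extension. The character
# class stops at whitespace, quotes, commas and '=' so that UserInit's
# comma-separated list and 'Name=Value' pairs split into separate matches.
PATH_RE = re.compile(
    r'(?i)(?:[a-z]:\\|%windir%\\)?[^\s",=]*\.(?:exe|dll|bat|cmd|vbs|ocx)\b')


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_system_name(name):
    """Return the imitated name if `name` is a 0->o / 1->l / 3->e lookalike."""
    stem = name.rsplit(".", 1)[0].lower()
    if stem in KNOWN_SYSTEM_NAMES:
        return None  # the real thing, not a lookalike
    normalised = stem.translate(str.maketrans("013", "ole"))
    return normalised if normalised in KNOWN_SYSTEM_NAMES else None


def parse_entries(log_text):
    """Yield (section, body) for every 'Xn - body' entry line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return (section, reason, body) tuples an analyst should look at."""
    findings = []
    seen_in = defaultdict(set)  # basename -> sections that reference it
    for section, body in parse_entries(log_text):
        for path in PATH_RE.findall(body):
            name = basename(path)
            seen_in[name].add(section)
            mimic = looks_like_system_name(name)
            if mimic:
                findings.append((section, f"lookalike of {mimic}: {name}", body))
        if "(file missing)" in body:
            findings.append((section, "orphaned entry, file missing", body))
        if section == "F2":
            m = re.search(r"(?i)userinit=(.*)", body)
            if m:
                extra = [p.strip() for p in m.group(1).split(",")
                         if p.strip() and p.strip().lower() != STOCK_USERINIT]
                if extra:
                    findings.append((section, f"extra UserInit loader: {extra}", body))
        if section == "O15":
            findings.append((section, "Trusted Zone entry, confirm it is intended", body))
    # The same file loaded from UserInit and from another section (here a Run
    # key) is a stronger persistence signal than either line on its own.
    for name, sections in seen_in.items():
        if "F2" in sections and len(sections) > 1:
            others = sorted(sections - {"F2"})
            findings.append(("F2+", f"{name} also referenced from {others}", ""))
    return findings


# Constructed excerpt in the format of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.bat,
O4 - HKLM\..\Run: [ifacxqj] C:\WINDOWS\System32\oadsqh.exe
O4 - HKLM\..\Run: [COM Services] msc0nfig.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
        if body:
            print(f"    {body}")
```

Random-looking names such as the [ifacxqj] / oadsqh.exe pair are deliberately left to the reviewer; the helper only surfaces the structural signals it can verify.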



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 29 April 2006 - 07:12 AM

Hello Cory Cunningham, Welcome to the forum. Did you save the 'Results' from the Spy Sweeper scan? If so, can you post it?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom



#3 Cory Cunningham (New Member, 6 posts)

Posted 29 April 2006 - 03:45 PM

Thanks for replying - I appreciate your help. Yes, I do have a copy of the Spy Sweeper log. I ran it a few times since I had gotten the virus, so I'll post all of them over two posts.

7:29 PM: | Start of Session, Monday, April 24, 2006 |
7:29 PM: Spy Sweeper started
7:29 PM: Sweep initiated using definitions version 663
7:29 PM: Found Adware: security2k hijacker
7:29 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || nvctrl.exe (ID = 1052559)
7:29 PM: nvctrl.exe (ID = 1052559)
7:29 PM: Found Trojan Horse: trojan-downloader-zlob
7:29 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 1052560)
7:29 PM: mssearchnet.exe (ID = 1052560)
7:29 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561)
7:29 PM: dfrgsrv.exe (ID = 1052561)
7:29 PM: Starting Memory Sweep
7:29 PM: Sweep Canceled
7:29 PM: Memory Sweep Complete, Elapsed Time: 00:00:05
7:29 PM: Traces Found: 6
7:29 PM: Removal process initiated
7:29 PM: Quarantining All Traces: security2k hijacker
7:29 PM: Quarantining All Traces: trojan-downloader-zlob
7:29 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
7:29 PM: mssearchnet.exe is in use. It will be removed on reboot.
7:29 PM: Removal process completed. Elapsed time 00:00:03
7:29 PM: | End of Session, Monday, April 24, 2006 |
********
2:00 AM: | Start of Session, Monday, April 24, 2006 |
2:00 AM: Spy Sweeper started
2:00 AM: Sweep initiated using definitions version 663
2:00 AM: Starting Memory Sweep
2:03 AM: Found Adware: purityscan
2:03 AM: Detected running threat: C:\Documents and Settings\Cory\My Documents\??stem32\msdtc.exe (ID = 230)
2:04 AM: Memory Sweep Complete, Elapsed Time: 00:03:58
2:04 AM: Starting Registry Sweep
2:04 AM: Found Adware: coolwebsearch (cws)
2:04 AM: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 107171)
2:04 AM: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 108560)
2:04 AM: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
2:04 AM: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
2:04 AM: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
2:04 AM: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
2:04 AM: HKLM\software\clickspring\ (2 subtraces) (ID = 137699)
2:04 AM: Found Trojan Horse: trojan agent winlogonhook
2:04 AM: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
2:04 AM: Found Adware: lopdotcom
2:04 AM: HKU\S-1-5-21-2703944788-4168273537-3479383672-1007\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
2:04 AM: Registry Sweep Complete, Elapsed Time:00:00:24
2:04 AM: Starting Cookie Sweep
2:04 AM: Found Spy Cookie: 2o7.net cookie
2:04 AM: cory@2o7[1].txt (ID = 1957)
2:04 AM: Found Spy Cookie: 80503492 cookie
2:04 AM: cory@80503492[1].txt (ID = 2013)
2:04 AM: Found Spy Cookie: yieldmanager cookie
2:04 AM: cory@ad.yieldmanager[2].txt (ID = 3751)
2:04 AM: Found Spy Cookie: adknowledge cookie
2:04 AM: cory@adknowledge[2].txt (ID = 2072)
2:04 AM: Found Spy Cookie: specificclick.com cookie
2:04 AM: cory@adopt.specificclick[2].txt (ID = 3400)
2:04 AM: Found Spy Cookie: adrevolver cookie
2:04 AM: cory@adrevolver[1].txt (ID = 2088)
2:04 AM: cory@adrevolver[2].txt (ID = 2088)
2:04 AM: Found Spy Cookie: advertising cookie
2:04 AM: cory@advertising[1].txt (ID = 2175)
2:04 AM: Found Spy Cookie: atlas dmt cookie
2:04 AM: cory@atdmt[2].txt (ID = 2253)
2:04 AM: Found Spy Cookie: go.com cookie
2:04 AM: cory@broadband.espn.go[1].txt (ID = 2729)
2:04 AM: Found Spy Cookie: burstnet cookie
2:04 AM: cory@burstnet[2].txt (ID = 2336)
2:04 AM: cory@cbs.112.2o7[1].txt (ID = 1958)
2:04 AM: Found Spy Cookie: clickbank cookie
2:04 AM: cory@clickbank[2].txt (ID = 2398)
2:04 AM: Found Spy Cookie: hitslink cookie
2:04 AM: cory@counter2.hitslink[2].txt (ID = 2790)
2:04 AM: Found Spy Cookie: 360i cookie
2:04 AM: cory@ct.360i[1].txt (ID = 1962)
2:04 AM: cory@dealnews.122.2o7[1].txt (ID = 1958)
2:04 AM: cory@espn.go[1].txt (ID = 2729)
2:04 AM: Found Spy Cookie: excite cookie
2:04 AM: cory@excite[1].txt (ID = 2631)
2:04 AM: cory@go[2].txt (ID = 2728)
2:04 AM: Found Spy Cookie: maxserving cookie
2:04 AM: cory@maxserving[1].txt (ID = 2966)
2:04 AM: Found Spy Cookie: mediaplex cookie
2:04 AM: cory@mediaplex[2].txt (ID = 6442)
2:04 AM: cory@msnportal.112.2o7[1].txt (ID = 1958)
2:04 AM: Found Spy Cookie: nextag cookie
2:04 AM: cory@nextag[1].txt (ID = 5014)
2:04 AM: Found Spy Cookie: overture cookie
2:04 AM: cory@overture[1].txt (ID = 3105)
2:04 AM: cory@rsi.espn.go[1].txt (ID = 2729)
2:04 AM: Found Spy Cookie: server.iad.liveperson cookie
2:04 AM: cory@server.iad.liveperson[2].txt (ID = 3341)
2:04 AM: cory@sports.espn.go[2].txt (ID = 2729)
2:04 AM: Found Spy Cookie: trafficmp cookie
2:04 AM: cory@trafficmp[2].txt (ID = 3581)
2:04 AM: Found Spy Cookie: stopzilla cookie
2:04 AM: cory@www.stopzilla[1].txt (ID = 3466)
2:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:19
2:04 AM: Starting File Sweep
2:07 AM: winres.dll (ID = 282896)
2:45 AM: File Sweep Complete, Elapsed Time: 00:40:52
2:45 AM: Full Sweep has completed. Elapsed time 00:45:39
2:45 AM: Traces Found: 91
2:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:39 AM: Removal process initiated
6:39 AM: Quarantining All Traces: lopdotcom
6:39 AM: Quarantining All Traces: purityscan
6:39 AM: Quarantining All Traces: trojan agent winlogonhook
6:39 AM: Quarantining All Traces: 2o7.net cookie
6:39 AM: Quarantining All Traces: 360i cookie
6:39 AM: Quarantining All Traces: 80503492 cookie
6:39 AM: Quarantining All Traces: adknowledge cookie
6:39 AM: Quarantining All Traces: adrevolver cookie
6:39 AM: Quarantining All Traces: advertising cookie
6:39 AM: Quarantining All Traces: atlas dmt cookie
6:39 AM: Quarantining All Traces: burstnet cookie
6:39 AM: Quarantining All Traces: clickbank cookie
6:39 AM: Quarantining All Traces: excite cookie
6:39 AM: Quarantining All Traces: go.com cookie
6:39 AM: Quarantining All Traces: hitslink cookie
6:39 AM: Quarantining All Traces: maxserving cookie
6:39 AM: Quarantining All Traces: mediaplex cookie
6:39 AM: Quarantining All Traces: nextag cookie
6:39 AM: Quarantining All Traces: overture cookie
6:39 AM: Quarantining All Traces: server.iad.liveperson cookie
6:39 AM: Quarantining All Traces: specificclick.com cookie
6:39 AM: Quarantining All Traces: stopzilla cookie
6:39 AM: Quarantining All Traces: trafficmp cookie
6:39 AM: Quarantining All Traces: yieldmanager cookie
6:39 AM: Quarantining All Traces: coolwebsearch (cws)
6:40 AM: Removal process completed. Elapsed time 00:00:20
6:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
10:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
10:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
10:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
10:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
11:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
11:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
11:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
11:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
12:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
12:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
1:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
1:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
1:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
1:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:13 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:13 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:13 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:13 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:17 PM: ActiveX Shield: found: Adware: coolwebsearch (cws), version 1.0.0.0 -- Installation denied
7:17 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution allowed at user request
7:17 PM: The Spy Communication shield has blocked access to: www.mt-download.com
7:17 PM: The Spy Communication shield has blocked access to: www.mt-download.com
7:18 PM: The Spy Communication shield has blocked access to: boostservice.com
7:18 PM: The Spy Communication shield has blocked access to: boostservice.com
7:21 PM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\1024\LD8F20.TMP -- IE Security modification allowed at user request
7:21 PM: BHO Shield: found: hp9C5E.tmp -- BHO installation allowed at user request
7:23 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0
7:23 PM: Ignored memory-resident threat: trojan-downloader-aux
7:28 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution Denied
7:28 PM: Processing Startup Alerts
7:28 PM: Removed Startup entry: Aida
7:28 PM: Removed Startup entry: Rqpmerjt
7:28 PM: Processing Internet Explorer Favorites Alerts
7:28 PM: Removed IE Favorite: Antivirus Test Online
7:29 PM: Updating spyware definitions
7:29 PM: Your definitions are up to date.
7:29 PM: | End of Session, Monday, April 24, 2006 |
********
4:24 PM: | Start of Session, Sunday, April 23, 2006 |
4:24 PM: Spy Sweeper started
4:24 PM: Sweep initiated using definitions version 663
4:24 PM: Starting Memory Sweep
4:31 PM: Memory Sweep Complete, Elapsed Time: 00:07:07
4:31 PM: Starting Registry Sweep
4:31 PM: Found Adware: coolwebsearch (cws)
4:31 PM: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 107171)
4:31 PM: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 108560)
4:31 PM: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
4:31 PM: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
4:31 PM: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
4:31 PM: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
4:31 PM: Found Trojan Horse: trojan agent winlogonhook
4:31 PM: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
4:32 PM: Registry Sweep Complete, Elapsed Time:00:01:03
4:32 PM: Starting Cookie Sweep
4:33 PM: Found Spy Cookie: specificclick.com cookie
4:33 PM: cory@adopt.specificclick[2].txt (ID = 3400)
4:33 PM: Found Spy Cookie: advertising cookie
4:33 PM: cory@advertising[1].txt (ID = 2175)
4:33 PM: Found Spy Cookie: atlas dmt cookie
4:33 PM: cory@atdmt[2].txt (ID = 2253)
4:33 PM: Found Spy Cookie: casalemedia cookie
4:33 PM: cory@casalemedia[1].txt (ID = 2354)
4:33 PM: Found Spy Cookie: excite cookie
4:33 PM: cory@excite[1].txt (ID = 2631)
4:33 PM: Found Spy Cookie: webtrends cookie
4:33 PM: cory@m.webtrends[1].txt (ID = 3669)
4:33 PM: Found Spy Cookie: maxserving cookie
4:33 PM: cory@maxserving[1].txt (ID = 2966)
4:33 PM: Found Spy Cookie: nextag cookie
4:33 PM: cory@nextag[1].txt (ID = 5014)
4:33 PM: Found Spy Cookie: questionmarket cookie
4:33 PM: cory@questionmarket[1].txt (ID = 3217)
4:33 PM: Found Spy Cookie: tradedoubler cookie
4:33 PM: cory@tradedoubler[1].txt (ID = 3575)
4:33 PM: Found Spy Cookie: trafficmp cookie
4:33 PM: cory@trafficmp[2].txt (ID = 3581)
4:33 PM: Found Spy Cookie: tribalfusion cookie
4:33 PM: cory@tribalfusion[1].txt (ID = 3589)
4:33 PM: Cookie Sweep Complete, Elapsed Time: 00:01:10
4:33 PM: Starting File Sweep
6:48 PM: File Sweep Complete, Elapsed Time: 02:15:03
6:48 PM: Full Sweep has completed. Elapsed time 02:24:48
6:48 PM: Traces Found: 68
6:49 PM: Removal process initiated
6:49 PM: Quarantining All Traces: coolwebsearch (cws)
6:49 PM: Quarantining All Traces: trojan agent winlogonhook
6:49 PM: Quarantining All Traces: specificclick.com cookie
6:49 PM: Quarantining All Traces: advertising cookie
6:49 PM: Quarantining All Traces: atlas dmt cookie
6:49 PM: Quarantining All Traces: casalemedia cookie
6:49 PM: Quarantining All Traces: excite cookie
6:49 PM: Quarantining All Traces: webtrends cookie
6:49 PM: Quarantining All Traces: maxserving cookie
6:49 PM: Quarantining All Traces: nextag cookie
6:49 PM: Quarantining All Traces: questionmarket cookie
6:49 PM: Quarantining All Traces: tradedoubler cookie
6:49 PM: Quarantining All Traces: trafficmp cookie
6:49 PM: Quarantining All Traces: tribalfusion cookie
6:49 PM: Removal process completed.
Elapsed time 00:00:25 7:05 PM: Deletion from quarantine initiated 7:05 PM: Processing: 247realmedia cookie 7:05 PM: Processing: 2o7.net cookie 7:05 PM: Processing: 360i cookie 7:05 PM: Processing: a cookie 7:05 PM: Processing: about cookie 7:05 PM: Processing: addynamix cookie 7:05 PM: Processing: adjuggler cookie 7:05 PM: Processing: adknowledge cookie 7:05 PM: Processing: adrevolver cookie 7:05 PM: Processing: adserver cookie 7:05 PM: Processing: adtech cookie 7:05 PM: Processing: advertising cookie 7:05 PM: Processing: adviva cookie 7:05 PM: Processing: apmebf cookie 7:05 PM: Processing: ask cookie 7:05 PM: Processing: atlas dmt cookie 7:05 PM: Processing: atwola cookie 7:05 PM: Processing: azjmp cookie 7:05 PM: Processing: banner cookie 7:05 PM: Processing: bannerspace cookie 7:05 PM: Processing: bizrate cookie 7:05 PM: Processing: bluestreak cookie 7:05 PM: Processing: bravenet cookie 7:05 PM: Processing: burstbeacon cookie 7:05 PM: Processing: burstnet cookie 7:05 PM: Processing: casalemedia cookie 7:05 PM: Processing: centrport net cookie 7:05 PM: Processing: clickzs cookie 7:05 PM: Processing: coolwebsearch (cws) 7:05 PM: Processing: coremetrics cookie 7:05 PM: Processing: dealtime cookie 7:05 PM: Processing: did-it cookie 7:05 PM: Processing: domainsponsor cookie 7:05 PM: Processing: excite cookie 7:05 PM: Processing: falkag cookie 7:05 PM: Processing: fastclick cookie 7:05 PM: Processing: fortunecity cookie 7:05 PM: Processing: go.com cookie 7:05 PM: Processing: hbmediapro cookie 7:05 PM: Processing: hitslink cookie 7:05 PM: Processing: hotbar cookie 7:05 PM: Processing: hotlog cookie 7:05 PM: Processing: ic-live cookie 7:05 PM: Processing: infospace cookie 7:05 PM: Processing: l2m.net cookie 7:05 PM: Processing: linksynergy cookie 7:05 PM: Processing: maxserving cookie 7:05 PM: Processing: mediaplex cookie 7:05 PM: Processing: military cookie 7:05 PM: Processing: monstermarketplace cookie 7:05 PM: Processing: myaffiliateprogram.com cookie 7:05 PM: 
Processing: nextag cookie 7:05 PM: Processing: offeroptimizer cookie 7:05 PM: Processing: onestat.com cookie 7:05 PM: Processing: overture cookie 7:05 PM: Processing: partypoker cookie 7:05 PM: Processing: paycounter cookie 7:05 PM: Processing: pointroll cookie 7:05 PM: Processing: pricegrabber cookie 7:06 PM: Processing: pro-market cookie 7:06 PM: Processing: pub cookie 7:06 PM: Processing: qksrv cookie 7:06 PM: Processing: qsrch cookie 7:06 PM: Processing: questionmarket cookie 7:06 PM: Processing: realmedia cookie 7:06 PM: Processing: realtracker cookie 7:06 PM: Processing: revenue.net cookie 7:06 PM: Processing: ru4 cookie 7:06 PM: Processing: security2k hijacker 7:06 PM: Processing: servedby advertising cookie 7:06 PM: Processing: server.iad.liveperson cookie 7:06 PM: Processing: serving-sys cookie 7:06 PM: Processing: servlet cookie 7:06 PM: Processing: sextracker cookie 7:06 PM: Processing: specificclick.com cookie 7:06 PM: Processing: spygraphica 7:06 PM: Processing: spylog cookie 7:06 PM: Processing: starware.com cookie 7:06 PM: Processing: statcounter cookie 7:06 PM: Processing: tacoda cookie 7:06 PM: Processing: toplist cookie 7:06 PM: Processing: tradedoubler cookie 7:06 PM: Processing: trafficmp cookie 7:06 PM: Processing: tribalfusion cookie 7:06 PM: Processing: tripod cookie 7:06 PM: Processing: trojan agent winlogonhook 7:06 PM: Processing: trojan-downloader-errlook 7:06 PM: Processing: trojan-downloader-zlob 7:06 PM: Processing: webhancer 7:06 PM: Processing: websponsors cookie 7:06 PM: Processing: web-stat cookie 7:06 PM: Processing: webtrends cookie 7:06 PM: Processing: webtrendslive cookie 7:06 PM: Processing: x10 cookie 7:06 PM: Processing: xiti cookie 7:06 PM: Processing: yadro cookie 7:06 PM: Processing: yieldmanager cookie 7:06 PM: Processing: zedo cookie 7:06 PM: Deletion from quarantine completed. 
Elapsed time 00:00:37 7:19 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 7:19 PM: Ignored memory-resident threat: trojan-downloader-aux 8:51 PM: The Spy Communication shield has blocked access to: www.mt-download.com 8:51 PM: The Spy Communication shield has blocked access to: www.mt-download.com 8:52 PM: ActiveX Shield: found: Adware: coolwebsearch (cws), version 1.0.0.0 -- Installation denied 8:52 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution allowed at user request 8:52 PM: BHO Shield: found: -- BHO installation denied at user request 8:52 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 8:52 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 8:52 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 8:52 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 8:53 PM: The Spy Communication shield has blocked access to: boostservice.com 8:53 PM: The Spy Communication shield has blocked access to: boostservice.com 9:22 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 9:22 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 9:22 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 9:22 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 9:31 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 9:31 PM: Ignored memory-resident threat: trojan-downloader-aux 9:44 PM: BHO Shield: found: -- BHO installation allowed at user request 9:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 9:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 10:23 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 10:23 PM: The Spy Communication shield has blocked 
access to: campaigns.outerinfo.com 10:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 10:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 11:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 11:53 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 12:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 12:23 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 12:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 12:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 1:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 1:53 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com 2:00 AM: A scheduled sweep will now start. 2:00 AM: | End of Session, Monday, April 24, 2006 | ******** 12:40 PM: | Start of Session, Sunday, April 23, 2006 | 12:40 PM: Spy Sweeper started 12:40 PM: Sweep initiated using definitions version 663 12:40 PM: Found Trojan Horse: trojan-downloader-zlob 12:40 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561) 12:40 PM: dfrgsrv.exe (ID = 1052561) 12:40 PM: Starting Memory Sweep 12:41 PM: The Spy Communication shield has blocked access to: boostservice.com 12:41 PM: The Spy Communication shield has blocked access to: boostservice.com 12:41 PM: Sweep Canceled 12:41 PM: Memory Sweep Complete, Elapsed Time: 00:01:27 12:41 PM: Traces Found: 2 12:41 PM: Removal process initiated 12:41 PM: Quarantining All Traces: trojan-downloader-zlob 12:41 PM: Removal process completed. 
Elapsed time 00:00:00 12:42 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution Denied 12:48 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 12:48 PM: Ignored memory-resident threat: trojan-downloader-aux 1:05 PM: BHO Shield: found: iesdpb.dll-- BHO installation allowed at user request 1:05 PM: BHO Shield: found: iesdsg.dll-- BHO installation allowed at user request 2:02 PM: IE Security Shield: found: C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE -- IE Security modification allowed at user request 2:02 PM: Processing Startup Alerts 2:02 PM: Allowed Startup entry: Spyware Doctor 2:18 PM: ActiveX Shield: found: Adware: coolwebsearch (cws), version 1.0.0.0 -- Installation denied 2:18 PM: BHO Shield: found: -- BHO installation denied at user request 2:18 PM: The Spy Communication shield has blocked access to: www.mt-download.com 2:18 PM: The Spy Communication shield has blocked access to: www.mt-download.com 2:19 PM: The Spy Communication shield has blocked access to: boostservice.com 2:19 PM: The Spy Communication shield has blocked access to: boostservice.com 2:21 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 2:21 PM: Ignored memory-resident threat: trojan-downloader-aux 2:36 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 2:36 PM: Ignored memory-resident threat: trojan-downloader-aux 4:23 PM: Program Version 4.5.9 (Build 709) Using Spyware Definitions 663 4:24 PM: | End of Session, Sunday, April 23, 2006 | ******** 12:39 PM: | Start of Session, Sunday, April 23, 2006 | 12:39 PM: Spy Sweeper started 12:39 PM: Sweep initiated using definitions version 663 12:39 PM: Found Trojan Horse: trojan-downloader-zlob 12:39 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561) 12:39 PM: dfrgsrv.exe (ID = 1052561) 12:39 PM: Starting Memory Sweep 12:39 PM: Sweep Canceled 12:39 PM: 
Memory Sweep Complete, Elapsed Time: 00:00:06 12:39 PM: Traces Found: 2 12:39 PM: Removal process initiated 12:39 PM: Quarantining All Traces: trojan-downloader-zlob 12:39 PM: Removal process completed. Elapsed time 00:00:01 12:39 PM: Updating spyware definitions 12:40 PM: Your definitions are up to date. 12:40 PM: | End of Session, Sunday, April 23, 2006 | ******** 9:01 AM: | Start of Session, Sunday, April 23, 2006 | 9:01 AM: Spy Sweeper started 9:01 AM: Sweep initiated using definitions version 663 9:01 AM: Starting Memory Sweep 9:11 AM: Memory Sweep Complete, Elapsed Time: 00:09:10 9:11 AM: Starting Registry Sweep 9:11 AM: Found Adware: coolwebsearch (cws) 9:11 AM: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808) 9:11 AM: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809) 9:11 AM: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518) 9:11 AM: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519) 9:11 AM: Found Adware: security2k hijacker 9:11 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573) 9:11 AM: Found Trojan Horse: trojan agent winlogonhook 9:11 AM: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101) 9:11 AM: Registry Sweep Complete, Elapsed Time:00:00:21 9:11 AM: Starting Cookie Sweep 9:11 AM: Found Spy Cookie: 2o7.net cookie 9:11 AM: cory@122.2o7[2].txt (ID = 1958) 9:11 AM: Found Spy Cookie: 247realmedia cookie 9:11 AM: cory@247realmedia[1].txt (ID = 1953) 9:11 AM: cory@2o7[2].txt (ID = 1957) 9:11 AM: Found Spy Cookie: websponsors cookie 9:11 AM: cory@a.websponsors[2].txt (ID = 3665) 9:11 AM: Found Spy Cookie: go.com cookie 9:11 AM: cory@abc.go[1].txt (ID = 2729) 9:11 AM: cory@abclocal.go[2].txt (ID = 2729) 9:11 AM: cory@abcnews.go[1].txt (ID = 2729) 9:11 AM: Found Spy Cookie: about cookie 9:11 AM: cory@about[2].txt (ID = 2037) 9:11 AM: Found Spy Cookie: yieldmanager cookie 9:11 AM: cory@ad.yieldmanager[2].txt (ID = 3751) 
9:11 AM: Found Spy Cookie: adknowledge cookie 9:11 AM: cory@adknowledge[2].txt (ID = 2072) 9:11 AM: Found Spy Cookie: specificclick.com cookie 9:11 AM: cory@adopt.specificclick[1].txt (ID = 3400) 9:11 AM: Found Spy Cookie: addynamix cookie 9:11 AM: cory@ads.addynamix[1].txt (ID = 2062) 9:11 AM: Found Spy Cookie: pointroll cookie 9:11 AM: cory@ads.pointroll[1].txt (ID = 3148) 9:11 AM: Found Spy Cookie: adtech cookie 9:11 AM: cory@adtech[2].txt (ID = 2155) 9:11 AM: Found Spy Cookie: advertising cookie 9:11 AM: cory@advertising[2].txt (ID = 2175) 9:11 AM: Found Spy Cookie: adviva cookie 9:11 AM: cory@adviva[2].txt (ID = 2177) 9:11 AM: Found Spy Cookie: falkag cookie 9:11 AM: cory@as-us.falkag[2].txt (ID = 2650) 9:11 AM: Found Spy Cookie: ask cookie 9:11 AM: cory@ask[1].txt (ID = 2245) 9:11 AM: Found Spy Cookie: atlas dmt cookie 9:11 AM: cory@atdmt[2].txt (ID = 2253) 9:11 AM: Found Spy Cookie: atwola cookie 9:11 AM: cory@atwola[1].txt (ID = 2255) 9:11 AM: Found Spy Cookie: a cookie 9:11 AM: cory@a[1].txt (ID = 2027) 9:11 AM: Found Spy Cookie: bizrate cookie 9:11 AM: cory@bizrate[2].txt (ID = 2308) 9:11 AM: Found Spy Cookie: bluestreak cookie 9:11 AM: cory@bluestreak[2].txt (ID = 2314) 9:11 AM: Found Spy Cookie: burstnet cookie 9:11 AM: cory@burstnet[1].txt (ID = 2336) 9:11 AM: Found Spy Cookie: zedo cookie 9:11 AM: cory@c1.zedo[1].txt (ID = 3763) 9:11 AM: Found Spy Cookie: pricegrabber cookie 9:11 AM: cory@camcorderinfo.pricegrabber[2].txt (ID = 3186) 9:11 AM: Found Spy Cookie: casalemedia cookie 9:11 AM: cory@casalemedia[2].txt (ID = 2354) 9:11 AM: cory@cnn.122.2o7[1].txt (ID = 1958) 9:11 AM: Found Spy Cookie: coremetrics cookie 9:11 AM: cory@data.coremetrics[1].txt (ID = 2472) 9:11 AM: Found Spy Cookie: overture cookie 9:11 AM: cory@data2.perf.overture[2].txt (ID = 3106) 9:11 AM: cory@data3.perf.overture[1].txt (ID = 3106) 9:11 AM: Found Spy Cookie: dealtime cookie 9:11 AM: cory@dealtime[2].txt (ID = 2505) 9:11 AM: cory@desktopvideo.about[2].txt (ID = 2038) 9:11 AM: 
Found Spy Cookie: ru4 cookie 9:11 AM: cory@edge.ru4[1].txt (ID = 3269) 9:11 AM: cory@entrepreneur.122.2o7[1].txt (ID = 1958) 9:11 AM: Found Spy Cookie: excite cookie 9:11 AM: cory@excite[2].txt (ID = 2631) 9:11 AM: Found Spy Cookie: fastclick cookie 9:11 AM: cory@fastclick[2].txt (ID = 2651) 9:11 AM: cory@forums.go[1].txt (ID = 2729) 9:11 AM: cory@go[1].txt (ID = 2728) 9:11 AM: Found Spy Cookie: domainsponsor cookie 9:11 AM: cory@landing.domainsponsor[1].txt (ID = 2535) 9:11 AM: Found Spy Cookie: linksynergy cookie 9:11 AM: cory@linksynergy[1].txt (ID = 2926) 9:11 AM: Found Spy Cookie: webtrends cookie 9:11 AM: cory@m.webtrends[2].txt (ID = 3669) 9:11 AM: Found Spy Cookie: maxserving cookie 9:11 AM: cory@maxserving[1].txt (ID = 2966) 9:11 AM: cory@media.fastclick[2].txt (ID = 2652) 9:11 AM: Found Spy Cookie: mediaplex cookie 9:11 AM: cory@mediaplex[2].txt (ID = 6442) 9:11 AM: cory@microsofteup.112.2o7[1].txt (ID = 1958) 9:11 AM: Found Spy Cookie: nextag cookie 9:11 AM: cory@nextag[1].txt (ID = 5014) 9:11 AM: cory@overture[1].txt (ID = 3105) 9:11 AM: Found Spy Cookie: paycounter cookie 9:11 AM: cory@paycounter[1].txt (ID = 3115) 9:11 AM: cory@perf.overture[1].txt (ID = 3106) 9:11 AM: cory@pinnaclesystems.122.2o7[1].txt (ID = 1958) 9:11 AM: cory@pricegrabber[1].txt (ID = 3185) 9:11 AM: cory@qantasairways.122.2o7[1].txt (ID = 1958) 9:11 AM: Found Spy Cookie: questionmarket cookie 9:11 AM: cory@questionmarket[1].txt (ID = 3217) 9:11 AM: Found Spy Cookie: realmedia cookie 9:11 AM: cory@realmedia[1].txt (ID = 3235) 9:11 AM: Found Spy Cookie: revenue.net cookie 9:11 AM: cory@revenue[1].txt (ID = 3257) 9:11 AM: Found Spy Cookie: adjuggler cookie 9:11 AM: cory@rotator.adjuggler[1].txt (ID = 2071) 9:11 AM: cory@sel.as-us.falkag[1].txt (ID = 2650) 9:11 AM: Found Spy Cookie: server.iad.liveperson cookie 9:11 AM: cory@server.iad.liveperson[1].txt (ID = 3341) 9:11 AM: Found Spy Cookie: serving-sys cookie 9:11 AM: cory@serving-sys[1].txt (ID = 3343) 9:11 AM: 
cory@sonycorporate.122.2o7[1].txt (ID = 1958) 9:11 AM: cory@stat.dealtime[1].txt (ID = 2506) 9:11 AM: Found Spy Cookie: onestat.com cookie 9:11 AM: cory@stat.onestat[2].txt (ID = 3098) 9:11 AM: Found Spy Cookie: statcounter cookie 9:11 AM: cory@statcounter[1].txt (ID = 3447) 9:11 AM: Found Spy Cookie: webtrendslive cookie 9:11 AM: cory@statse.webtrendslive[2].txt (ID = 3667) 9:11 AM: Found Spy Cookie: tacoda cookie 9:11 AM: cory@tacoda[2].txt (ID = 6444) 9:11 AM: Found Spy Cookie: tradedoubler cookie 9:11 AM: cory@tradedoubler[2].txt (ID = 3575) 9:11 AM: Found Spy Cookie: trafficmp cookie 9:11 AM: cory@trafficmp[1].txt (ID = 3581) 9:11 AM: Found Spy Cookie: tribalfusion cookie 9:11 AM: cory@tribalfusion[2].txt (ID = 3589) 9:11 AM: cory@twci.coremetrics[1].txt (ID = 2472) 9:11 AM: Found Spy Cookie: clickzs cookie 9:11 AM: cory@vip.clickzs[1].txt (ID = 2413) 9:11 AM: cory@www.abcnews.go[2].txt (ID = 2729) 9:11 AM: Found Spy Cookie: burstbeacon cookie 9:11 AM: cory@www.burstbeacon[2].txt (ID = 2335) 9:11 AM: cory@www.dealtime[1].txt (ID = 2506) 9:11 AM: Found Spy Cookie: xiti cookie 9:11 AM: cory@xiti[1].txt (ID = 3717) 9:11 AM: Found Spy Cookie: adserver cookie 9:11 AM: cory@z1.adserver[1].txt (ID = 2142) 9:11 AM: cory@zedo[1].txt (ID = 3762) 9:11 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03 9:12 AM: Starting File Sweep 9:49 AM: Found Trojan Horse: trojan-downloader-errlook 9:49 AM: wizp32[1].exe (ID = 283245) 9:50 AM: win754.tmp.exe (ID = 283245) 10:37 AM: Sweep Canceled 10:37 AM: File Sweep Complete, Elapsed Time: 01:25:18 10:37 AM: Traces Found: 116 10:37 AM: Removal process initiated 10:37 AM: Quarantining All Traces: security2k hijacker 10:37 AM: Quarantining All Traces: coolwebsearch (cws) 10:37 AM: Quarantining All Traces: trojan agent winlogonhook 10:37 AM: Quarantining All Traces: trojan-downloader-errlook 10:37 AM: Quarantining All Traces: 247realmedia cookie 10:37 AM: Quarantining All Traces: 2o7.net cookie 10:37 AM: Quarantining All Traces: a cookie 
10:37 AM: Quarantining All Traces: about cookie 10:37 AM: Quarantining All Traces: addynamix cookie 10:37 AM: Quarantining All Traces: adjuggler cookie 10:37 AM: Quarantining All Traces: adknowledge cookie 10:37 AM: Quarantining All Traces: adserver cookie 10:37 AM: Quarantining All Traces: adtech cookie 10:37 AM: Quarantining All Traces: advertising cookie 10:37 AM: Quarantining All Traces: adviva cookie 10:37 AM: Quarantining All Traces: ask cookie 10:37 AM: Quarantining All Traces: atlas dmt cookie 10:37 AM: Quarantining All Traces: atwola cookie 10:37 AM: Quarantining All Traces: bizrate cookie 10:37 AM: Quarantining All Traces: bluestreak cookie 10:37 AM: Quarantining All Traces: burstbeacon cookie 10:37 AM: Quarantining All Traces: burstnet cookie 10:37 AM: Quarantining All Traces: casalemedia cookie 10:37 AM: Quarantining All Traces: clickzs cookie 10:37 AM: Quarantining All Traces: coremetrics cookie 10:37 AM: Quarantining All Traces: dealtime cookie 10:37 AM: Quarantining All Traces: domainsponsor cookie 10:37 AM: Quarantining All Traces: excite cookie 10:37 AM: Quarantining All Traces: falkag cookie 10:37 AM: Quarantining All Traces: fastclick cookie 10:37 AM: Quarantining All Traces: go.com cookie 10:37 AM: Quarantining All Traces: linksynergy cookie 10:37 AM: Quarantining All Traces: maxserving cookie 10:37 AM: Quarantining All Traces: mediaplex cookie 10:37 AM: Quarantining All Traces: nextag cookie 10:37 AM: Quarantining All Traces: onestat.com cookie 10:37 AM: Quarantining All Traces: overture cookie 10:37 AM: Quarantining All Traces: paycounter cookie 10:37 AM: Quarantining All Traces: pointroll cookie 10:37 AM: Quarantining All Traces: pricegrabber cookie 10:37 AM: Quarantining All Traces: questionmarket cookie 10:37 AM: Quarantining All Traces: realmedia cookie 10:37 AM: Quarantining All Traces: revenue.net cookie 10:37 AM: Quarantining All Traces: ru4 cookie 10:37 AM: Quarantining All Traces: server.iad.liveperson cookie 10:37 AM: Quarantining 
All Traces: serving-sys cookie 10:37 AM: Quarantining All Traces: specificclick.com cookie 10:37 AM: Quarantining All Traces: statcounter cookie 10:37 AM: Quarantining All Traces: tacoda cookie 10:37 AM: Quarantining All Traces: tradedoubler cookie 10:37 AM: Quarantining All Traces: trafficmp cookie 10:37 AM: Quarantining All Traces: tribalfusion cookie 10:37 AM: Quarantining All Traces: websponsors cookie 10:37 AM: Quarantining All Traces: webtrends cookie 10:37 AM: Quarantining All Traces: webtrendslive cookie 10:37 AM: Quarantining All Traces: xiti cookie 10:37 AM: Quarantining All Traces: yieldmanager cookie 10:37 AM: Quarantining All Traces: zedo cookie 10:37 AM: Removal process completed. Elapsed time 00:00:29 10:43 AM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0 10:43 AM: Ignored memory-resident threat: trojan-downloader-aux 12:39 PM: The Spy Communication shield has blocked access to: www.mt-download.com 12:39 PM: The Spy Communication shield has blocked access to: www.mt-download.com 12:39 PM: ActiveX Shield: found: Adware: coolwebsearch (cws), version 1.0.0.0 -- Installation denied 12:39 PM: BHO Shield: found: -- BHO installation denied at user request 12:39 PM: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution Denied 12:39 PM: | End of Session, Sunday, April 23, 2006 | ******** 8:45 AM: | Start of Session, Sunday, April 23, 2006 | 8:45 AM: Spy Sweeper started 8:45 AM: Sweep initiated using definitions version 663 8:45 AM: Starting Memory Sweep 8:46 AM: The Spy Communication shield has blocked access to: download15.spywarequake.com 8:46 AM: The Spy Communication shield has blocked access to: download15.spywarequake.com 8:46 AM: BHO Shield: found: hp722B.tmp-- BHO installation denied at user request 8:46 AM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\1024\LD5BF4.TMP -- IE Security modification denied 8:53 AM: Sweep Canceled 8:53 AM: Memory Sweep Complete, Elapsed Time: 00:08:19 8:53 
AM: Traces Found: 0 8:54 AM: Processing Internet Explorer Favorites Alerts 8:54 AM: Removed IE Favorite: Antivirus Test Online 8:54 AM: Processing Startup Alerts 8:54 AM: Allowed Startup entry: *Restore ******** 8:45 AM: | Start of Session, Sunday, April 23, 2006 | 8:45 AM: Spy Sweeper started 8:45 AM: Sweep initiated using definitions version 663 8:45 AM: Found Trojan Horse: trojan-downloader-zlob 8:45 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561) 8:45 AM: dfrgsrv.exe (ID = 1052561) 8:45 AM: Starting Memory Sweep 8:45 AM: Sweep Canceled 8:45 AM: Memory Sweep Complete, Elapsed Time: 00:00:05 8:45 AM: Traces Found: 2 8:45 AM: Removal process initiated 8:45 AM: Quarantining All Traces: trojan-downloader-zlob 8:45 AM: Removal process completed. Elapsed time 00:00:00 8:45 AM: | End of Session, Sunday, April 23, 2006 | ******** 8:44 AM: | Start of Session, Sunday, April 23, 2006 | 8:44 AM: Spy Sweeper started 8:44 AM: Sweep initiated using definitions version 663 8:44 AM: Found Trojan Horse: trojan-downloader-zlob 8:44 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561) 8:44 AM: dfrgsrv.exe (ID = 1052561) 8:44 AM: Found Adware: coolwebsearch (cws) 8:44 AM: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\inprocserver32\ (2 subtraces) (ID = 1183061) 8:44 AM: winres.dll (ID = 1183061) 8:44 AM: Starting Memory Sweep 8:44 AM: Sweep Canceled 8:44 AM: Memory Sweep Complete, Elapsed Time: 00:00:36 8:44 AM: Traces Found: 6 8:44 AM: Removal process initiated 8:44 AM: Quarantining All Traces: trojan-downloader-zlob 8:44 AM: Quarantining All Traces: coolwebsearch (cws) 8:45 AM: Removal process completed. Elapsed time 00:00:05 8:45 AM: | End of Session, Sunday, April 23, 2006 |

#4 Cory Cunningham
New Member, 6 posts

Posted 29 April 2006 - 03:47 PM

Here's the rest of the log. If you need anything else, let me know. Stupidly, I already deleted Ewido, Spybot, and the other programs from my computer, figuring that I wouldn't need them anymore because I had gotten rid of everything, so I can't give you the logs from them.

********
7:29 PM: | Start of Session, Monday, April 24, 2006 |
7:29 PM: Spy Sweeper started
7:29 PM: Sweep initiated using definitions version 663
7:29 PM: Starting Memory Sweep
7:33 PM: Found Adware: purityscan
7:33 PM: Detected running threat: C:\Documents and Settings\Cory\My Documents\??stem32\msdtc.exe (ID = 230)
7:33 PM: Memory Sweep Complete, Elapsed Time: 00:03:53
7:33 PM: Starting Registry Sweep
7:33 PM: Found Adware: coolwebsearch (cws)
7:33 PM: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 107171)
7:33 PM: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 108560)
7:33 PM: HKLM\software\classes\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 109797)
7:33 PM: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
7:33 PM: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
7:33 PM: HKCR\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 112503)
7:33 PM: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
7:33 PM: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
7:33 PM: HKLM\software\clickspring\ (2 subtraces) (ID = 137699)
7:34 PM: Found Adware: security2k hijacker
7:34 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573)
7:34 PM: Found Trojan Horse: trojan agent winlogonhook
7:34 PM: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
7:34 PM: Registry Sweep Complete, Elapsed Time:00:00:21
7:34 PM: Starting Cookie Sweep
7:34 PM: Found Spy Cookie: 2o7.net cookie
7:34 PM: cory@112.2o7[1].txt (ID = 1958)
7:34 PM: cory@2o7[2].txt (ID = 1957)
7:34 PM: Found Spy Cookie: yieldmanager cookie
7:34 PM: cory@ad.yieldmanager[2].txt (ID = 3751)
7:34 PM: Found Spy Cookie: adknowledge cookie
7:34 PM: cory@adknowledge[2].txt (ID = 2072)
7:34 PM: Found Spy Cookie: specificclick.com cookie
7:34 PM: cory@adopt.specificclick[2].txt (ID = 3400)
7:34 PM: Found Spy Cookie: adtech cookie
7:34 PM: cory@adtech[2].txt (ID = 2155)
7:34 PM: Found Spy Cookie: advertising cookie
7:34 PM: cory@advertising[1].txt (ID = 2175)
7:34 PM: Found Spy Cookie: falkag cookie
7:34 PM: cory@as-us.falkag[2].txt (ID = 2650)
7:34 PM: Found Spy Cookie: ask cookie
7:34 PM: cory@ask[1].txt (ID = 2245)
7:34 PM: Found Spy Cookie: atlas dmt cookie
7:34 PM: cory@atdmt[1].txt (ID = 2253)
7:34 PM: Found Spy Cookie: burstnet cookie
7:34 PM: cory@burstnet[1].txt (ID = 2336)
7:34 PM: Found Spy Cookie: casalemedia cookie
7:34 PM: cory@casalemedia[1].txt (ID = 2354)
7:34 PM: Found Spy Cookie: excite cookie
7:34 PM: cory@excite[2].txt (ID = 2631)
7:34 PM: Found Spy Cookie: fastclick cookie
7:34 PM: cory@fastclick[1].txt (ID = 2651)
7:34 PM: Found Spy Cookie: hotlog cookie
7:34 PM: cory@hotlog[1].txt (ID = 2801)
7:34 PM: Found Spy Cookie: linksynergy cookie
7:34 PM: cory@linksynergy[1].txt (ID = 2926)
7:34 PM: Found Spy Cookie: maxserving cookie
7:34 PM: cory@maxserving[2].txt (ID = 2966)
7:34 PM: cory@media.fastclick[2].txt (ID = 2652)
7:34 PM: Found Spy Cookie: mediaplex cookie
7:34 PM: cory@mediaplex[1].txt (ID = 6442)
7:34 PM: Found Spy Cookie: nextag cookie
7:34 PM: cory@nextag[1].txt (ID = 5014)
7:34 PM: Found Spy Cookie: overture cookie
7:34 PM: cory@overture[2].txt (ID = 3105)
7:34 PM: Found Spy Cookie: questionmarket cookie
7:34 PM: cory@questionmarket[1].txt (ID = 3217)
7:34 PM: Found Spy Cookie: realmedia cookie
7:34 PM: cory@realmedia[1].txt (ID = 3235)
7:34 PM: Found Spy Cookie: server.iad.liveperson cookie
7:34 PM: cory@server.iad.liveperson[2].txt (ID = 3341)
7:34 PM: Found Spy Cookie: spylog cookie
7:34 PM: cory@spylog[2].txt (ID = 3415)
7:34 PM: Found Spy Cookie: webtrendslive cookie
7:34 PM: cory@statse.webtrendslive[1].txt (ID = 3667)
7:34 PM: Found Spy Cookie: tribalfusion cookie
7:34 PM: cory@tribalfusion[2].txt (ID = 3589)
7:34 PM: Found Spy Cookie: tripod cookie
7:34 PM: cory@tripod[1].txt (ID = 3591)
7:34 PM: Found Spy Cookie: burstbeacon cookie
7:34 PM: cory@www.burstbeacon[2].txt (ID = 2335)
7:34 PM: Found Spy Cookie: zedo cookie
7:34 PM: cory@zedo[1].txt (ID = 3762)
7:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:23
7:34 PM: Starting File Sweep
7:36 PM: Found Trojan Horse: trojan-downloader-errlook
7:36 PM: win11.tmp.exe (ID = 283245)
7:43 PM: Sweep Canceled
7:43 PM: File Sweep Complete, Elapsed Time: 00:08:38
7:43 PM: Traces Found: 114
7:43 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:43 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:43 PM: Removal process initiated
7:43 PM: Quarantining All Traces: security2k hijacker
7:43 PM: Quarantining All Traces: trojan agent winlogonhook
7:43 PM: Quarantining All Traces: trojan-downloader-errlook
7:43 PM: Quarantining All Traces: 2o7.net cookie
7:43 PM: Quarantining All Traces: adknowledge cookie
7:43 PM: Quarantining All Traces: adtech cookie
7:43 PM: Quarantining All Traces: advertising cookie
7:43 PM: Quarantining All Traces: ask cookie
7:43 PM: Quarantining All Traces: atlas dmt cookie
7:43 PM: Quarantining All Traces: burstbeacon cookie
7:43 PM: Quarantining All Traces: burstnet cookie
7:43 PM: Quarantining All Traces: casalemedia cookie
7:43 PM: Quarantining All Traces: excite cookie
7:43 PM: Quarantining All Traces: falkag cookie
7:43 PM: Quarantining All Traces: fastclick cookie
7:43 PM: Quarantining All Traces: hotlog cookie
7:43 PM: Quarantining All Traces: linksynergy cookie
7:43 PM: Quarantining All Traces: maxserving cookie
7:43 PM: Quarantining All Traces: mediaplex cookie
7:43 PM: Quarantining All Traces: nextag cookie
7:43 PM: Quarantining All Traces: overture cookie
7:43 PM: Quarantining All Traces: questionmarket cookie
7:43 PM: Quarantining All Traces: realmedia cookie
7:43 PM: Quarantining All Traces: server.iad.liveperson cookie
7:43 PM: Quarantining All Traces: specificclick.com cookie
7:43 PM: Quarantining All Traces: spylog cookie
7:43 PM: Quarantining All Traces: tribalfusion cookie
7:43 PM: Quarantining All Traces: tripod cookie
7:43 PM: Quarantining All Traces: webtrendslive cookie
7:43 PM: Quarantining All Traces: yieldmanager cookie
7:43 PM: Quarantining All Traces: zedo cookie
7:43 PM: Quarantining All Traces: purityscan
7:43 PM: Quarantining All Traces: coolwebsearch (cws)
7:43 PM: Removal process completed. Elapsed time 00:00:08
8:19 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0
8:19 PM: Ignored memory-resident threat: trojan-downloader-aux
9:14 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0
9:14 PM: Ignored memory-resident threat: trojan-downloader-aux
3:15 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-aux, version 1.0.0.0
3:15 PM: Ignored memory-resident threat: trojan-downloader-aux
8:04 PM: Your spyware definitions have been updated.
8:23 PM: Processing Startup Alerts
8:23 PM: Allowed Startup entry: Windows Defender
8:06 PM: Your spyware definitions have been updated.
8:48 PM: Processing Internet Explorer Favorites Alerts
8:48 PM: Allowed IE Favorite: AudioVideoSoft.com - Collection of only the best audio converters, rippers, editors, recorders, burners, text to speed solutions, video encoders, decoders, DVD rippers, DVD burners, etc.
8:48 PM: Processing Startup Alerts
8:48 PM: Allowed Startup entry: CakeManiaGESetup.exe
8:48 PM: Processing Startup Alerts
8:48 PM: Allowed Startup entry: GrpConv
9:50 PM: IE Security Shield: found: C:\PROGRAM FILES\GAMES\CAKE MANIA\CAKEMANIA.EXE -- IE Security modification denied
11:36 PM: Processing Startup Alerts
11:36 PM: Allowed Startup entry: MSConfig
11:44 PM: Processing Startup Alerts
11:44 PM: Allowed Startup entry: CyberPatrolNew
11:44 PM: Processing Startup Alerts
11:44 PM: Allowed Startup entry: MSConfig
********

#5 Cory Cunningham

Cory Cunningham

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 29 April 2006 - 03:55 PM

Here's my SmitRem log as well, if this helps you out at all.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export (GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
1024 dir
ncompat.tlb
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1344 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix (GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
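The export above lists, both before and after SmitRem's registry repair, a third SharedTaskScheduler entry ("SivuWare") alongside the two stock browseui.dll entries. Anything in that key is loaded into explorer.exe every time the shell starts, and this one is registered only under HKEY_CURRENT_USER, where a per-user CLSID registration shadows the machine-wide one for that user. The following is an added example, not part of SmitRem, GetSTS or the original post: it parses an export in this pseudo-reg format (the sample is constructed from the one posted) and flags entries that are not in an assumed baseline of the two XP defaults or whose COM server is registered per-user.

```python
"""Audit a GetSTS.exe SharedTaskScheduler export.

Added example; not SmitRem/GetSTS code and not from the original post.
SAMPLE_EXPORT is constructed from the export in the post; EXPECTED is an
assumed baseline (the two browseui.dll entries a stock XP install carries).
"""
import re

SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"
"""

# Assumed baseline: CLSID -> DLL that should serve it on a stock XP machine.
EXPECTED = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "browseui.dll",
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}": "browseui.dll",
}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
DEFAULT_RE = re.compile(r'^@="(?P<data>.*)"$')
CLSID_KEY_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\SOFTWARE\\Classes\\CLSID\\(?P<clsid>\{[^}]+\})\\InProcServer32$",
    re.I,
)


def parse_export(text):
    """Return (entries, servers): STS display name per CLSID, and (hive, dll path) per CLSID."""
    entries, servers, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            continue
        if current is None:
            continue
        if current.upper().endswith("\\EXPLORER\\SHAREDTASKSCHEDULER"):
            v = VALUE_RE.match(line)
            if v:
                entries[v.group("name").upper()] = v.group("data")
        else:
            c = CLSID_KEY_RE.match(current)
            d = DEFAULT_RE.match(line)
            if c and d:
                servers[c.group("clsid").upper()] = (c.group("hive").upper(), d.group("data"))
    return entries, servers


def audit(text, expected=EXPECTED):
    """One finding per STS entry that is off-baseline or whose server is registered per-user."""
    entries, servers = parse_export(text)
    expected = {k.upper(): v.lower() for k, v in expected.items()}
    findings = []
    for clsid, name in entries.items():
        hive, path = servers.get(clsid, ("<unregistered>", ""))
        dll = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if clsid not in expected:
            reasons.append("CLSID is not in the expected baseline")
        elif dll != expected[clsid]:
            reasons.append("expected %s, server is %s" % (expected[clsid], dll or "<none>"))
        if hive == "HKEY_CURRENT_USER":
            # Per-user Classes registration: shadows HKLM for this user and survives
            # fixes that only look at the machine hive.
            reasons.append("COM server registered per-user under HKCU, not machine-wide")
        if reasons:
            findings.append({"clsid": clsid, "name": name, "hive": hive, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print("%s (%s) -> %s %s" % (f["clsid"], f["name"], f["hive"], f["path"]))
        for r in f["reasons"]:
            print("   -", r)
```

Run against the posted export it reports only the SivuWare entry, for both reasons. The practical point is the second one: a cleanup that only walks HKLM\SOFTWARE\Classes will never see the HKCU registration, which is consistent with the entry still being present in the "after registry fix" export.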

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 April 2006 - 04:18 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Run HijackThis. Hit "None of the above", click "Do a System Scan Only". Put a check in the box on the left side of these:

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.bat,

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [ifacxqj] C:\WINDOWS\System32\oadsqh.exe

O4 - HKLM\..\Run: [COM Services] msc0nfig.bat

O4 - Startup: PowerReg Scheduler V3.exe

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...lla/ext360.html

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE6.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123

O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildt...uncherSetup.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these files if listed:
msc0nfig.bat (I'm guessing it will be C:\WINDOWS\msc0nfig.bat; if not, you'll need to search for it)
C:\WINDOWS\System32\oadsqh.exe



Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
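The fix list above is built from a few recognisable patterns in the HijackThis log: a UserInit line that chains a second program after userinit.exe, a Run entry launching that same .bat, a randomly named executable in System32, a raw IP address in the Trusted zone, ActiveX packages pulled from a bare IP, and entries whose target file no longer exists. As an added example that is not part of the original post or of HijackThis, the following script encodes those checks and runs them over a constructed sample made from the entries quoted in the thread. The O16 URLs on the page are truncated, so the hosts and paths in the sample (a TEST-NET address and example.com) are made up purely to exercise the raw-IP rule; the "random name" test is an assumed heuristic and is reported at "review" rather than "fix" severity.

```python
"""Heuristics behind the HijackThis fix list.

Added example; not part of the original thread and not HijackThis code.
Sample lines are constructed from entries quoted in the post; the O16 hosts
and paths are invented (TEST-NET / example.com) because the page truncates them.
"""
import re
from ipaddress import ip_address

SAMPLE_LOG = r"""
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.bat,
O4 - HKLM\..\Run: [ifacxqj] C:\WINDOWS\System32\oadsqh.exe
O4 - HKLM\..\Run: [COM Services] msc0nfig.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://203.0.113.10/tzip/RdxIE6.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://example.com/validate.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
URL_RE = re.compile(r"https?://(?P<host>[^/\s:]+)")


def _basename(cmd):
    """File name of the first token of a command line (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        token = cmd[1:].split('"', 1)[0]
    else:
        token = cmd.split()[0] if cmd else ""
    return token.rsplit("\\", 1)[-1]


def _is_ipv4(host):
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def _looks_random(filename):
    # Assumed heuristic: short all-letter stem with four consonants in a row.
    stem = filename.lower().rsplit(".", 1)[0]
    return bool(re.fullmatch(r"[a-z]{5,8}", stem)) and re.search(r"[^aeiou]{4}", stem) is not None


def userinit_extras(lines):
    """Programs chained after userinit.exe in the F2 UserInit entry (lower-cased)."""
    extras = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m and m.group("kind") == "F2" and "UserInit=" in m.group("body"):
            for part in m.group("body").split("UserInit=", 1)[1].split(","):
                part = part.strip()
                if part and not part.lower().endswith("userinit.exe"):
                    extras.append(part.lower())
    return extras


def check_entry(line, extras=()):
    """Return (severity, kind, reason) for a suspicious entry, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if "(file missing)" in body:
        return ("fix", kind, "orphaned entry: target file is missing")
    if kind == "F2" and "UserInit=" in body:
        chained = userinit_extras([line.strip()])
        return ("fix", kind, "UserInit chains extra program(s): " + ", ".join(chained)) if chained else None
    if kind == "O4":
        o4 = O4_RE.search(body)
        if o4:
            name = _basename(o4.group("cmd"))
            if name.lower() in extras:   # cross-check against the UserInit chain
                return ("fix", kind, "same file is also chained through UserInit: " + name)
            if name.lower().endswith(".bat"):
                return ("fix", kind, "batch file launched from a Run key: " + name)
            if "system32" in o4.group("cmd").lower() and _looks_random(name):
                return ("review", kind, "random-looking executable name in System32: " + name)
        return None
    if kind == "O15" and body.startswith("Trusted IP range:"):
        return ("fix", kind, "raw IP address added to the Trusted zone")
    if kind == "O16":
        url = URL_RE.search(body)
        if url and _is_ipv4(url.group("host")):
            return ("fix", kind, "ActiveX package served from a raw IP: " + url.group("host"))
    return None


def analyze(log_text):
    """All findings for a log, as (severity, kind, reason, line) tuples in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    extras = userinit_extras(lines)
    return [hit + (line,) for line in lines for hit in [check_entry(line, extras)] if hit]


if __name__ == "__main__":
    for severity, kind, reason, line in analyze(SAMPLE_LOG):
        print("[%-6s] %s: %s\n         %s" % (severity, kind, reason, line))
```

The UserInit cross-check is the part worth keeping: a file that appears both in the F2 chain and in a Run key is launched twice per logon, and the log above shows exactly that for msc0nfig.bat. The benign ccApp and example.com lines produce no finding, and the "review" line for oadsqh.exe is the one a human still has to confirm by name and publisher.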

 


#7 Cory Cunningham

Cory Cunningham

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 29 April 2006 - 04:45 PM

I did everything you said - thanks again for your help. My computer is behaving completely normally, as it did before I was infected with anything. On the whole, I find Spy Sweeper to be pretty effective in removing spyware from the computer, although it apparently failed this time. One quick point of note - "ICQ Toolbar", while now gone from the toolbar options in Internet Explorer, is still appearing in Add & Remove Programs and refuses to leave even when I click on it. Any ideas?

Also, neither msc0nfig.bat nor oadsqh.exe appeared in the folders you mentioned or when I searched for them in Windows.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:21 PM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SurfControl\CyberPatrol\cphq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\SurfControl\CyberPatrol\cpACtrl.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SurfControl\CyberPatrol\cpCCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SurfControl\CyberPatrol\cpkbinst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Cory\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CyberPatrolNew] "C:\Program Files\SurfControl\CyberPatrol\cphq.exe" /m
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Documents and Settings\Cory\Desktop\icq\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: GO Messenger - {16E505F2-96ED-11D3-B986-00A0C99FB02A} - C:\Documents and Settings\Cory\Desktop\Sean's Folder\aim\dismsgr.exe (file missing)
O9 - Extra 'Tools' menuitem: GO Messenger - {16E505F2-96ED-11D3-B986-00A0C99FB02A} - C:\Documents and Settings\Cory\Desktop\Sean's Folder\aim\dismsgr.exe (file missing)
O9 - Extra button: @C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll (file missing)
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Documents and Settings\Cory\Desktop\messenger\Messenger2\im2_ie_plugin.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveu...ntrols/cres.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - https://chat.microso...ects/emagic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.c.../printQuick.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v43/yacscom.cab
O16 - DPF: {31150A86-0BBA-409F-BEB4-F3922D10BF34} (Gif89 Class) - http://www.absoluter...e.com/xplug.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v10/ticker.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comn...iveSecurity.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave...gwebinstall.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/Installer.exe
O16 - DPF: {C8A88E8D-9D33-4F01-80EC-E558545C0A9E} (Detector Class) - http://www.optimumon...s/xdetector.cab
O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} - http://www.starwood....bar/install.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://01.sharedsour...D_1.0.0.3ie.cab?
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra....svh/svideo3.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave...ic/CMonline.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

Edited by Cory Cunningham, 29 April 2006 - 04:51 PM.


#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 April 2006 - 04:55 PM

Look for a ICQ folder and see if there's a uninstall in there.



#9 Cory Cunningham

Cory Cunningham

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 29 April 2006 - 04:59 PM

I checked - nothing for ICQ, and I know that it's not the real thing. If it were, there wouldn't have been two spaces between ICQ and Toolbar, and it would have the symbol of a flower for the icon in the Add/Remove Programs list - not a generic Windows software symbol. Otherwise, how does my computer look?

Edited by Cory Cunningham, 29 April 2006 - 04:59 PM.


#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 April 2006 - 05:07 PM

Good Job :thumbup:

Log looks good :D :thumbup: How is it running, any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you don't have these programs, I would recommend that you get them: SpywareBlaster, SpywareGuard. They will add 1000's of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

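SpywareBlaster's "restricted zone" protection mentioned above is plain registry data: a subkey per domain under IE's ZoneMap with the value "*" set to zone 4 (Restricted Sites), and, for ActiveX, the "kill bit" (Compatibility Flags 0x400) under ActiveX Compatibility so IE refuses to instantiate that CLSID. As an added example that is neither SpywareBlaster's code nor part of the original post, the script below writes a small .reg fragment in that format. The inputs are constructed for illustration from names already in this thread (the host Spy Sweeper's shield blocked, and two CLSIDs from the O16 entries in the fix list); using them here says nothing about those CLSIDs beyond their appearance in the log. One caveat a practitioner should keep in mind: this only changes how IE treats content from those hosts and controls. It does nothing against code that is already running, such as the UserInit chain fixed earlier in the thread.

```python
"""Emit a .reg fragment that puts hosts in IE's Restricted Sites zone and kill-bits CLSIDs.

Added example; not SpywareBlaster's code and not from the original post.
Registry locations and flag values are the documented ones; HOSTS/CLSIDS are a
constructed sample taken from names that appear in the thread.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
# Per-user zone map: one subkey per registrable domain, optional subkey per host prefix.
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
# Machine-wide ActiveX compatibility flags; 0x400 is the kill bit.
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
RESTRICTED_SITES = 4
KILL_BIT = 0x400

HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed sample input (names from the thread, used only to show the format).
HOSTS = ["campaigns.outerinfo.com", "outerinfo.com"]
CLSIDS = ["{56336BCB-3D8A-11D6-A00B-0050DA18DE71}", "{74CD40EA-EF77-4BAD-808A-B5982DA73F20}"]


def zone_key(host):
    """Registry key for a bare hostname under the ZoneMap Domains key."""
    host = host.strip().lower().rstrip(".")
    if not HOST_RE.match(host):
        raise ValueError("not a bare hostname (no scheme, path or wildcard): %r" % host)
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels; public-suffix
    # cases such as co.uk are out of scope for this example.
    key = ZONEMAP + "\\" + ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return key


def build_reg(hosts, clsids):
    """Return the .reg body (CRLF line endings, as regedit writes them)."""
    out = [REG_HEADER, ""]
    for host in hosts:
        # "*" applies the zone to every scheme for that host.
        out += ["[%s]" % zone_key(host), '"*"=dword:%08x' % RESTRICTED_SITES, ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError("bad CLSID: %r" % clsid)
        out += ["[%s\\%s]" % (ACTIVEX_COMPAT, clsid.upper()),
                '"Compatibility Flags"=dword:%08x' % KILL_BIT, ""]
    return "\r\n".join(out)


if __name__ == "__main__":
    print(build_reg(HOSTS, CLSIDS))
```

The output can be saved as a .reg file and imported with regedit; the zone entries are per-user (HKCU), so they must be applied in each profile, while the kill bits are machine-wide and need administrative rights.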


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 May 2006 - 04:20 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

