
Hjt Log - Flat_picker


  • This topic is locked
11 replies to this topic

#1 flat_picker

flat_picker

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 25 October 2005 - 05:35 PM

Spyware Wizards,

The attached HJT log is from my machine that has been "cleaned" with the latest versions of Spybot S&D and Adaware SE but before reboot. These great products find many spyware malware instances on my system and "clean" them. However, even after running scans that come up clean, the PC is still attempting to access the internet. If it is connected to the internet, mega popups flood the system. Following reboot the evilwares are back, as indicated when running Spybot and Adaware again. The system will barely run and it's taking over an hour to accomplish the Spybot and Adaware semi-cleaning process each time the system is rebooted. Any help you can provide in banishing these demons would be greatly appreciated. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 10:36:22 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGVyZWsA\command.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\uxwpacq.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\vmivvzz.exe
C:\WINDOWS\system\jsiwnpfq.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\System32\??anregw.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\Program Files\coss\swrr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Derek\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtheworld4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [478h39S] regrt4.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ksiyba] C:\WINDOWS\System32\apovlud.exe r
O4 - HKLM\..\Run: [vmivvzz] C:\WINDOWS\vmivvzz.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssglp4.exe reg_run
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Uqv] C:\WINDOWS\System32\??anregw.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [Tcoe] C:\Program Files\coss\swrr.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - AppInit_DLLs: repairs.dll,repairs302972949.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\absnw.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGVyZWsA\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\uxwpacq.exe
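As an added example (not code from the original post, from HijackThis or from SpySweeper), here is a small Python triage helper that parses the R0/R1, O2, O4, O20 and O23 line types seen in the log above and applies a few defender-side heuristics: non-printable characters in a binary path, directory names that are really base64 text, non-empty AppInit_DLLs, services with no recorded publisher, and IE search settings pointing at a host the owner does not recognise. The trusted-host list is an assumption for illustration, and the sample lines are a subset of the log in this post.

```python
"""Triage helper for HijackThis (HJT) v1.99-style log lines.

Added example; not code from the original post, from HijackThis or from
SpySweeper.  It parses the R0/R1, O2, O4, O20 and O23 line types that appear
in the log above and applies a few defender-side heuristics.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: hosts this machine's owner recognises as their own IE settings.
# The start page in the log is an ISP portal, so it goes on the list.
TRUSTED_SEARCH_HOSTS = {"home.bellsouth.net", "www.google.com", "www.msn.com"}

# Constructed sample: a subset of the HijackThis lines from the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtheworld4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ksiyba] C:\WINDOWS\System32\apovlud.exe r
O4 - HKCU\..\Run: [Uqv] C:\WINDOWS\System32\??anregw.exe
O20 - AppInit_DLLs: repairs.dll,repairs302972949.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGVyZWsA\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in an executable/library extension, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|cpl))"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_type: str  # HJT prefix such as "O4" or "O23"
    reason: str     # which heuristic fired
    line: str       # the offending log line, verbatim


def base64_text(token: str) -> Optional[str]:
    """Return the decoded text if a directory name is base64 for a plain word.

    Legitimate names such as System32 happen to be valid base64 too, so only
    decodings made of word characters (after stripping a trailing NUL) count.
    RGVyZWsA from the log above decodes to 'Derek'.
    """
    if len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{4,}=*", token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).rstrip(b"\x00")
    except ValueError:
        return None
    return decoded.decode("ascii") if re.fullmatch(rb"[A-Za-z0-9_]+", decoded) else None


def path_findings(line_type: str, body: str, line: str) -> list:
    """Heuristics that apply to any line carrying an on-disk path."""
    out = []
    m = PATH_RE.search(body)
    if not m:
        return out
    path = m.group(1)
    if "?" in path:  # HJT prints '?' for characters it cannot render
        out.append(Finding(line_type, "non-printable characters in path", line))
    for directory in path.split("\\")[1:-1]:  # skip drive letter and file name
        word = base64_text(directory)
        if word:
            out.append(Finding(line_type, f"directory {directory!r} is base64 for {word!r}", line))
    return out


def triage(log_text: str) -> list:
    """Parse HJT log lines and return every heuristic hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        line_type, body = m.group("type"), m.group("body")
        findings.extend(path_findings(line_type, body, line))
        if line_type in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(line_type, f"IE search/start setting points at {host}", line))
        elif line_type == "O20" and body.startswith("AppInit_DLLs:"):
            if any(d.strip() for d in body.split(":", 1)[1].split(",")):
                findings.append(Finding(line_type, "AppInit_DLLs loads DLLs into every process using user32.dll", line))
        elif line_type == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(line_type, "service binary has no recorded publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.line_type}] {f.reason}\n    {f.line}")
```

Run against the full log above, the same heuristics also surface the base64 directory behind the cmdService entry and every R0/R1 line that points at the drsnsrch.com search hijack; entries they do not flag still need the usual manual review.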


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:38 PM

Posted 25 October 2005 - 05:53 PM

Hello,

This is a nasty log with some nasty infections, so we can't deal with this all at once.

It is really important that you follow all the steps I am giving you, because there is a reason for this.

Please uninstall the following programs via Software > add/remove:

Windows Overlay Components
Surfside Kick
Freeprod Toolbar
VBouncer

Reboot afterwards.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window, save it in Notepad and place it on your desktop.
  • Click the Summary tab and click Finish.
  • REBOOT (Really important!!)
  • Paste the contents of the session log you copied into your next reply together with a new hijackthislog.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 flat_picker

flat_picker
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 30 October 2005 - 10:48 PM


#4 flat_picker

flat_picker
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 30 October 2005 - 10:59 PM

Sorry that I've been late to respond. Too many other duties and distractions.

I did do as instructed in previous response; however, could not find FreeProd Toolbar or VBouncer in the add/remove programs list. Ran SpySweeper and rebooted as instructed and have attached the log and a fresh HJT log for you to review. SpySweeper found much nastiness which hopefully it removed. Things appear to be better after running Spy Sweeper. A pretty nice product from what I can see. Give this a look and let me know if there is any hope. Thanks


********
8:54 PM: | Start of Session, Sunday, October 30, 2005 |
8:54 PM: Spy Sweeper started
8:54 PM: Sweep initiated using definitions version 564
8:54 PM: Starting Memory Sweep
8:54 PM: ActiveX Shield: found: Adware: surfsidekick, version 1.0.0.0 -- Installation denied
8:54 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:54 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:54 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:54 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:54 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:54 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:54 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:54 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:55 PM: Found Adware: clkoptimizer
8:55 PM: Detected running threat: C:\WINDOWS\system32\fsjsskg.dll (ID = 150806)
8:55 PM: Detected running threat: C:\WINDOWS\system32\ssglp4.exe (ID = 146393)
8:56 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 PM: Found Adware: cas
8:56 PM: Detected running threat: C:\Program Files\CMSystem\CMSystem.exe (ID = 154757)
8:56 PM: Found Adware: surfsidekick
8:56 PM: Detected running threat: C:\WINDOWS\system32\repairs302972949.dll (ID = 163735)
8:56 PM: Found Adware: icannnews
8:56 PM: Detected running threat: C:\WINDOWS\system32\absnw.dll (ID = 125214)
8:57 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 PM: Detected running threat: C:\WINDOWS\system32\lzadperf.dll (ID = 125214)
8:59 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 PM: Detected running threat: C:\Program Files\SurfSideKick 3\SskBho.dll (ID = 163865)
9:00 PM: Found Adware: isearch desktop search
9:00 PM: Detected running threat: C:\WINDOWS\RGVyZWsA\command.exe (ID = 144946)
9:00 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:00 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:00 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:00 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 PM: Detected running threat: C:\Program Files\SurfSideKick 3\SskCore.dll (ID = 163866)
9:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 PM: Memory Sweep Complete, Elapsed Time: 00:08:50
9:03 PM: Starting Registry Sweep
9:03 PM: Found Adware: apropos
9:03 PM: HKCR\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 103726)
9:03 PM: HKCR\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 103729)
9:03 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
9:03 PM: HKLM\software\classes\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 103764)
9:03 PM: HKLM\software\classes\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 103767)
9:03 PM: HKLM\software\classes\interface\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (5 subtraces) (ID = 103774)
9:03 PM: Found Adware: bookedspace
9:03 PM: HKLM\software\configuration manager\cfgmgr52\ (242 subtraces) (ID = 104873)
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || cfgmgr52 (ID = 104883)
9:03 PM: Found Adware: maxifiles
9:03 PM: HKCR\clsid\{11a4ca8c-a8b9-49c2-a6d3-3f64c9eebae6}\ (11 subtraces) (ID = 134838)
9:03 PM: HKCR\shorty.gopher\ (5 subtraces) (ID = 134839)
9:03 PM: HKCR\shorty.gopher.1\ (3 subtraces) (ID = 134840)
9:03 PM: HKLM\software\classes\clsid\{11a4ca8c-a8b9-49c2-a6d3-3f64c9eebae6}\ (11 subtraces) (ID = 134842)
9:03 PM: HKLM\software\classes\shorty.gopher\ (5 subtraces) (ID = 134843)
9:03 PM: HKLM\software\classes\shorty.gopher.1\clsid\ (1 subtraces) (ID = 134844)
9:03 PM: HKLM\software\classes\shorty.gopher.1\ (3 subtraces) (ID = 134845)
9:03 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143389)
9:03 PM: HKLM\software\classes\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143392)
9:03 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
9:03 PM: Found Trojan Horse: trojan-downloader-topinstalls
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || exp.exe (ID = 144814)
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || wintask driver (ID = 144815)
9:03 PM: Found Adware: drsnsrch hijacker
9:03 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
9:03 PM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
9:03 PM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
9:03 PM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
9:03 PM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
9:03 PM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
9:03 PM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
9:03 PM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
9:03 PM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
9:03 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
9:03 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
9:03 PM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
9:03 PM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
9:03 PM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
9:03 PM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
9:03 PM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
9:03 PM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
9:03 PM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
9:03 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
9:03 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
9:03 PM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
9:03 PM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
9:03 PM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
9:03 PM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
9:03 PM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
9:03 PM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
9:03 PM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
9:03 PM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
9:03 PM: HKCR\dsrch.band.1\ (3 subtraces) (ID = 512692)
9:03 PM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
9:03 PM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
9:03 PM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
9:03 PM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
9:03 PM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
9:03 PM: HKLM\software\classes\dsrch.band.1\ (3 subtraces) (ID = 513072)
9:03 PM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
9:03 PM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
9:03 PM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
9:03 PM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
9:03 PM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
9:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
9:03 PM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 646382)
9:03 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || dinst (ID = 705664)
9:03 PM: Found Adware: directrevenue-abetterinternet
9:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
9:03 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
9:03 PM: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
9:03 PM: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
9:03 PM: HKCR\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829241)
9:03 PM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
9:03 PM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
9:03 PM: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
9:03 PM: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
9:03 PM: HKLM\software\classes\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829302)
9:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (2 subtraces) (ID = 829305)
9:03 PM: HKLM\software\qstat\ || brr (ID = 877670)
9:03 PM: Found Adware: drsnsrch.com hijack
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\xbtb07618\ (1 subtraces) (ID = 134858)
9:03 PM: Found Trojan Horse: trojan-downloader-pacisoft
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\psof1\ (18 subtraces) (ID = 136530)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\surfsidekick3\ (2 subtraces) (ID = 143412)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\dsrch\ (11 subtraces) (ID = 509156)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\cmsystem\ (8 subtraces) (ID = 820421)
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\microsoft\windows\currentversion\run\ || cmsystem (ID = 820436)
9:03 PM: Found Adware: searchtheworld4you.com hiajck
9:03 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\software\microsoft\internet explorer\ || searchurl (ID = 831885)
9:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 PM: Registry Sweep Complete, Elapsed Time:00:00:39
9:03 PM: Starting Cookie Sweep
9:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:03 PM: Starting File Sweep
9:03 PM: c:\program files\aprps (10 subtraces) (ID = -2147481420)
9:03 PM: c:\program files\surfsidekick 3 (3 subtraces) (ID = -2147480186)
9:03 PM: c:\program files\cmsystem (6 subtraces) (ID = -2147471610)
9:03 PM: c:\windows\cfgmgr52 (76 subtraces) (ID = -2147479590)
9:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 PM: Found Adware: elitebar
9:03 PM: dc34.tmp1 (ID = 137430)
9:03 PM: wuauclt.dll (ID = 150833)
9:04 PM: Found Adware: virtualbouncer
9:04 PM: dc26.exe (ID = 107514)
9:04 PM: dc6.exe (ID = 121121)
9:04 PM: 131528_2860_3296_464_63.41.tmp1 (ID = 137430)
9:04 PM: dc38.tmp1 (ID = 137430)
9:04 PM: Found Adware: winad
9:04 PM: dc18.exe (ID = 121286)
9:04 PM: 131564_2368_876_3988_63.41.tmp1 (ID = 137430)
9:04 PM: Found Trojan Horse: trojan downloader matcash
9:04 PM: mc-110-12-0000079.exe (ID = 114256)
9:04 PM: rp63.tmp (ID = 166386)
9:04 PM: wmplayer.exe.tmp (ID = 71771)
9:04 PM: dc33.tmp1 (ID = 137430)
9:04 PM: repairs302972949.dll (ID = 163735)
9:04 PM: x.bmp (ID = 69314)
9:04 PM: 197496_576_1444_2312_63.41.tmp (ID = 137425)
9:04 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:04 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:04 PM: dc24.com (ID = 114110)
9:04 PM: eanja.dll (ID = 155302)
9:04 PM: vgactl.cpl (ID = 150831)
9:04 PM: ssk3_b5 seedcorn 4.exe (ID = 77679)
9:04 PM: Found Adware: shopathomeselect
9:04 PM: dc1.exe (ID = 107429)
9:05 PM: dc12.exe (ID = 52230)
9:05 PM: dc17.exe (ID = 132351)
9:05 PM: dc39.tmp1 (ID = 137430)
9:05 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
9:05 PM: dc16.dll (ID = 80729)
9:05 PM: rikn.execommon startup (ID = 146393)
9:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 PM: plugin.dll (ID = 154758)
9:05 PM: dc25.exe (ID = 71765)
9:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 PM: dmnbaro.exe (ID = 155879)
9:06 PM: 852596_3080_976_3048_63.41.tmp (ID = 137425)
9:06 PM: nsh_110.exe (ID = 93699)
9:06 PM: Found Trojan Horse: trojan-downloader-traf34
9:06 PM: dc14.exe (ID = 81005)
9:06 PM: autoit3.exe (ID = 119348)
9:06 PM: rikn.exe (ID = 146393)
9:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 PM: proxystub.dll (ID = 120164)
9:06 PM: aurareco.exe (ID = 135103)
9:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:07 PM: dc30.com (ID = 95127)
9:07 PM: Found Adware: isearch toolbar
9:07 PM: mte2odm6odoxng.exe (ID = 145831)
9:07 PM: 655962_1708_1996_3864_63.41.tmp (ID = 137425)
9:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:07 PM: dc21.dll (ID = 125214)
9:08 PM: ssk.exe (ID = 163864)
9:08 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SurfSideKick 3 (ID = 0)
9:08 PM: HKU\S-1-5-21-1220945662-113007714-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run || SurfSideKick 3 (ID = 0)
9:08 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:08 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:08 PM: Found Adware: windows afa internet enhancement
9:08 PM: qbuninstaller.exe (ID = 90525)
9:08 PM: dc28.exe (ID = 71761)
9:08 PM: appwrap[1].exe (ID = 114110)
9:08 PM: lzadperf.dll (ID = 125214)
9:08 PM: thin-155-1-x-x[1].exe (ID = 83566)
9:09 PM: thin-155-1-x-x.exe (ID = 83566)
9:09 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 PM: 131488_1496_1444_4004_63.41.tmp (ID = 137425)
9:09 PM: cmsystem.exe (ID = 154757)
9:09 PM: dc7.exe (ID = 179116)
9:09 PM: dc13.dll (ID = 180465)
9:09 PM: tmp333.exe (ID = 156523)
9:09 PM: 983700_1708_1996_1688_63.41.tmp (ID = 137425)
9:09 PM: cwebpage.dll (ID = 69301)
9:09 PM: dc35.tmp1 (ID = 137430)
9:09 PM: 65946_2672_1996_2944_63.41.tmp (ID = 137425)
9:09 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 PM: 2949776_3364_2116_3628_63.41.tmp1 (ID = 137430)
9:09 PM: 131252_1468_632_3940_63.41.tmp1 (ID = 137430)
9:09 PM: 65966_2408_1016_3384_63.41.tmp1 (ID = 137430)
9:09 PM: dc27.exe (ID = 82854)
9:09 PM: 1245844_1708_1996_1912_63.41.tmp (ID = 137425)
9:09 PM: sskcore.dll (ID = 163866)
9:09 PM: casstub.exe (ID = 52230)
9:09 PM: 328074_1708_1996_3316_63.41.tmp (ID = 137425)
9:09 PM: 459220_1708_1996_3668_63.41.tmp (ID = 137425)
9:09 PM: Found Adware: visfx
9:09 PM: 202_app13.exe (ID = 180416)
9:09 PM: atmtd.dll._ (ID = 166754)
9:09 PM: 66590_4088_1444_272_63.41.tmp (ID = 137425)
9:09 PM: 1114772_1708_1996_3968_63.41.tmp (ID = 137425)
9:09 PM: dc2.exe (ID = 115471)
9:09 PM: dc9.exe (ID = 95082)
9:10 PM: 66010_2860_2172_3332_63.41.tmp1 (ID = 137430)
9:10 PM: fsjsskg.dll (ID = 150806)
9:10 PM: dc20.exe (ID = 77678)
9:10 PM: 1114594_1708_1996_3048_63.41.tmp (ID = 137425)
9:10 PM: 524770_1708_1996_3472_63.41.tmp (ID = 137425)
9:10 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 PM: dc11.exe (ID = 93586)
9:10 PM: atmtd.dll (ID = 166754)
9:10 PM: dc37.tmp1 (ID = 137430)
9:10 PM: wingenerics.dll (ID = 50187)
9:10 PM: dc36.tmp1 (ID = 137430)
9:10 PM: 852596_3080_976_3048_63.41.tmp1 (ID = 137430)
9:10 PM: cxtpls.dll (ID = 120160)
9:10 PM: 262620_1600_2156_3620_63.41.tmp1 (ID = 137430)
9:10 PM: sskknwrd.dll (ID = 77733)
9:10 PM: dc32.tmp1 (ID = 137430)
9:10 PM: wkapu.dat (ID = 146393)
9:10 PM: dc22.exe (ID = 164842)
9:10 PM: 66010_2860_2172_3332_63.41.tmp (ID = 137425)
9:10 PM: dc23.exe (ID = 107491)
9:10 PM: sskbho.dll (ID = 163865)
9:10 PM: dc31.exe (ID = 133272)
9:10 PM: ssglp4.exe (ID = 146393)
9:10 PM: Found Adware: 180search assistant/zango
9:10 PM: res873.tmp (ID = 93785)
9:10 PM: 131252_1468_632_3940_63.41.tmp (ID = 137425)
9:10 PM: cxtpls.exe (ID = 120161)
9:10 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 PM: command.exe (ID = 144946)
9:11 PM: absnw.dll (ID = 125214)
9:11 PM: dc19.exe (ID = 71763)
9:11 PM: dc4.exe (ID = 115631)
9:11 PM: cfgmgr52.dll (ID = 51659)
9:11 PM: Found Trojan Horse: alwaysupdatednews
9:11 PM: aunps2.dll (ID = 49883)
9:11 PM: dc8.exe (ID = 90520)
9:11 PM: dc5.dll (ID = 115632)
9:11 PM: mc-110-12-0000079.exe (ID = 114256)
9:11 PM: mc-110-12-0000079.exe (ID = 114257)
9:11 PM: dc3.exe (ID = 51663)
9:11 PM: services32.exe (ID = 114260)
9:11 PM: services.exe (ID = 69312)
9:11 PM: temp.fre9ec (ID = 122356)
9:11 PM: 721498_2360_1996_3132_63.41.tmp (ID = 137425)
9:11 PM: 787002_2360_1996_1888_63.41.tmp (ID = 137425)
9:11 PM: 459468_2360_1996_652_63.41.tmp (ID = 137425)
9:11 PM: 66414_2360_1996_176_63.41.tmp (ID = 137425)
9:11 PM: 1049146_2360_1996_240_63.41.tmp (ID = 137425)
9:11 PM: 918194_2360_1996_3260_63.41.tmp (ID = 137425)
9:11 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:11 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:11 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:11 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:11 PM: dc29.exe (ID = 71765)
9:11 PM: sskcwrd.dll (ID = 77712)
9:11 PM: sf.txt (ID = 110126)
9:11 PM: rf.txt (ID = 110125)
9:11 PM: File Sweep Complete, Elapsed Time: 00:07:58
9:11 PM: Full Sweep has completed. Elapsed time 00:17:35
9:11 PM: Traces Found: 975
9:12 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 PM: Removal process initiated
9:15 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 PM: Quarantining All Traces: directrevenue-abetterinternet
9:15 PM: Quarantining All Traces: elitebar
9:15 PM: Quarantining All Traces: clkoptimizer
9:15 PM: clkoptimizer is in use. It will be removed on reboot.
9:15 PM: fsjsskg.dll is in use. It will be removed on reboot.
9:15 PM: ssglp4.exe is in use. It will be removed on reboot.
9:15 PM: Quarantining All Traces: visfx
9:15 PM: Quarantining All Traces: 180search assistant/zango
9:15 PM: Quarantining All Traces: alwaysupdatednews
9:15 PM: Quarantining All Traces: apropos
9:16 PM: Quarantining All Traces: bookedspace
9:16 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:16 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:16 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:16 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:16 PM: Quarantining All Traces: cas
9:16 PM: cas is in use. It will be removed on reboot.
9:16 PM: cmsystem.exe is in use. It will be removed on reboot.
9:16 PM: Quarantining All Traces: drsnsrch hijacker
9:16 PM: Quarantining All Traces: drsnsrch.com hijack
9:16 PM: Quarantining All Traces: icannnews
9:16 PM: icannnews is in use. It will be removed on reboot.
9:16 PM: lzadperf.dll is in use. It will be removed on reboot.
9:16 PM: absnw.dll is in use. It will be removed on reboot.
9:16 PM: C:\WINDOWS\system32\absnw.dll is in use. It will be removed on reboot.
9:16 PM: C:\WINDOWS\system32\lzadperf.dll is in use. It will be removed on reboot.
9:16 PM: Quarantining All Traces: isearch desktop search
9:16 PM: isearch desktop search is in use. It will be removed on reboot.
9:16 PM: command.exe is in use. It will be removed on reboot.
9:16 PM: Quarantining All Traces: isearch toolbar
9:16 PM: Quarantining All Traces: maxifiles
9:16 PM: Quarantining All Traces: searchtheworld4you.com hiajck
9:16 PM: Quarantining All Traces: shopathomeselect
9:16 PM: Quarantining All Traces: trojan downloader matcash
9:16 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars
9:16 PM: Quarantining All Traces: trojan-downloader-pacisoft
9:16 PM: Quarantining All Traces: trojan-downloader-topinstalls
9:16 PM: Quarantining All Traces: trojan-downloader-traf34
9:16 PM: Quarantining All Traces: virtualbouncer
9:16 PM: Quarantining All Traces: winad
9:16 PM: Quarantining All Traces: windows afa internet enhancement
9:17 PM: Warning: Timed out waiting for explorer.exe
9:17 PM: Warning: Timed out waiting for explorer.exe
9:17 PM: Warning: Timed out waiting for explorer.exe
9:17 PM: Warning: Quarantine process could not restart Explorer.
9:17 PM: ActiveX Shield: found: Adware: icannnews, version 1.0.0.0 -- Installation denied
9:17 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:18 PM: Quarantining All Traces: surfsidekick
9:18 PM: surfsidekick is in use. It will be removed on reboot.
9:18 PM: Quarantining All Traces: icannnews
9:18 PM: icannnews is in use. It will be removed on reboot.
9:18 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:18 PM: The Spy Communication shield has blocked access to: www.icannnews.com
9:18 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:18 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:18 PM: Preparing to restart your computer. Please wait...
9:18 PM: Removal process completed. Elapsed time 00:04:05
9:26 PM: Your definitions are up to date.
********
8:51 PM: | Start of Session, Sunday, October 30, 2005 |
8:51 PM: Spy Sweeper started
8:51 PM: Messenger service has been disabled.
8:52 PM: Updating spyware definitions
8:53 PM: Warning: TDefFileIO.CompressAndEncrypt: Converting to LZMA Exception: Out of memory
8:53 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:53 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:53 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:53 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:53 PM: Error: Out of memory.
8:53 PM: Updating spyware definitions
8:53 PM: Your spyware definitions have been updated.
8:53 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:53 PM: The Spy Communication shield has blocked access to: www.icannnews.com
8:53 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:53 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:53 PM: Deleted error log without sending: C:\Documents and Settings\Derek\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
8:54 PM: | End of Session, Sunday, October 30, 2005 |



Logfile of HijackThis v1.99.1
Scan saved at 9:31:44 PM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\??anregw.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Drivers and Software\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [478h39S] regrt4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Uqv] C:\WINDOWS\System32\??anregw.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\absnw.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGVyZWsA\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

#5 miekiemoes
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 31 October 2005 - 03:17 AM

Hi,

Things improved, but we're not done here yet.

First of all..
Please download NTrights.zip by freeatlast.
Save it on your desktop.
Unzip/extract it.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Open the NTrights-folder
Double click on the Debug.bat file to run it, follow any prompts it asks.

It will create a log.
If the log says:
"Granting SeDebugPrivilege to Administrators ... successful", you must be ok and things restored well.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [478h39S] regrt4.exe
O4 - HKCU\..\Run: [Uqv] C:\WINDOWS\System32\??anregw.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\absnw.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGVyZWsA\command.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, go to start > run and copy and paste next command in the field:

sc delete cmdService

Click OK.

Run another full scan with Spysweeper to get rid of this file:
??anregw.exe. Normally Spysweeper must be able to get it together with some other leftovers.
But before scanning again with spysweeper, I want you to enable something in its settings, because I'm sure you're dealing with the apropos rootkit here as well:

* Click Options (left side)
* Choose the tab 'Sweep Options' and also check Sweep for Rootkits !!Important Step!!

Then run the Spysweeperscan once again, save the spysweeperlog, reboot when prompted and post the log from spysweeper together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 flat_picker
  • Topic Starter
  • Members
  • 6 posts

Posted 31 October 2005 - 07:31 PM

Did as instructed on your last post and things seem to be much better. So far no random popups but I haven't launched IE yet. I'm doing another AV scan and hopefully it will come up OK. Thanks for all the help. What next?




********
5:22 PM: | Start of Session, Monday, October 31, 2005 |
5:22 PM: Spy Sweeper started
5:22 PM: Sweep initiated using definitions version 564
5:23 PM: Starting Memory Sweep
5:28 PM: Memory Sweep Complete, Elapsed Time: 00:05:22
5:28 PM: Starting Registry Sweep
5:29 PM: Registry Sweep Complete, Elapsed Time:00:00:32
5:29 PM: Starting Cookie Sweep
5:29 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:29 PM: Starting File Sweep
5:38 PM: File Sweep Complete, Elapsed Time: 00:09:45
5:38 PM: Full Sweep has completed. Elapsed time 00:15:59
5:38 PM: Traces Found: 0
********
5:15 PM: | Start of Session, Monday, October 31, 2005 |
5:15 PM: Spy Sweeper started


Logfile of HijackThis v1.99.1
Scan saved at 5:41:58 PM, on 10/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\coss\swrr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Drivers and Software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Tcoe] C:\Program Files\coss\swrr.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

#7 miekiemoes
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 31 October 2005 - 07:42 PM

Hello,

Please check and fix next line in Hijackthis again:

O4 - HKCU\..\Run: [Tcoe] C:\Program Files\coss\swrr.exe

Then delete next folder:

C:\Program Files\coss

Let me know if you are having any problems with deleting that folder.

Also, I see spysweeper didn't get rid of next file: C:\WINDOWS\System32\??anregw.exe

It's not present in your hijackthislog anymore, because I let you fix it in there but didn't let you manually delete it, because I was pretty sure spysweeper could get rid of it. But it seems that spysweeper didn't find any traces anymore.

That's why I need more info, because there's also a legit file called scanregw.exe and I don't want you to delete it..
For that I need more info about the filesize and date of the bad one.
So perform next:

Open notepad, copy and paste next content (bold) in it:

dir C:\WINDOWS\System32\??anregw.exe /a h > look.txt
start notepad look.txt


Save this as look.bat, choose to save as *all files and save it to your desktop.
This is how the batch must look after you created it: (screenshot not preserved)
Doubleclick on it and notepad will open with some text in it.
Copy and paste this in your next reply together with a new hijackthislog.
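The triage the helper does by hand in this post and in post #5 (dead entries, a service with no owner, random-looking Run values, and the ??anregw.exe name that imitates the legitimate scanregw.exe) can be scripted. The checker below is an added example, not code from the thread, HijackThis or Webroot: the sample lines are copied from the logs above, the KNOWN_GOOD allow-list is a hypothetical stub, and the heuristics are this editor's own.

```python
"""Triage heuristics for HijackThis (HJT) v1.99 log lines.

Added example for this thread, not code from the forum, HijackThis or Webroot.
It turns the checks the helper applied by eye into a small scanner: dead
entries, services without a publisher, random-looking names, file names HJT
could not render (shown as '?') that imitate a legitimate Windows file such as
scanregw.exe, and folder names that are really base64 text.
"""
import base64
import difflib
import re

# Constructed sample: lines copied from the thread's HJT logs plus benign
# entries (NeroCheck, WRNotifier, NVSvc) for contrast.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [478h39S] regrt4.exe",
    r"O4 - HKCU\..\Run: [Uqv] C:\WINDOWS\System32\??anregw.exe",
    r"O4 - HKCU\..\Run: [Tcoe] C:\Program Files\coss\swrr.exe",
    r"O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)",
    r"O20 - Winlogon Notify: URL - C:\WINDOWS\system32\absnw.dll (file missing)",
    r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGVyZWsA\command.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

# Hypothetical short allow-list for the look-alike check; a real one would
# cover the whole System32 inventory.
KNOWN_GOOD = ["scanregw.exe", "services.exe", "svchost.exe", "winlogon.exe"]

RUN_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|cpl))"?', re.I)

def looks_random(token):
    """Weak heuristic for generated names such as '478h39S', 'Uqv' or 'swrr':
    letters mixed with digits, or a very short token with (almost) no vowels.
    Readable names like 'NeroCheck' pass; treat hits as candidates only."""
    letters = sum(c.isalpha() for c in token)
    digits = sum(c.isdigit() for c in token)
    if letters and digits:
        return True
    vowels = sum(c in "aeiouyAEIOUY" for c in token)
    return letters == len(token) and (
        (len(token) <= 4 and vowels == 0) or (len(token) <= 3 and vowels <= 1))

def base64_folder(component):
    """ASCII letters a folder name decodes to when it is valid base64 (NUL
    padding stripped), e.g. 'RGVyZWsA' -> 'Derek'; '' when it is not."""
    try:
        raw = base64.b64decode(component, validate=True).rstrip(b"\x00")
    except ValueError:  # binascii.Error: bad alphabet or padding
        return ""
    text = raw.decode("ascii", errors="replace")
    return text if text.isalpha() else ""

def target_path(line):
    """Last Windows path on the line, or the bare command of a Run entry."""
    paths = PATH_RE.findall(line)
    if paths:
        return paths[-1]
    run = RUN_RE.match(line)
    return run.group("cmd").split()[0].strip('"') if run else ""

def triage(line):
    """Reasons a line deserves attention; an empty list means nothing fired."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("dead entry: target no longer exists")
    if "Unknown owner" in line:
        reasons.append("service without a publisher")
    run = RUN_RE.match(line)
    if run and looks_random(run.group("name")):
        reasons.append(f"random-looking Run value name {run.group('name')!r}")
    path = target_path(line)
    if not path:
        return reasons
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0].rstrip("0123456789")  # nvsvc32 -> nvsvc
    if "?" in base:
        # HJT prints characters outside the ANSI code page as '?'; check
        # whether the rest of the name imitates a known Windows file.
        twin = difflib.get_close_matches(base, KNOWN_GOOD, n=1, cutoff=0.75)
        reasons.append(f"undisplayable characters in file name {base!r}"
                       + (f", look-alike of {twin[0]}" if twin else ""))
    elif looks_random(stem):
        reasons.append(f"random-looking file name {base!r}")
    if run and "\\" not in path:
        reasons.append("bare file name: resolved through PATH search")
    for folder in path.split("\\")[1:-1]:
        decoded = base64_folder(folder)
        if decoded:
            reasons.append(f"folder {folder!r} is base64 for {decoded!r}")
    return reasons

def triage_log(lines):
    """Map every flagged line to its reasons; benign lines are left out."""
    return {line: why for line in lines if (why := triage(line))}
```

Hits are candidates for a person to confirm, which is exactly why the helper asks for the file's size and date before letting it be deleted.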

#8 flat_picker
  • Topic Starter
  • Members
  • 6 posts

Posted 31 October 2005 - 08:37 PM

Proceeded as instructed in last post. No problems with deleting coss folder. Below is output from look.bat and HJT log.



Volume in drive C has no label.
Volume Serial Number is E02D-248E

Directory of C:\WINDOWS\System32

08/08/2005 07:22 AM 401,408 ??anregw.exe
1 File(s) 401,408 bytes

Directory of C:\Documents and Settings\Derek\Desktop


Logfile of HijackThis v1.99.1
Scan saved at 7:31:42 PM, on 10/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Drivers and Software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

#9 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 01 November 2005 - 03:09 AM

hello,

I see a clean log. :thumbsup:

Now we just have to delete ??anregw.exe
For that, open your System32 folder
On top in the menu, click the 'Views' icon
select: Details
You'll see new tabs present at the top of the System32 folder
Click 'Date Modified'
If you click it, the files are sorted by date.
Now you have to search for a file that was modified 08/08/2005
The file name ends in ..anregw.exe
You won't find it with question marks in it.
The question marks will be replaced with letters.
It could be that the file is called scanregw.exe
In your case, there is no legit scanregw.exe present, only a bad one.
If you right-click it and select Properties > General tab
You'll see the date again: August 8, 2005, 07:22 AM
That's the bad one you need to delete.
Make sure you don't left-click that file or you'll activate it again and won't be able to delete it.

Let me know afterwards.
Also let me know how things are running now. :flowers:
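The post above locates the file by hand in Explorer: sort System32 by Date Modified, find the entry whose name ends in anregw.exe and whose timestamp is 08/08/2005 07:22 AM, and delete it without left-clicking it. The `??` that `dir` printed in look.bat's output is not part of the name: the console replaces characters it cannot render in the current code page with `?`, so the real file name starts with two non-displayable characters. The script below is an added example, not something posted in the thread, that performs the same check without opening the file. It assumes a Windows host with PowerShell 3.0 or later (for the `-File` switch on `Get-ChildItem`), which the XP SP1 machine in the thread would not have had; the suffix `anregw.exe` and the date come from the look.bat output above.

```powershell
# Added example (not from the thread). Lists candidate files in System32 by name
# suffix and modification date without executing them, then deletes after a prompt.
# Assumes PowerShell 3.0+ for Get-ChildItem -File.

$sys32 = Join-Path $env:WINDIR 'System32'

# look.bat's dir output rendered the first two characters as '??', so match only
# on the visible suffix and on the Date Modified the helper pointed to (08/08/2005).
$targetDate = (Get-Date -Year 2005 -Month 8 -Day 8).Date

$candidates = Get-ChildItem -LiteralPath $sys32 -Force -File |
    Where-Object {
        $_.Name -like '*anregw.exe' -and
        $_.LastWriteTime.Date -eq $targetDate
    }

foreach ($f in $candidates) {
    # Print every character of the name as a code point so the two unprintable
    # leading characters become visible instead of showing up as '?'.
    $codes = ($f.Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
    [pscustomobject]@{
        Name       = $f.Name
        CodePoints = $codes
        Bytes      = $f.Length      # thread's file was 401,408 bytes
        Modified   = $f.LastWriteTime
        FullPath   = $f.FullName
    } | Format-List
}

# Delete by literal path so the odd characters in the name are never treated as
# wildcards. -Confirm prompts before each removal; nothing here runs the file.
foreach ($f in $candidates) {
    Remove-Item -LiteralPath $f.FullName -Force -Confirm
}
```

Reading metadata with `Get-ChildItem` does not execute the file, unlike a double-click in Explorer, which is the risk the post warns about. If `Remove-Item` reports the file as in use, the process that has it open (visible under Task Manager or the HijackThis running-processes list) has to be ended first.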

#10 flat_picker

  • Topic Starter
  • Members
  • 6 posts

Posted 03 November 2005 - 09:59 PM

Completed tasks as instructed and all is well now. System is running fine with no nasty popups or other unsavory activity. Thanks for all the great advice and assistance. I purchased a retail copy of SpySweeper today since it seemed to be a good tool to fight and find spyware. Don't want to go through this again anytime soon. Thanks again for all the help.

#11 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 04 November 2005 - 03:32 AM

Hello,

Yes, Spy Sweeper is really worth the money, you won't regret it. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one may.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again! :flowers:

#12 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 10 November 2005 - 10:54 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.