
Conversion.cpvfeed And Ad.firstadsolution Infections


  • This topic is locked
8 replies to this topic

#1 lifelonglufc

  • Members
  • 21 posts

Posted 17 November 2005 - 03:43 PM

Recently, I've been getting popups from 64.192.130.141 which leads to conversion.cpvfeed and ad.firstadsolution and ad.yieldmanager. They just keep popping up left, right and centre and I've tried every program out there to get rid of 'em. And now this is my last hope before I throw my computer from the 12th floor!
Here's my HJT log, and please help me if you can. :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 20:40:02, on 17/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Tech\MagicBall\2.1\LWBWHEEL.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Bryan\LOCALS~1\Temp\Rar$EX00.844\HijackThis.exe
C:\Documents and Settings\Bryan\Desktop\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\MagicBall\2.1\LWBWHEEL.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122416277296
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8535340F-4E57-4039-9F4C-B213EB7E82A6}: NameServer = 159.134.237.6,159.134.248.17
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ktjol7131.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJ5YW4A\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


Hopefully someone can help me with this!
:flowers:


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 18 November 2005 - 05:18 AM

Hello,

First of all, extract your hijackthis.exe, because it's still packed and present in your temp folder. So make a permanent folder (for example C:\Hijackthis) and extract hijackthis.exe to that folder.
This is because HijackThis creates backups, and when it is still present in your temp folder, those backups could get lost.

Then go to Start > Run and copy and paste the next command in the field:

sc delete cmdService

Click OK.

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window, save it in Notepad and place it on your desktop.
  • Click the Summary tab and click Finish.
  • REBOOT (Really important!!)
  • Paste the contents of the session log you copied into your next reply, together with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored, so if you need help, post your problem in the forum.
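The two entries miekiemoes singles out from the log above (the O20 Winlogon Notify DLL ktjol7131.dll and the cmdService O23 entry she has the poster delete with `sc delete`) are exactly the kind of persistence lines an analyst checks first in a HijackThis log. The script below is an added example for this thread, not code from HijackThis, Spy Sweeper or BleepingComputer. It parses the O4, O20 and O23 lines and applies three heuristics of my own: a Winlogon Notify DLL with a random-looking name, a service with no vendor whose binary is missing, and a path component that is really Base64 text. The last check is verifiable against the log itself: the directory QnJ5YW4A in the cmdService path decodes to "Bryan" followed by a NUL byte, and Bryan is the profile name in the other paths of the same log. The sample input is six lines copied from the posted log; the severity labels and the thresholds in the heuristics are assumptions, not anything HijackThis itself reports.

```python
"""Triage the persistence entries in a HijackThis (HJT) 1.99 log.

Added example for this thread, not code from HijackThis or Spy Sweeper.
Parses the O4 (Run keys), O20 (Winlogon Notify) and O23 (services) lines
and applies a few heuristics an analyst normally applies by eye.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the log posted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [CHotkey] zHotkey.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O20 - Winlogon Notify: Shell Extensions - C:\\WINDOWS\\system32\\ktjol7131.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\QnJ5YW4A\\command.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass
class Finding:
    severity: str   # "high" or "review" (assumed labels, not HJT's)
    line: str       # the HJT line the finding is about
    reason: str


def decode_base64_dir(name: str) -> str | None:
    """Return the printable ASCII a path component Base64-decodes to, else None.

    Heuristic: QnJ5YW4A decodes to b"Bryan\\x00", i.e. the user name of the
    infected profile.  Trailing NULs are stripped before the printable check,
    and anything shorter than three characters is ignored as noise.
    """
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except (ValueError, binascii.Error):
        return None
    text = raw.rstrip(b"\x00")
    if len(text) < 3 or not all(32 <= b < 127 for b in text):
        return None
    return text.decode("ascii")


def random_looking(stem: str) -> bool:
    """Heuristic (assumed thresholds): >=3 digits and >=4 letters mixed in one name."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 4


def path_components(path: str) -> list[str]:
    return [p for p in path.replace("/", "\\").split("\\") if p]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O20_RE.match(line):
            # Winlogon Notify packages load into winlogon.exe at every logon.
            stem = path_components(m["path"])[-1].rsplit(".", 1)[0]
            if random_looking(stem):
                findings.append(Finding("high", line,
                    f"Winlogon Notify DLL with random-looking name {stem!r}"))
            else:
                findings.append(Finding("review", line, "non-default Winlogon Notify package"))
        elif m := O23_RE.match(line):
            path = m["path"]
            missing = path.endswith("(file missing)")
            path = path.removesuffix("(file missing)").strip()
            reasons = []
            if m["owner"].lower() == "unknown owner":
                reasons.append("no vendor information")
            if missing:
                reasons.append("binary missing but service still registered")
            for comp in path_components(path)[:-1]:   # directories only
                if decoded := decode_base64_dir(comp):
                    reasons.append(f"directory {comp!r} is Base64 for {decoded!r}")
            if reasons:
                sev = "high" if len(reasons) >= 2 else "review"
                findings.append(Finding(sev, line, "; ".join(reasons)))
        elif m := O4_RE.match(line):
            # A Run entry with no path at all is resolved by PATH search.
            if "\\" not in m["cmd"]:
                findings.append(Finding("review", line,
                    f"Run entry {m['cmd']!r} carries no directory"))
    return findings


def report(findings: list[Finding]) -> None:
    for f in sorted(findings, key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run against the sample, the two "high" findings are the ktjol7131.dll Winlogon Notify entry and the cmdService entry (no vendor, binary missing, Base64 directory), while the ewido and NVIDIA services produce nothing; the short name in parentheses on the O23 line, cmdService, is what `sc delete` takes as its argument. Spy Sweeper's own log further down in the thread labels the same two things "Adware: look2me" (the DLL) and "Adware: command" (the service), so the heuristics agree with the signature scanner on this machine.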

#3 lifelonglufc

  • Topic Starter
  • Members
  • 21 posts

Posted 18 November 2005 - 08:05 AM

Hi! Thanks for the quick reply, miekiemoes :thumbsup:

Okay, I've done everything you said (at least I think so) and these are my logs from Spy Sweeper and HJT:

********
12:12: | Start of Session, 18 November 2005 |
12:12: Spy Sweeper started
12:12: Sweep initiated using definitions version 574
12:12: Found Adware: look2me
12:12: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\shell extensions\ || dllname (ID = 129986)
12:12: ktjol7131.dll (ID = 129986)
12:12: Starting Memory Sweep
12:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:13: Found Adware: icannnews
12:13: Detected running threat: C:\WINDOWS\system32\ktjol7131.dll (ID = 83)
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:15: Detected running threat: C:\WINDOWS\system32\cqyptext.dll (ID = 83)
12:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:16: Memory Sweep Complete, Elapsed Time: 00:03:51
12:16: Starting Registry Sweep
12:16: Found Adware: screensavers
12:16: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
12:16: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
12:16: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
12:16: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
12:16: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
12:16: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
12:16: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
12:16: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
12:16: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
12:16: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
12:16: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
12:16: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
12:16: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
12:16: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
12:16: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
12:16: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
12:16: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
12:16: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
12:16: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
12:16: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
12:16: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
12:16: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
12:16: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
12:16: Found Adware: websearch toolbar
12:16: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
12:16: Found Adware: command
12:16: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
12:16: Found Adware: dollarrevenue
12:16: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1008\software\wintools\ (10 subtraces) (ID = 146514)
12:16: Found Adware: seekerbar hijack
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1008\software\microsoft\internet explorer\main\ || search bar (ID = 146557)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1008\software\wintools\ (10 subtraces) (ID = 646241)
12:16: Found Adware: twain-tech
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1007\software\multimpp\ (29 subtraces) (ID = 145342)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1007\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1007\software\wintools\ (11 subtraces) (ID = 146514)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1007\software\microsoft\internet explorer\main\ || search bar (ID = 146557)
12:16: HKU\WRSS_Profile_S-1-5-21-381301015-2127068416-1027631290-1007\software\wintools\ (11 subtraces) (ID = 646241)
12:17: Registry Sweep Complete, Elapsed Time:00:00:29
12:17: Starting Cookie Sweep
12:17: Found Spy Cookie: a cookie
12:17: bridie@a[1].txt (ID = 2027)
12:17: Found Spy Cookie: cliks cookie
12:17: bridie@cliks[1].txt (ID = 2414)
12:17: Found Spy Cookie: offeroptimizer cookie
12:17: bridie@offeroptimizer[1].txt (ID = 3087)
12:17: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:17: Starting File Sweep
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: Found Adware: surf accuracy
12:18: 3e2c3e41-d8ff-4a56-bb09-6d5e94 (ID = 162775)
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:18: 7269a5fd-f6d4-4524-8c27-a92f5f (ID = 180136)
12:19: Found Adware: apropos
12:19: wingenerics.dll (ID = 50187)
12:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: sacc[1].cfg (ID = 162775)
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: j6n2lg5o16.dll (ID = 159)
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24: uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66 (ID = 180136)
12:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24: cqyptext.dll (ID = 159)
12:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:31: atmtd.dll._ (ID = 166754)
12:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: ktjol7131.dll (ID = 159)
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:34: atmtd.dll (ID = 166754)
12:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: Found Adware: spysheriff
12:35: secure32.html (ID = 184319)
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: nvv6xu.vbs (ID = 185675)
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: File Sweep Complete, Elapsed Time: 00:19:30
12:36: Full Sweep has completed. Elapsed time 00:24:05
12:36: Traces Found: 298
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:44: Removal process initiated
12:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:44: Quarantining All Traces: icannnews
12:45: icannnews is in use. It will be removed on reboot.
12:45: C:\WINDOWS\system32\ktjol7131.dll is in use. It will be removed on reboot.
12:45: C:\WINDOWS\system32\cqyptext.dll is in use. It will be removed on reboot.
12:45: Quarantining All Traces: look2me
12:45: look2me is in use. It will be removed on reboot.
12:45: ktjol7131.dll is in use. It will be removed on reboot.
12:45: j6n2lg5o16.dll is in use. It will be removed on reboot.
12:45: cqyptext.dll is in use. It will be removed on reboot.
12:45: ktjol7131.dll is in use. It will be removed on reboot.
12:45: Quarantining All Traces: spysheriff
12:45: Quarantining All Traces: websearch toolbar
12:45: Quarantining All Traces: apropos
12:45: Quarantining All Traces: command
12:45: Quarantining All Traces: dollarrevenue
12:45: Quarantining All Traces: screensavers
12:45: Quarantining All Traces: seekerbar hijack
12:45: Quarantining All Traces: surf accuracy
12:45: Quarantining All Traces: twain-tech
12:45: Quarantining All Traces: a cookie
12:45: Quarantining All Traces: cliks cookie
12:45: Quarantining All Traces: offeroptimizer cookie
12:45: Warning: Launched explorer.exe
12:45: Warning: Quarantine process could not restart Explorer.
12:46: Removal process completed. Elapsed time 00:02:08
********




Logfile of HijackThis v1.99.1
Scan saved at 12:53:47, on 18/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Tech\MagicBall\2.1\LWBWHEEL.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\BigFix\BigFix.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\MagicBall\2.1\LWBWHEEL.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122416277296
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8535340F-4E57-4039-9F4C-B213EB7E82A6}: NameServer = 159.134.237.6,159.134.248.17
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Even now I already appear to be getting fewer pop-ups after using Spy Sweeper, but if there's anything else you can find through these logs that I need to fix, I hope you can help me with them.

Thanks again for quick reply!
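One thing worth pulling out of the Spy Sweeper log above: the same two look-alike hosts, www.ad-w-a-r-e.com and www.a-d-w-a-r-e.com, are blocked several times every minute, right up to the minute the removal process starts at 12:44, and not afterwards. A communication shield only blocks the connection; it does not remove whatever keeps making the attempts, which is why the log has hundreds of these lines. The script below is an added example (not from the thread, from Webroot, or from any tool named here) that parses shield-block lines in that format, collapses hyphenated look-alike hosts into one family, and flags hosts whose blocked attempts recur in consecutive minutes. The sample log is a constructed excerpt of the lines above, and the three-consecutive-minute threshold is an arbitrary value for illustration.

```python
"""Summarise Spy Sweeper "Communication shield" block lines and flag hosts
that are contacted minute after minute (a beaconing pattern).
Added example; the log format is copied from the thread, everything else
is the editor's own."""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

SHIELD_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}): The Spy Communication shield "
    r"has blocked access to: (?P<host>\S+)$"
)

# Constructed excerpt of the log posted above (12:34 to 12:46).
SAMPLE_LOG = """\
12:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:35: Found Adware: spysheriff
12:35: secure32.html (ID = 184319)
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:36: nvv6xu.vbs (ID = 185675)
12:44: Removal process initiated
12:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:46: Removal process completed. Elapsed time 00:02:08
"""

Event = Tuple[int, str, str]  # (minute of day, "HH:MM", host)


def parse_shield_log(text: str) -> List[Event]:
    """Extract every shield-block line; scan progress and detections are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SHIELD_RE.match(line.strip())
        if m:
            minute = int(m["hh"]) * 60 + int(m["mm"])
            events.append((minute, f"{m['hh']}:{m['mm']}", m["host"].lower()))
    return events


def host_family(host: str) -> str:
    """Collapse hyphenated look-alikes: www.ad-w-a-r-e.com and www.a-d-w-a-r-e.com -> adware.com."""
    h = host.lower()
    if h.startswith("www."):
        h = h[4:]
    return h.replace("-", "")


def longest_consecutive_run(minutes: Iterable[int]) -> int:
    """Length of the longest run of adjacent minutes (12:34, 12:35, 12:36 -> 3)."""
    run = best = 0
    prev = None
    for m in sorted(set(minutes)):
        run = run + 1 if prev is not None and m == prev + 1 else 1
        best = max(best, run)
        prev = m
    return best


def summarize(events: List[Event], key: Callable[[str], str] = lambda h: h) -> Dict[str, dict]:
    """Per host (or per family when key=host_family): count, first/last minute, longest run."""
    groups: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for minute, stamp, host in events:
        groups[key(host)].append((minute, stamp))
    summary = {}
    for name, hits in groups.items():
        hits.sort()
        summary[name] = {
            "count": len(hits),
            "first": hits[0][1],
            "last": hits[-1][1],
            "longest_run": longest_consecutive_run(m for m, _ in hits),
        }
    return summary


def beaconing_hosts(events: List[Event], min_consecutive: int = 3,
                    key: Callable[[str], str] = lambda h: h) -> Dict[str, dict]:
    """Hosts blocked in at least min_consecutive adjacent minutes."""
    return {n: s for n, s in summarize(events, key).items() if s["longest_run"] >= min_consecutive}


if __name__ == "__main__":
    ev = parse_shield_log(SAMPLE_LOG)
    for name, s in beaconing_hosts(ev, key=host_family).items():
        print(f"{name}: {s['count']} blocked attempts, {s['first']}-{s['last']}, "
              f"{s['longest_run']} consecutive minutes")
```

Run against the full log in the thread the same pattern holds from 12:34 until 12:44, which is a stronger removal indicator than the pop-up count: once the component is quarantined and the machine rebooted, the shield lines should stop entirely, and any host family that keeps appearing is a lead for the next HijackThis log.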

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 November 2005 - 08:43 AM

Great, we've made improvements here, but we still need to restore some things.

First of all, check and fix the next entry in your HijackThis log:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

In this case, this policy is set by malware.

Then perform the next step:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder and double-click second.bat.
Your icons and desktop will disappear while scanning. This is normal.
Afterwards, Notepad will open. Copy and paste the contents of the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 lifelonglufc (Topic Starter)

Posted 18 November 2005 - 09:19 AM

Here are the contents of the log from L2mfix:

Setting Directory
C:\Documents and Settings\Bryan\Desktop\l2mfix

Running From:
C:\Documents and Settings\Bryan\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 364 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 676 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'explorer.exe'
Killing PID 432 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1516 'rundll32.exe'
Killing PID 124 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
zip warning: name not matched: *.dll

zip error: Nothing to do! (backup.zip)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
updating: clear.reg (164 bytes security) (deflated 2%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
updating: flag.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 67%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
adding: log.txt (164 bytes security) (deflated 75%)
zip warning: name not matched: backregs\*.reg

zip error: Nothing to do! (backup.zip)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(IO)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
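The L2mfix log above ends with an export of the Winlogon\Notify key. L2mfix dumps that key because every DLL registered under it is loaded by winlogon.exe at logon, under the SYSTEM account and before the shell starts, and Look2Me (the "look2me" traces in the Spy Sweeper log, with DLLs such as ktjol7131.dll and j6n2lg5o16.dll) hides there under random names. The export posted here contains only the Windows defaults plus WRNotifier, which is Spy Sweeper's own package (the O20 line in the HijackThis log points at the same WRLogonNTF.dll), so the checker below has to be fed a constructed entry to show a hit. The script is an added example, not code from the thread or from L2mfix: it parses a .reg export in this format, decodes the hex(2) DllName values (REG_EXPAND_SZ stored as UTF-16LE bytes), and flags any package whose subkey and DLL pair is not in a baseline of Windows XP SP2 defaults. The baseline list is the editor's own assumption, and the sample export is a constructed excerpt of the log above plus one Look2Me-style entry whose subkey name is invented.

```python
"""Flag non-default Winlogon Notify packages in a REGEDIT5 (.reg) export.

Every DLL registered under HKLM\\...\\Winlogon\\Notify is loaded by
winlogon.exe (SYSTEM) at logon, before the shell starts, which is why
Look2Me-style adware lives there and why L2mfix dumps this key.
Added example; not code from the thread, from L2mfix, or from Microsoft."""
import re
from typing import Dict, Optional

# Editor's baseline of Windows XP SP2 default notify packages
# (subkey name -> DLL). Assumption: other builds may legitimately differ.
XP_DEFAULT_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_PREFIX = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
    "\\CurrentVersion\\Winlogon\\Notify\\"
).lower()

# Constructed sample: an excerpt of the export in the L2mfix log above plus
# one Look2Me-style entry. The DLL filename is one Spy Sweeper flagged;
# the subkey name "ktjol7131" is invented for illustration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ktjol7131]
"Asynchronous"=dword:00000001
"DllName"=hex(2):6b,00,74,00,6a,00,6f,00,6c,00,37,00,31,00,33,00,31,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logon"="WinLogon"
"""


def decode_reg_value(raw: str) -> Optional[str]:
    """Decode a .reg string value: "quoted" (REG_SZ) or hex(2): (UTF-16LE REG_EXPAND_SZ)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None  # dword and other types are not needed here


def parse_notify_export(text: str) -> Dict[str, str]:
    """Return {subkey: DllName} for every Notify\\<subkey> key in the export."""
    # A trailing backslash continues a hex value on the next line.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    packages: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            is_child = key.lower().startswith(NOTIFY_PREFIX) and len(key) > len(NOTIFY_PREFIX)
            current = key[len(NOTIFY_PREFIX):] if is_child else None
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        if name.strip().strip('"').lower() == "dllname":
            value = decode_reg_value(raw)
            if value is not None:
                packages[current] = value
    return packages


def find_non_default(packages: Dict[str, str]) -> Dict[str, str]:
    """Packages whose subkey/DLL pair is not in the XP baseline (case-insensitive)."""
    return {
        sub: dll
        for sub, dll in packages.items()
        if XP_DEFAULT_NOTIFY.get(sub.lower(), "").lower() != dll.lower()
    }


if __name__ == "__main__":
    for sub, dll in find_non_default(parse_notify_export(SAMPLE_EXPORT)).items():
        print(f"non-default notify package: {sub} -> {dll}")
```

On the sample this reports WRNotifier and the constructed ktjol7131 entry; the first is expected on a machine running Spy Sweeper, the second is the kind of entry L2mfix exists to remove. A hit is a lead, not a verdict: check the flagged DLL's path, signature and timestamp before deleting the key, and remember that the key's ACL (which L2mfix also resets, see the RegDACL section of the log) may have been changed to stop you doing exactly that.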


#6 miekiemoes

Posted 18 November 2005 - 09:35 AM

Looks good. Defaults are restored. :thumbsup:

How are things running now?

#7 lifelonglufc (Topic Starter)

Posted 18 November 2005 - 09:55 AM

Everything seems to be perfect again. I spent nearly two weeks trying to get rid of this myself and you managed to do it in under a day!
Thanks a million, it seems you have saved my computer from the peril of a 12-storey drop!
:thumbsup: :flowers:

#8 miekiemoes

Posted 18 November 2005 - 09:59 AM

Glad I could help. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them before scanning.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again! :flowers:

#9 miekiemoes

Posted 27 November 2005 - 07:17 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



