
Hijack This Log - Stupid Me, Please Help!


7 replies to this topic

#1 damselindistress


Posted 05 October 2006 - 10:44 PM

Hi, I've been clean for a long time, but getting attacked terribly right now. Please help! It keeps coming and coming, pop up after pop up!!!


Logfile of HijackThis v1.99.1
Scan saved at 11:29:22 AM, on 10/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Interwise\Participant\pull.exe
D:\MISC\Waktu Solat\waktusolat.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mercerlink.mercer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mercerlink.mercer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mercerlink.mercer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: waktusolat.exe.lnk = D:\MISC\Waktu Solat\waktusolat.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://mercerlink.mercer.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://mercerlink.mercer.com/msddsc.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gd1wdcrmap02/callcenter_enu/19221/a...x_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe



#2 MFDnSC


Posted 12 October 2006 - 04:35 PM

Download http://www.mvps.org/winhelp2002/DelDomains.inf with I.E.

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


===========
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for FreeDownload the trial link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 damselindistress


Posted 13 October 2006 - 01:12 PM

Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
2:01 AM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
2:01 AM: Shield States
2:01 AM: Spyware Definitions: 781
2:01 AM: Spy Sweeper 5.0.5.1286 started
1:21 AM: | End of Session, Saturday, October 14, 2006 |
1:21 AM: Your spyware definitions have been updated.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
1:11 AM: Messenger service has been disabled.
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
1:11 AM: Shield States
1:11 AM: Spyware Definitions: 691
1:11 AM: Spy Sweeper 5.0.5.1286 started
1:11 AM: Spy Sweeper 5.0.5.1286 started
1:11 AM: | Start of Session, Saturday, October 14, 2006 |
********
1:56 AM: Removal process completed. Elapsed time 00:00:56
1:56 AM: Preparing to restart your computer. Please wait...
1:56 AM: Quarantining All Traces: adjuggler cookie
1:56 AM: Quarantining All Traces: partypoker cookie
1:55 AM: Quarantining All Traces: bizrate cookie
1:55 AM: Quarantining All Traces: yieldmanager cookie
1:55 AM: Quarantining All Traces: 3 cookie
1:55 AM: Quarantining All Traces: cws gonnasearch
1:55 AM: C:\WINDOWS\system32\nskD.dll is in use. It will be removed on reboot.
1:55 AM: C:\WINDOWS\System32\nskD.dll is in use. It will be removed on reboot.
1:55 AM: c:\windows\system32\nskd.dll is in use. It will be removed on reboot.
1:55 AM: C:\WINDOWS\System32\nskD.dll is in use. It will be removed on reboot.
1:55 AM: ezula ilookup is in use. It will be removed on reboot.
1:55 AM: Quarantining All Traces: ezula ilookup
1:55 AM: Quarantining All Traces: deluxecommunications
1:55 AM: Quarantining All Traces: elitemediagroup-mediamotor
1:55 AM: Quarantining All Traces: trafficsolution
1:55 AM: Quarantining All Traces: purityscan
1:55 AM: Removal process initiated
1:49 AM: Traces Found: 66
1:49 AM: Full Sweep has completed. Elapsed time 00:28:16
1:49 AM: C:\WINDOWS\system32\nsu17.dll (ID = 379156)
1:49 AM: C:\WINDOWS\system32\nsl16.dll (ID = 379156)
1:49 AM: C:\WINDOWS\system32\nskD.dll (ID = 379156)
1:49 AM: HKLM\software\microsoft\rotator\ (ID = 1730676)
1:49 AM: HKLM\software\microsoft\compression\ (ID = 1704496)
1:49 AM: HKLM\software\microsoft\windows\currentversion\uninstall\adrotator\ (ID = 1538545)
1:49 AM: Detected running threat: C:\WINDOWS\system32\nskD.dll (ID = 379156)
1:49 AM: Detected running threat: C:\WINDOWS\system32\nskD.dll (ID = 379156)
1:49 AM: File Sweep Complete, Elapsed Time: 00:25:26
1:40 AM: Warning: Failed to access drive E:
1:39 AM: Warning: Failed to open file "d:\documents and settings\hassan-odierno\application data\microsoft\templates\~$normal.dot". The operation completed successfully
1:39 AM: Warning: Failed to open file "d:\documents and settings\hassan-odierno\local settings\temp\~df2b84.tmp". The operation completed successfully
1:39 AM: Warning: Failed to open file "d:\documents and settings\hassan-odierno\cookies\hassan-odierno@85.12.25[3].txt". The operation completed successfully
1:38 AM: D:\Documents and Settings\All Users\Application Data\AutoSearch.dll (ID = 360405)
1:38 AM: Found Adware: cws gonnasearch
1:34 AM: D:\Documents and Settings\hassan-odierno\Local Settings\Temporary Internet Files\Content.IE5\UOASHTT1\ad1.78[1].exe (ID = 378751)
1:32 AM: C:\WINDOWS\system32\brrotate.dll (ID = 378529)
1:31 AM: C:\WINDOWS\DXCecho.exe (ID = 360403)
1:31 AM: C:\WINDOWS\system32\adrot-uninst.exe (ID = 335877)
1:31 AM: C:\WINDOWS\Eim03.exe (ID = 350199)
1:31 AM: C:\WINDOWS\motorsix.ocx (ID = 376042)
1:30 AM: C:\WINDOWS\system32\brrot-uninst.exe (ID = 378528)
1:25 AM: C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe (ID = 372953)
1:25 AM: Found Adware: purityscan
1:24 AM: Starting File Sweep
1:24 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:24 AM: d:\documents and settings\hassan-odierno\cookies\hassan-odierno@rotator.adjuggler[2].txt (ID = 2071)
1:24 AM: Found Spy Cookie: adjuggler cookie
1:24 AM: d:\documents and settings\hassan-odierno\cookies\hassan-odierno@partypoker[1].txt (ID = 3111)
1:24 AM: Found Spy Cookie: partypoker cookie
1:24 AM: d:\documents and settings\hassan-odierno\cookies\hassan-odierno@bizrate[2].txt (ID = 2308)
1:24 AM: Found Spy Cookie: bizrate cookie
1:24 AM: d:\documents and settings\hassan-odierno\cookies\hassan-odierno@ad.yieldmanager[2].txt (ID = 3751)
1:24 AM: Found Spy Cookie: yieldmanager cookie
1:24 AM: d:\documents and settings\hassan-odierno\cookies\hassan-odierno@85.17.3[1].txt (ID = 1960)
1:24 AM: Found Spy Cookie: 3 cookie
1:24 AM: Starting Cookie Sweep
1:24 AM: Registry Sweep Complete, Elapsed Time:00:00:22
1:24 AM: HKLM\software\microsoft\windows\currentversion\uninstall\adrotator\ || uninstallstring (ID = 1730553)
1:24 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{e954db82-1533-4714-92f2-59c98d5c18cc}\ (ID = 1728778)
1:24 AM: HKLM\software\classes\typelib\{7dabffeb-649f-4077-9e03-202688d77676}\ (ID = 1728767)
1:24 AM: HKLM\software\classes\clsid\{e954db82-1533-4714-92f2-59c98d5c18cc}\ (ID = 1728755)
1:24 AM: HKLM\software\classes\bannerrotator.rotator2\ (ID = 1728745)
1:24 AM: HKCR\typelib\{7dabffeb-649f-4077-9e03-202688d77676}\ (ID = 1728735)
1:24 AM: HKCR\clsid\{e954db82-1533-4714-92f2-59c98d5c18cc}\ (ID = 1728723)
1:24 AM: HKCR\bannerrotator.rotator2.1\ (ID = 1728719)
1:24 AM: HKCR\bannerrotator.rotator2\ (ID = 1728713)
1:24 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{eec590d8-0a3c-4464-bb20-25a4747992f9}\ (ID = 1728336)
1:24 AM: HKLM\software\classes\typelib\{7ac21a02-5b24-47ae-9b0e-b05ae3a50fc4}\ (ID = 1728320)
1:24 AM: HKLM\software\classes\clsid\{eec590d8-0a3c-4464-bb20-25a4747992f9}\ (ID = 1728308)
1:24 AM: HKLM\software\classes\adrotator.rotator.1\ (ID = 1728296)
1:24 AM: HKLM\software\classes\adrotator.rotator\ (ID = 1728290)
1:24 AM: HKCR\typelib\{7ac21a02-5b24-47ae-9b0e-b05ae3a50fc4}\ (ID = 1728277)
1:24 AM: HKCR\clsid\{eec590d8-0a3c-4464-bb20-25a4747992f9}\ (ID = 1728263)
1:24 AM: HKCR\adrotator.rotator.1\ (ID = 1728250)
1:24 AM: HKCR\adrotator.rotator\ (ID = 1728244)
1:24 AM: HKLM\software\deluxecommunications\ (ID = 1681439)
1:24 AM: Found Adware: deluxecommunications
1:24 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586270)
1:24 AM: HKLM\software\classes\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586223)
1:24 AM: HKLM\software\classes\crypt.core.1\ (ID = 1586219)
1:24 AM: HKLM\software\classes\crypt.core\ (ID = 1586213)
1:24 AM: HKLM\software\classes\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586201)
1:24 AM: HKLM\software\classes\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586189)
1:24 AM: HKCR\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586179)
1:24 AM: HKCR\crypt.core.1\ (ID = 1586175)
1:24 AM: HKCR\crypt.core\ (ID = 1586169)
1:24 AM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586157)
1:24 AM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586145)
1:24 AM: HKLM\software\microsoft\windows\currentversion\run\ || adstart (ID = 1582881)
1:24 AM: HKLM\software\classes\onone.theimp.1\ (ID = 1221523)
1:24 AM: HKLM\software\classes\onone.theimp\ (ID = 1221515)
1:24 AM: HKCR\onone.theimp.1\ (ID = 1221367)
1:24 AM: HKCR\onone.theimp\ (ID = 1221362)
1:24 AM: HKLM\software\mm\ (ID = 140211)
1:24 AM: Found Adware: elitemediagroup-mediamotor
1:24 AM: Starting Registry Sweep
1:24 AM: Memory Sweep Complete, Elapsed Time: 00:02:15
1:21 AM: Detected running threat: C:\WINDOWS\system32\brrotate.dll (ID = 378529)
1:21 AM: Starting Memory Sweep
1:21 AM: C:\WINDOWS\system32\adrotate.dll (ID = 1728884)
1:21 AM: HKCR\clsid\{eec590d8-0a3c-4464-bb20-25a4747992f9}\inprocserver32\ (ID = 1728884)
1:21 AM: C:\WINDOWS\system32\brrotate.dll (ID = 1728883)
1:21 AM: HKCR\clsid\{e954db82-1533-4714-92f2-59c98d5c18cc}\inprocserver32\ (ID = 1728883)
1:21 AM: Found Adware: trafficsolution
1:21 AM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\inprocserver32\ (ID = 1704840)
1:21 AM: C:\WINDOWS\system32\nskD.dll (ID = 1704495)
1:21 AM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\inprocserver32\ (ID = 1704495)
1:21 AM: Found Adware: ezula ilookup
1:21 AM: Sweep initiated using definitions version 781
1:21 AM: Spy Sweeper 5.0.5.1286 started
1:21 AM: | Start of Session, Saturday, October 14, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 2:06:12 AM, on 10/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Interwise\Participant\pull.exe
D:\MISC\Waktu Solat\waktusolat.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mercerlink.mercer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mercerlink.mercer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [JobHisInit] "C:\Program Files\RMClient\JobHisInit.exe"
O4 - HKLM\..\Run: [MplSetUp] "C:\Program Files\RMClient\MplSetUp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: waktusolat.exe.lnk = D:\MISC\Waktu Solat\waktusolat.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://mercerlink.mercer.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://mercerlink.mercer.com/msddsc.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gd1wdcrmap02/callcenter_enu/19221/a...x_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC289614-2DB8-40D6-BA97-3E98484242B3}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

So, how did I do?
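
Comparing the first HijackThis log in this thread with the one posted after the DelDomains.inf and Spy Sweeper steps shows what those steps changed. The Python sketch below is an added example, not part of the original posts and not HijackThis's own code; the function names are hypothetical, and the two sample logs are short excerpts of lines taken from the logs above.

```python
import re

# A HijackThis entry is "<section code> - <entry text>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Excerpt of the first log (before DelDomains.inf / Spy Sweeper).
BEFORE = r"""
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
"""

# Excerpt of the second log (after the cleanup steps).
AFTER = r"""
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""


def parse_hjt(text):
    """Return the (code, entry) pairs of a HijackThis log, in file order.

    Header lines and the "Running processes" list do not match the
    entry pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def _key(entry):
    # The second log shows some Run paths quoted that the first shows
    # unquoted; ignore quotes and case so those do not count as changes.
    code, text = entry
    return code, text.replace('"', "").lower()


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, each sorted."""
    b = {_key(e): e for e in parse_hjt(before)}
    a = {_key(e): e for e in parse_hjt(after)}
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    return removed, added


def trusted_zone_domains(text):
    """Group O15 Trusted Zone domains by registry hive.

    Entries ending in "(HKLM)" are machine-wide; entries without the
    suffix are treated here as per-user (HKCU).
    """
    zones = {"HKCU": [], "HKLM": []}
    for code, entry in parse_hjt(text):
        if code != "O15" or not entry.startswith("Trusted Zone:"):
            continue
        domain = entry[len("Trusted Zone:"):].strip()
        hive = "HKCU"
        if domain.endswith("(HKLM)"):
            hive, domain = "HKLM", domain[:-len("(HKLM)")].strip()
        zones[hive].append(domain)
    return zones


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for code, entry in removed:
        print("gone :", code, "-", entry)
    for code, entry in added:
        print("new  :", code, "-", entry)
    print("Trusted Zone entries remaining:", trusted_zone_domains(AFTER))
```

An empty result from `trusted_zone_domains` on the later log confirms that both the per-user and the machine-wide Trusted Zone additions were cleared; anything listed under "new" is what to review next.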

#4 MFDnSC


Posted 13 October 2006 - 02:28 PM

Make sure that after we are done you get SP2 and the latest critical updates!

===========================

Get all of these and/or verify you have the current versions

SpywareBlaster 3.5.1 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS Windows Defender - http://www.microsoft.com/downloads/details...;displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates and then run AdAware, MS Defender (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Check for updates and run weekly
====================

Clean

Restore points
Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

#5 damselindistress


Posted 20 October 2006 - 10:26 AM

Hi. The problem is not gone yet unfortunately. It isn't as bad, but the computer is still slower than normal, and when I rescanned, the same trojans... were back. Any idea?

#6 MFDnSC


Posted 20 October 2006 - 02:54 PM

Right click hijackthis.exe and rename it to bleep.exe

Please explain in detail what is wrong - what trojans etc.

Post a new log

#7 damselindistress


Posted 20 October 2006 - 09:19 PM

The spysweeper caught the following for the second time (after deleting):

purityscan
trojan-vbstat-b
trafficsolution
cws gonnasearch


Logfile of HijackThis v1.99.1
Scan saved at 10:09:49 AM, on 10/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Interwise\Participant\pull.exe
D:\MISC\Waktu Solat\waktusolat.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HijackThis\beep.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mercerlink.mercer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mercerlink.mercer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BE5B9BBC-4285-4E98-A280-131600DD840B} - C:\WINDOWS\System32\efebc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [JobHisInit] "C:\Program Files\RMClient\JobHisInit.exe"
O4 - HKLM\..\Run: [MplSetUp] "C:\Program Files\RMClient\MplSetUp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: waktusolat.exe.lnk = D:\MISC\Waktu Solat\waktusolat.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://mercerlink.mercer.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://mercerlink.mercer.com/msddsc.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gd1wdcrmap02/callcenter_enu/19221/a...x_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC289614-2DB8-40D6-BA97-3E98484242B3}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mercer.com,mercer.com,mercer.com,mercer.com,mercer.com,mercer.com
O20 - Winlogon Notify: efebc - C:\WINDOWS\System32\efebc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 October 2006 - 09:07 AM

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
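
The new HijackThis log requested in the post above has to be read against the earlier one. As an added example (not part of the thread, and not code from HijackThis or VundoFix), this Python script parses the log's entry lines, lists the entries that disappeared, and reports any removed entry whose file is still referenced from another section. The BEFORE lines are copied from the log in this thread; the AFTER log is constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Entry lines look like "O2 - BHO: ..."; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A drive-letter path ending in a loadable module, used to link sections together.
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|ocx)", re.IGNORECASE)

def parse_entries(log_text):
    """Return the set of (section code, entry body) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def modules_by_section(entries):
    """Map each lower-cased module path to the section codes that reference it."""
    seen = defaultdict(set)
    for code, body in entries:
        for path in MODULE_RE.findall(body):
            seen[path.lower()].add(code)
    return seen

def compare_logs(before_text, after_text):
    """Diff two logs; 'leftovers' are files of removed entries still referenced afterwards."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed = before - after
    still = modules_by_section(after)
    leftovers = {p: sorted(still[p]) for p in modules_by_section(removed) if p in still}
    return {"removed": sorted(removed), "added": sorted(after - before), "leftovers": leftovers}

# Four entry lines copied from the log posted in this thread.
BEFORE = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BE5B9BBC-4285-4E98-A280-131600DD840B} - C:\WINDOWS\System32\efebc.dll
O20 - Winlogon Notify: efebc - C:\WINDOWS\System32\efebc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll"""
# Constructed follow-up log: the O2 entry for efebc.dll is gone, its O20 entry is not.
AFTER = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: efebc - C:\WINDOWS\System32\efebc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll"""

if __name__ == "__main__":
    result = compare_logs(BEFORE, AFTER)
    for code, body in result["removed"]:
        print("removed:", code, body)
    for path, codes in result["leftovers"].items():
        print("still referenced:", path, "via", ", ".join(codes))
```

A non-empty "leftovers" result means the file is still registered somewhere in the second log, so the two logs do not yet show a complete removal.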



