Spyheal (not 100% Sure) Browser Hijacker & Popups


9 replies to this topic

#1 Modulus

Modulus

  • Members
  • 109 posts
  • Gender:Male
  • Location:Connecticut

Posted 18 October 2006 - 05:09 PM

Here's my log file... I run WinXP (SP2), use IE 6 and WMPlayer 11. I went through the 7 or so steps outlined on your thread, "Read this topic before posting a log" before running hijack this including running my own virus software, Trend Micro Internet Security 2007, as suggested.

I have the tools Ad-Aware SE Pro, CCleaner, Killbox, Roguescanfix, HijackThis, Ewido anti-spyware, and Spybot Search & Destroy at my disposal as well.

THANK YOU!! :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 5:55:32 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Drcc] "C:\PROGRA~1\COMMON~1\YMBOLS~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [Che] C:\PROGRA~1\COMMON~1\SSTEM~1\WWEXEC~1.EXE
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Stardock Keyboard Launchpad.lnk = C:\Program Files\Stardock\Object Desktop\KLP\Keys.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\ati2evxx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
I'm not a vegetarian because I dislike meat, I'm a vegetarian because I hate plants!


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 19 October 2006 - 06:48 PM

Look in your Control Panel under Add/Remove programs for the following:

PuritySCAN By OIN,
Snowballwars by OIN,
OuterInfo or anything similar,

If found, click on it and click remove.

If not listed, download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

=====================
You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKCU\..\Run: [Drcc] "C:\PROGRA~1\COMMON~1\YMBOLS~1\alg.exe" -vt yazr

O4 - HKCU\..\Run: [Che] C:\PROGRA~1\COMMON~1\SSTEM~1\WWEXEC~1.EXE

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\PROGRA~1\COMMON~1\YMBOLS~1
C:\PROGRA~1\COMMON~1\SSTEM~1

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
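The two O4 entries MFDnSC singles out share a pattern worth automating on the defender's side: an 8.3 short-name folder under Common Files whose stem is a real folder name with one letter dropped (YMBOLS~1, SSTEM~1), and a system binary name (alg.exe) launched from outside system32. The script below is an added example, not the poster's or the HijackThis project's code; it parses the O4 and O2 line formats used in the logs in this thread and applies those heuristics, plus the "(no name)" / "(file missing)" check for O2 BHO lines of the form that appears later in the thread. The sample lines are copied from the logs above; the folder allow-list and the system32-only binary list are my assumptions.

```python
"""Triage HijackThis v1.99 O4 (autostart) and O2 (BHO) lines for the patterns
seen in this thread. Added example, not HijackThis code; KNOWN_FOLDERS and
SYSTEM32_ONLY are assumed lists, SAMPLE_LOG is copied from the thread's logs."""
import re
from dataclasses import dataclass

# O4 - HKCU\..\Run: [Drcc] "C:\PROGRA~1\COMMON~1\YMBOLS~1\alg.exe" -vt yazr
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O2 - BHO: <name> - {CLSID} - <dll path, possibly followed by "(file missing)">
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
SHORT_RE = re.compile(r'^([A-Za-z0-9_$]+)~\d+$')          # 8.3 short name, e.g. YMBOLS~1
QUOTED_RE = re.compile(r'^"([^"]+)"')                      # "C:\path with spaces\x.exe" args
EXE_RE = re.compile(r'^(.+?\.exe)(?:\s|$)', re.IGNORECASE)  # unquoted path up to first .exe

# Binaries Windows ships only in %SystemRoot%\system32 (assumed list).
SYSTEM32_ONLY = {"alg.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "smss.exe"}
# Folder names whose 8.3 forms are expected on an XP box like this one (assumed list).
KNOWN_FOLDERS = ["Program Files", "Common Files", "Symbols", "System", "System32", "Windows",
                 "Microsoft", "Trend Micro", "Internet Security 2007", "Internet Explorer"]


def _norm(name: str) -> str:
    # 8.3 stems are built from the long name with spaces removed, upper-cased.
    return name.replace(" ", "").upper()


def legit_stem(stem: str) -> bool:
    """Stem is the genuine 8.3 prefix of a known folder (PROGRA -> Program Files)."""
    return any(_norm(k).startswith(stem) for k in KNOWN_FOLDERS)


def mimic_stem(stem: str) -> bool:
    """Stem matches a known folder name with exactly one character deleted
    (YMBOLS <- SYMBOLS, SSTEM <- SYSTEM): looks right at a glance, is not."""
    if len(stem) < 4:
        return False
    for k in KNOWN_FOLDERS:
        n = _norm(k)
        if any((n[:i] + n[i + 1:]).startswith(stem) for i in range(len(n))):
            return True
    return False


def executable_path(cmd: str) -> str:
    """Pull the launched executable out of a Run value (quoted or bare)."""
    m = QUOTED_RE.match(cmd) or EXE_RE.match(cmd)
    return m.group(1) if m else cmd.strip()


@dataclass
class Finding:
    entry: str        # the O4 [name] or the O2 CLSID
    line: str
    reasons: list[str]


def check_o4(cmd: str) -> list[str]:
    reasons = []
    parts = executable_path(cmd).replace("/", "\\").split("\\")
    dirs, base = parts[:-1], parts[-1].lower()
    parent = "\\".join(dirs) or "(no path)"
    if base in SYSTEM32_ONLY and (not dirs or dirs[-1].lower() != "system32"):
        reasons.append(f"{base} normally runs only from system32, here from {parent}")
    for comp in dirs:
        m = SHORT_RE.match(comp)
        if m and not legit_stem(m.group(1).upper()) and mimic_stem(m.group(1).upper()):
            reasons.append(f"8.3 folder {comp} mimics a real folder name with one letter dropped")
    return reasons


def check_o2(name: str, path: str) -> list[str]:
    reasons = []
    if name.strip() == "(no name)":
        reasons.append("BHO registered without a name")
    if path.rstrip().endswith("(file missing)"):
        reasons.append("BHO DLL missing on disk (orphaned or self-deleting)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)) and (reasons := check_o4(m["cmd"])):
            findings.append(Finding(m["name"], line, reasons))
        elif (m := O2_RE.match(line)) and (reasons := check_o2(m["name"], m["path"])):
            findings.append(Finding(m["clsid"], line, reasons))
    return findings


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Drcc] "C:\PROGRA~1\COMMON~1\YMBOLS~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [Che] C:\PROGRA~1\COMMON~1\SSTEM~1\WWEXEC~1.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FBEAAB-0DCF-DFDB-1FFD-A7FCB90EB540} - C:\WINDOWS\gqqdvt.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry}] {f.line}")
        for r in f.reasons:
            print("    ->", r)
```

Only the two Run entries the helper fixed and the nameless, fileless BHO are reported; the Stardock, NVIDIA and Trend Micro entries pass, as they should.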

#3 Modulus

Modulus
  • Topic Starter

  • Members
  • 109 posts
  • Gender:Male
  • Location:Connecticut

Posted 20 October 2006 - 04:53 PM

Well, I did everything you suggested, MFDnSC, but it didn't work completely. Before posting the first time I was able to get my browser home page to load after going through the 'read this before posting a log file' thread... Ran killbox and deleted both files without a problem and deleted everything in my temp folder. While in safe mode my taskbar and run/win explorer windows kept closing. I then would receive the standard windows dialog asking me if I wanted to do a system restore or continue in safemode. After selecting the safemode option the taskbar would reopen... This happened ~5 times. May be nothing but I thought it was weird.

In any case, the results are as follows. I still have popups from winantivirus pro and systemdoctor 2007 (or 2006 - I don't remember). Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:23 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\WINDOW~1\wbload.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Stardock Keyboard Launchpad.lnk = C:\Program Files\Stardock\Object Desktop\KLP\Keys.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\ati2evxx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Thanks
I'm not a vegetarian because I dislike meat, I'm a vegetarian because I hate plants!

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 20 October 2006 - 05:00 PM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for FreeDownload the trial link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 Modulus

Modulus
  • Topic Starter

  • Members
  • 109 posts
  • Gender:Male
  • Location:Connecticut

Posted 21 October 2006 - 06:13 PM

Spy Sweeper Log:

6:33 PM: Removal process completed. Elapsed time 00:01:00
6:33 PM: A reboot was required but declined.
6:33 PM: Warning: Quarantine process could not restart Explorer.
6:33 PM: Warning: Launched explorer.exe
6:33 PM: Quarantining All Traces: zedo cookie
6:33 PM: Quarantining All Traces: yadro cookie
6:33 PM: Quarantining All Traces: seeq cookie
6:33 PM: Quarantining All Traces: wirefly cookie
6:33 PM: Quarantining All Traces: winantiviruspro cookie
6:33 PM: Quarantining All Traces: myaffiliateprogram.com cookie
6:33 PM: Quarantining All Traces: ugo cookie
6:33 PM: Quarantining All Traces: starware.com cookie
6:33 PM: Quarantining All Traces: tribalfusion cookie
6:33 PM: Quarantining All Traces: trafficmp cookie
6:33 PM: Quarantining All Traces: webtrendslive cookie
6:33 PM: Quarantining All Traces: reliablestats cookie
6:33 PM: Quarantining All Traces: serving-sys cookie
6:33 PM: Quarantining All Traces: searchadnetwork cookie
6:33 PM: Quarantining All Traces: search123 cookie
6:33 PM: Quarantining All Traces: adjuggler cookie
6:33 PM: Quarantining All Traces: questionmarket cookie
6:33 PM: Quarantining All Traces: one-time-offer cookie
6:33 PM: Quarantining All Traces: nextag cookie
6:33 PM: Quarantining All Traces: realmedia cookie
6:33 PM: Quarantining All Traces: mygeek cookie
6:33 PM: Quarantining All Traces: go.com cookie
6:33 PM: Quarantining All Traces: monstermarketplace cookie
6:33 PM: Quarantining All Traces: mediaplex cookie
6:33 PM: Quarantining All Traces: malwarewipe cookie
6:33 PM: Quarantining All Traces: webtrends cookie
6:33 PM: Quarantining All Traces: infospace cookie
6:33 PM: Quarantining All Traces: linksynergy cookie
6:33 PM: Quarantining All Traces: about cookie
6:33 PM: Quarantining All Traces: screensavers.com cookie
6:33 PM: Quarantining All Traces: gamespy cookie
6:33 PM: Quarantining All Traces: findwhat cookie
6:33 PM: Quarantining All Traces: directtrack cookie
6:33 PM: Quarantining All Traces: did-it cookie
6:33 PM: Quarantining All Traces: overture cookie
6:33 PM: Quarantining All Traces: exitexchange cookie
6:33 PM: Quarantining All Traces: goclick cookie
6:33 PM: Quarantining All Traces: burstnet cookie
6:33 PM: Quarantining All Traces: bizrate cookie
6:33 PM: Quarantining All Traces: belnk cookie
6:33 PM: Quarantining All Traces: atwola cookie
6:33 PM: Quarantining All Traces: atlas dmt cookie
6:33 PM: Quarantining All Traces: ask cookie
6:33 PM: Quarantining All Traces: falkag cookie
6:33 PM: Quarantining All Traces: aptimus cookie
6:33 PM: Quarantining All Traces: tacoda cookie
6:33 PM: Quarantining All Traces: advertising cookie
6:33 PM: Quarantining All Traces: adserver cookie
6:33 PM: Quarantining All Traces: adrevolver cookie
6:33 PM: Quarantining All Traces: adprofile cookie
6:33 PM: Quarantining All Traces: specificclick.com cookie
6:33 PM: Quarantining All Traces: adknowledge cookie
6:33 PM: Quarantining All Traces: adecn cookie
6:33 PM: Quarantining All Traces: yieldmanager cookie
6:33 PM: Quarantining All Traces: 3 cookie
6:33 PM: Quarantining All Traces: 2o7.net cookie
6:33 PM: Quarantining All Traces: 247realmedia cookie
6:33 PM: Quarantining All Traces: vs toolbar
6:33 PM: Quarantining All Traces: download plugin
6:33 PM: Quarantining All Traces: command
6:33 PM: Quarantining All Traces: trojan-vbstat-c
6:33 PM: Quarantining All Traces: elitemediagroup-mediamotor
6:33 PM: Quarantining All Traces: enbrowser
6:33 PM: C:\WINDOWS\system32\mllmm.dll is in use. It will be removed on reboot.
6:33 PM: C:\WINDOWS\system32\mllmm.dll is in use. It will be removed on reboot.
6:33 PM: virtumonde is in use. It will be removed on reboot.
6:33 PM: Quarantining All Traces: virtumonde
6:32 PM: Removal process initiated
6:32 PM: Traces Found: 108
6:32 PM: Full Sweep has completed. Elapsed time 00:14:34
6:32 PM: File Sweep Complete, Elapsed Time: 00:13:22
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
6:31 PM: The Spy Communication shield has blocked access to: E0.EXTREME-DM.COM
Access is denied
6:30 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
6:29 PM: Warning: Failed to access drive E:
6:26 PM: Warning: Failed to open file "c:\documents and settings\mike\cookies\mike@89.188.16[2].txt". The operation completed successfully
6:23 PM: C:\WINDOWS\Setup90.exe (ID = 336716)
6:23 PM: Found Adware: enbrowser
6:18 PM: C:\Program Files\VSToolbar (1 subtraces) (ID = 2147531659)
6:18 PM: Found Adware: vs toolbar
6:18 PM: Starting File Sweep
6:18 PM: Warning: Failed to access drive A:
6:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
6:18 PM: c:\documents and settings\mike\cookies\mike@zedo[1].txt (ID = 3762)
6:18 PM: Found Spy Cookie: zedo cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@z1.adserver[1].txt (ID = 2142)
6:18 PM: c:\documents and settings\mike\cookies\mike@yadro[1].txt (ID = 3743)
6:18 PM: Found Spy Cookie: yadro cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@www48.seeq[1].txt (ID = 3332)
6:18 PM: Found Spy Cookie: seeq cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@www.wirefly[2].txt (ID = 3694)
6:18 PM: Found Spy Cookie: wirefly cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@www.winantiviruspro[2].txt (ID = 3690)
6:18 PM: Found Spy Cookie: winantiviruspro cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@www.searchadnetwork[1].txt (ID = 3312)
6:18 PM: c:\documents and settings\mike\cookies\mike@www.screensavers[1].txt (ID = 3298)
6:18 PM: c:\documents and settings\mike\cookies\mike@www.myaffiliateprogram[1].txt (ID = 3032)
6:18 PM: Found Spy Cookie: myaffiliateprogram.com cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@www.burstnet[1].txt (ID = 2337)
6:18 PM: c:\documents and settings\mike\cookies\mike@ugo[1].txt (ID = 3608)
6:18 PM: Found Spy Cookie: ugo cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@try.starware[1].txt (ID = 3442)
6:18 PM: Found Spy Cookie: starware.com cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@try.screensavers[1].txt (ID = 3298)
6:18 PM: c:\documents and settings\mike\cookies\mike@tribalfusion[1].txt (ID = 3589)
6:18 PM: Found Spy Cookie: tribalfusion cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@trafficmp[1].txt (ID = 3581)
6:18 PM: Found Spy Cookie: trafficmp cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@statse.webtrendslive[1].txt (ID = 3667)
6:18 PM: Found Spy Cookie: webtrendslive cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@stats1.reliablestats[1].txt (ID = 3254)
6:18 PM: Found Spy Cookie: reliablestats cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@sonymediasoftware.122.2o7[1].txt (ID = 1958)
6:18 PM: c:\documents and settings\mike\cookies\mike@serving-sys[2].txt (ID = 3343)
6:18 PM: Found Spy Cookie: serving-sys cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@searchadnetwork[2].txt (ID = 3311)
6:18 PM: Found Spy Cookie: searchadnetwork cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@search123[1].txt (ID = 3305)
6:18 PM: Found Spy Cookie: search123 cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@screensavers[1].txt (ID = 3297)
6:18 PM: c:\documents and settings\mike\cookies\mike@rotator.adjuggler[2].txt (ID = 2071)
6:18 PM: Found Spy Cookie: adjuggler cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@realmedia[2].txt (ID = 3235)
6:18 PM: c:\documents and settings\mike\cookies\mike@rapidresponse.directtrack[2].txt (ID = 2528)
6:18 PM: c:\documents and settings\mike\cookies\mike@questionmarket[2].txt (ID = 3217)
6:18 PM: Found Spy Cookie: questionmarket cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@perf.overture[1].txt (ID = 3106)
6:18 PM: c:\documents and settings\mike\cookies\mike@partygaming.122.2o7[1].txt (ID = 1958)
6:18 PM: c:\documents and settings\mike\cookies\mike@one-time-offer[1].txt (ID = 3095)
6:18 PM: Found Spy Cookie: one-time-offer cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@nextag[1].txt (ID = 5014)
6:18 PM: Found Spy Cookie: nextag cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@network.realmedia[2].txt (ID = 3236)
6:18 PM: Found Spy Cookie: realmedia cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@network.aptimus[1].txt (ID = 2235)
6:18 PM: c:\documents and settings\mike\cookies\mike@mygeek[1].txt (ID = 3041)
6:18 PM: Found Spy Cookie: mygeek cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@movies.go[1].txt (ID = 2729)
6:18 PM: Found Spy Cookie: go.com cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@monstermarketplace[1].txt (ID = 3006)
6:18 PM: Found Spy Cookie: monstermarketplace cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@mediaplex[1].txt (ID = 6442)
6:18 PM: Found Spy Cookie: mediaplex cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@malwarewipe[1].txt (ID = 6467)
6:18 PM: Found Spy Cookie: malwarewipe cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@m.webtrends[2].txt (ID = 3669)
6:18 PM: Found Spy Cookie: webtrends cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@local.infospace[1].txt (ID = 2866)
6:18 PM: Found Spy Cookie: infospace cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@linksynergy[1].txt (ID = 2926)
6:18 PM: Found Spy Cookie: linksynergy cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@jewelry.about[1].txt (ID = 2038)
6:18 PM: Found Spy Cookie: about cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@i.screensavers[2].txt (ID = 3298)
6:18 PM: Found Spy Cookie: screensavers.com cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@highbeam.122.2o7[1].txt (ID = 1958)
6:18 PM: c:\documents and settings\mike\cookies\mike@gamespy[1].txt (ID = 2719)
6:18 PM: Found Spy Cookie: gamespy cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@findwhat[1].txt (ID = 2674)
6:18 PM: Found Spy Cookie: findwhat cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@exitexchange[1].txt (ID = 2633)
6:18 PM: c:\documents and settings\mike\cookies\mike@dist.belnk[2].txt (ID = 2293)
6:18 PM: c:\documents and settings\mike\cookies\mike@directtrack[2].txt (ID = 2527)
6:18 PM: Found Spy Cookie: directtrack cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@did-it[1].txt (ID = 2523)
6:18 PM: Found Spy Cookie: did-it cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@data2.perf.overture[1].txt (ID = 3106)
6:18 PM: c:\documents and settings\mike\cookies\mike@data1.perf.overture[2].txt (ID = 3106)
6:18 PM: Found Spy Cookie: overture cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@count4.exitexchange[1].txt (ID = 2634)
6:18 PM: c:\documents and settings\mike\cookies\mike@count3.exitexchange[1].txt (ID = 2634)
6:18 PM: c:\documents and settings\mike\cookies\mike@count2.exitexchange[1].txt (ID = 2634)
6:18 PM: c:\documents and settings\mike\cookies\mike@count1.exitexchange[1].txt (ID = 2634)
6:18 PM: Found Spy Cookie: exitexchange cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@cnn.122.2o7[1].txt (ID = 1958)
6:18 PM: c:\documents and settings\mike\cookies\mike@cnetaustralia.122.2o7[1].txt (ID = 1958)
6:18 PM: c:\documents and settings\mike\cookies\mike@c.goclick[2].txt (ID = 2733)
6:18 PM: Found Spy Cookie: goclick cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@burstnet[2].txt (ID = 2336)
6:18 PM: c:\documents and settings\mike\cookies\mike@burstnet[1].txt (ID = 2336)
6:18 PM: Found Spy Cookie: burstnet cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@bizrate[2].txt (ID = 2308)
6:18 PM: Found Spy Cookie: bizrate cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@belnk[1].txt (ID = 2292)
6:18 PM: Found Spy Cookie: belnk cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@atwola[1].txt (ID = 2255)
6:18 PM: Found Spy Cookie: atwola cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@atdmt[2].txt (ID = 2253)
6:18 PM: Found Spy Cookie: atlas dmt cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@ask[2].txt (ID = 2245)
6:18 PM: Found Spy Cookie: ask cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@as-us.falkag[1].txt (ID = 2650)
6:18 PM: Found Spy Cookie: falkag cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@aptimus[1].txt (ID = 2233)
6:18 PM: Found Spy Cookie: aptimus cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@anat.tacoda[2].txt (ID = 6445)
6:18 PM: c:\documents and settings\mike\cookies\mike@anad.tacoda[2].txt (ID = 6445)
6:18 PM: Found Spy Cookie: tacoda cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@advertising[2].txt (ID = 2175)
6:18 PM: Found Spy Cookie: advertising cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adserver[1].txt (ID = 2141)
6:18 PM: Found Spy Cookie: adserver cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adrevolver[2].txt (ID = 2088)
6:18 PM: c:\documents and settings\mike\cookies\mike@adrevolver[1].txt (ID = 2088)
6:18 PM: Found Spy Cookie: adrevolver cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adprofile[2].txt (ID = 2084)
6:18 PM: Found Spy Cookie: adprofile cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adopt.specificclick[1].txt (ID = 3400)
6:18 PM: Found Spy Cookie: specificclick.com cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adknowledge[2].txt (ID = 2072)
6:18 PM: Found Spy Cookie: adknowledge cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@adecn[1].txt (ID = 2063)
6:18 PM: Found Spy Cookie: adecn cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@ad.yieldmanager[2].txt (ID = 3751)
6:18 PM: Found Spy Cookie: yieldmanager cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@85.17.3[2].txt (ID = 1960)
6:18 PM: Found Spy Cookie: 3 cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@2o7[1].txt (ID = 1957)
6:18 PM: Found Spy Cookie: 2o7.net cookie
6:18 PM: c:\documents and settings\mike\cookies\mike@247realmedia[1].txt (ID = 1953)
6:18 PM: Found Spy Cookie: 247realmedia cookie
6:18 PM: Starting Cookie Sweep
6:18 PM: Registry Sweep Complete, Elapsed Time:00:00:06
6:18 PM: HKU\S-1-5-21-789336058-448539723-839522115-1004\software\download plugin\ (ID = 1569536)
6:18 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{1daefcb9-06c8-47c6-8f20-3fb54b244daa}\ (ID = 1738180)
6:18 PM: HKLM\software\classes\clsid\{1daefcb9-06c8-47c6-8f20-3fb54b244daa}\ (ID = 1738158)
6:18 PM: HKCR\clsid\{1daefcb9-06c8-47c6-8f20-3fb54b244daa}\ (ID = 1738142)
6:18 PM: Found Trojan Horse: trojan-vbstat-c
6:18 PM: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
6:18 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
6:18 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
6:18 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
6:18 PM: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {5a3e97dd-2a08-48bc-8f43-c0deabc90266} (ID = 1597934)
6:18 PM: HKLM\software\microsoft\windows\currentversion\uninstall\download plugin (activex)\ (ID = 1569570)
6:18 PM: Found Adware: download plugin
6:18 PM: HKLM\system\controlset001\enum\root\legacy_cmdservice\ (ID = 1556665)
6:18 PM: HKLM\software\classes\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1502055)
6:18 PM: HKLM\software\classes\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1502046)
6:18 PM: HKCR\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1497902)
6:18 PM: HKCR\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1497893)
6:18 PM: Found Adware: elitemediagroup-mediamotor
6:18 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mllmm\ (ID = 1229701)
6:18 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
6:18 PM: Found Adware: command
6:18 PM: Starting Registry Sweep
6:18 PM: Memory Sweep Complete, Elapsed Time: 00:00:47
6:18 PM: Detected running threat: C:\WINDOWS\system32\mllmm.dll (ID = 519)
6:17 PM: Starting Memory Sweep
6:17 PM: C:\WINDOWS\system32\ylhydesu.dll (ID = 1738138)
6:17 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
6:17 PM: C:\WINDOWS\system32\eppwdxln.dll (ID = 1728503)
6:17 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
6:17 PM: C:\WINDOWS\system32\mllmm.dll (ID = 1232682)
6:17 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mllmm\ || dllname (ID = 1232682)
6:17 PM: Found Adware: virtumonde
6:17 PM: Sweep initiated using definitions version 783
6:17 PM: Spy Sweeper 5.0.5.1286 started
6:17 PM: | Start of Session, Saturday, October 21, 2006 |
********
6:17 PM: | End of Session, Saturday, October 21, 2006 |
6:15 PM: The Spy Communication shield has blocked access to: WWW.DRIVECLEANER.COM
6:14 PM: The Spy Communication shield has blocked access to: WWW.DRIVECLEANER.COM
6:14 PM: Your spyware definitions have been updated.
6:14 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:10 PM: Shield States
6:10 PM: Spyware Definitions: 691
6:10 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:07 PM: Shield States
6:07 PM: Spyware Definitions: 691
6:07 PM: Spy Sweeper 5.0.5.1286 started
6:07 PM: Spy Sweeper 5.0.5.1286 started
6:07 PM: | Start of Session, Saturday, October 21, 2006 |
********

Hijack This! Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:06:32 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FBEAAB-0DCF-DFDB-1FFD-A7FCB90EB540} - C:\WINDOWS\gqqdvt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1C399D2-4965-47E3-A4D6-69BE88771C12} - C:\Program Files\Online Services\horeboku.dll (file missing)
O2 - BHO: (no name) - {CE7DA154-61C6-611D-EDC5-36B6A29D78B6} - C:\WINDOWS\system32\tewxbh.dll (file missing)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Stardock Keyboard Launchpad.lnk = C:\Program Files\Stardock\Object Desktop\KLP\Keys.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Thanks
I'm not a vegetarian because I dislike meat, I'm a vegetarian because I hate plants!

#6 MFDnSC

MFDnSC

    Ret. Director I/T



Posted 21 October 2006 - 06:59 PM

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
=========================

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {30FBEAAB-0DCF-DFDB-1FFD-A7FCB90EB540} - C:\WINDOWS\gqqdvt.dll (file missing)

O2 - BHO: (no name) - {C1C399D2-4965-47E3-A4D6-69BE88771C12} - C:\Program Files\Online Services\horeboku.dll (file missing)

O2 - BHO: (no name) - {CE7DA154-61C6-611D-EDC5-36B6A29D78B6} - C:\WINDOWS\system32\tewxbh.dll (file missing)

O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
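The triage rule MFDnSC applies in the post above (nameless O2 BHOs and O20 Winlogon Notify hooks whose DLL is reported "(file missing)" are orphaned autostarts and go on the "Fix checked" list) can be written out as a small checker. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the regexes and function names are my own.

```python
"""Triage helper for HijackThis v1.99.1 O2/O20 lines (added example, not from the thread).

Rule mirrored from the post above: a "(no name)" BHO whose DLL is "(file missing)", or any
Winlogon Notify hook whose DLL is "(file missing)", is an orphaned autostart left behind by
removed malware. Named BHOs and entries whose file still exists are left alone.
"""
import re

# Lines copied from the HijackThis log posted above (an excerpt, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FBEAAB-0DCF-DFDB-1FFD-A7FCB90EB540} - C:\WINDOWS\gqqdvt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1C399D2-4965-47E3-A4D6-69BE88771C12} - C:\Program Files\Online Services\horeboku.dll (file missing)
O2 - BHO: (no name) - {CE7DA154-61C6-611D-EDC5-36B6A29D78B6} - C:\WINDOWS\system32\tewxbh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Regexes are my own (HijackThis has no parsing API); they cover the O2/O20 line shapes above.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
MISSING = " (file missing)"


def parse_entry(line):
    """Return (section, label, path, file_missing) for an O2 or O20 line, else None."""
    m = BHO_RE.match(line)
    if m:
        section, label, path = "O2", m.group("name"), m.group("path")
    else:
        m = NOTIFY_RE.match(line)
        if not m:
            return None
        section, label, path = "O20", m.group("key"), m.group("path")
    file_missing = path.endswith(MISSING)
    if file_missing:
        path = path[: -len(MISSING)]  # keep only the DLL path
    return section, label, path, file_missing


def fix_candidates(log_text):
    """Lines the rule marks for 'Fix checked', in log order."""
    picks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_entry(line)
        if entry is None:
            continue
        section, label, _path, file_missing = entry
        # Any Winlogon Notify hook with a missing DLL; only *nameless* BHOs with a missing DLL.
        if file_missing and (section == "O20" or label == "(no name)"):
            picks.append(line)
    return picks
```

Running `fix_candidates(SAMPLE_LOG)` returns exactly the four entries MFDnSC listed for fixing; Spybot's nameless but present SDHelper.dll is correctly left alone.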

#7 Modulus

Modulus

Posted 22 October 2006 - 05:03 PM

::double post::

Edited by Modulus, 22 October 2006 - 05:33 PM.


#8 Modulus

Modulus

Posted 22 October 2006 - 05:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:53:52 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\WINDOW~1\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Really Simple Syndicate.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\ReallySimpleSyndicate.exe
O4 - Startup: SD_MailChecker_202.exe.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\SD_MailChecker_202.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 5:18:11 PM 10/22/2006

Listing files found while scanning....

C:\WINDOWS\system32\dcwagckh.dll
C:\WINDOWS\system32\fwvkjlri.dll
C:\WINDOWS\system32\kbnnlnjn.dll
C:\WINDOWS\system32\qbjvjdud.dll
C:\WINDOWS\system32\yqxstvbv.dll
C:\WINDOWS\system32\ywkrnhwp.dll
C:\WINDOWS\system32\bwjslkye.exe
C:\WINDOWS\system32\itpomnmg.exe
C:\WINDOWS\system32\jlyhxatw.exe
C:\WINDOWS\system32\tckapdpb.exe
C:\WINDOWS\system32\uoitfhdh.exe
C:\WINDOWS\system32\wlgwqcwh.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dcwagckh.dll
C:\WINDOWS\system32\dcwagckh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fwvkjlri.dll
C:\WINDOWS\system32\fwvkjlri.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kbnnlnjn.dll
C:\WINDOWS\system32\kbnnlnjn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qbjvjdud.dll
C:\WINDOWS\system32\qbjvjdud.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqxstvbv.dll
C:\WINDOWS\system32\yqxstvbv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ywkrnhwp.dll
C:\WINDOWS\system32\ywkrnhwp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bwjslkye.exe
C:\WINDOWS\system32\bwjslkye.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\itpomnmg.exe
C:\WINDOWS\system32\itpomnmg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlyhxatw.exe
C:\WINDOWS\system32\jlyhxatw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tckapdpb.exe
C:\WINDOWS\system32\tckapdpb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoitfhdh.exe
C:\WINDOWS\system32\uoitfhdh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wlgwqcwh.exe
C:\WINDOWS\system32\wlgwqcwh.exe Has been deleted!

Performing Repairs to the registry.
Done!


Everything seemed to go OK there... But in your last post, where you said, "Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box." -- you didn't list any files to be deleted? Am I missing something? I booted into safe mode anyway, ran Killbox and tried to delete the files I just fixed with HijackThis (to no avail, obviously) and deleted my temp folder.

Thanks

#9 MFDnSC

MFDnSC

    Ret. Director I/T



Posted 22 October 2006 - 05:11 PM

Sorry - there were no files to go after - I just didn't remove the canned stuff

Clean

Restore points
Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

#10 Modulus

Modulus

Posted 22 October 2006 - 06:12 PM

Thanks so much, MFDnSC!



