Spysweeper Has Blocked Access To Connection 8ad.com


259 replies to this topic

#1 Bill B


Posted 12 December 2006 - 12:24 PM

Hello. I'm a first timer to your forum, and would appreciate your assistance.

I've been receiving a consistent message shortly after startup - "SpySweeper The Internet Communication Shield has blocked access to (connection) 8AD.com." From the web, I understand that this is a spyware-related address. Because this happens immediately after start-up (or as part of its process), I'm assuming I have a trojan that is activated by the start-up routine.

My O/S is XP, and I have a router. I regularly update definitions and run AdAware, SpyBot, SpySweeper, Avast and, less frequently, TrojanHunter. As part of this event, I downloaded and ran online (can't recall if Housecall), Panda, Bit Defender, Ewido, some other online scans, Stinger and CounterSpy (the latter picked up WebSnitch System Snooper and StartNow Hyperbar Tool).

Any thoughts as to what's causing this and how to remove would be appreciated. Below is a current HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:59 AM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-52.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143401756593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Many thanks.

Bill



#2 -David-


Posted 12 December 2006 - 02:30 PM

Hey there Bill, welcome to BleepingComputer.

Go to the folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

#3 Bill B


Posted 12 December 2006 - 02:42 PM

Thank you, David. Here's the new HJT log from renamed ReadMe.exe.

Logfile of HijackThis v1.99.1
Scan saved at 2:35:56 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-52.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\HJT\ShowMe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143401756593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Bill
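The HijackThis logs posted above, and the rename-then-rescan step David asked for, can be checked mechanically. The following is an added example, not code from HijackThis, ComboFix or anyone in the thread: a small Python parser for the v1.99.1 log format that pulls out the running-process list and the coded entries, then flags O23 services whose binary is missing, Global Startup shortcuts with an unresolved target, registry Run entries outside the usual program directories, and whether the scan was run from a renamed scanner binary. The sample log is constructed from lines in the same format as the ones posted; the "trusted" path prefixes are an assumption for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99.1 log format posted in the thread (abridged).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:35:56 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\HJT\ShowMe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

@dataclass
class HjtLog:
    processes: list  # lines listed under "Running processes:"
    entries: list    # (code, body) tuples such as ("O4", "HKLM\\..\\Run: [x] ...")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Registry Run entry as HijackThis prints it: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed for this example: locations an autorun on this kind of XP box is expected to live under.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its process list and its coded entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs:
            processes.append(line)
    return HjtLog(processes, entries)

def registry_autoruns(log: HjtLog):
    """(hive, name, command) for every O4 entry that is a registry Run value."""
    out = []
    for code, body in log.entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            out.append((m["hive"], m["name"], m["cmd"]))
    return out

def exe_path(cmd: str) -> str:
    """Strip arguments from an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" /", 1)[0].split(" -", 1)[0]

def autoruns_outside_program_dirs(log: HjtLog):
    """Registry Run entries whose binary is not under Windows or Program Files."""
    return [(hive, name, exe_path(cmd))
            for hive, name, cmd in registry_autoruns(log)
            if not exe_path(cmd).lower().startswith(TRUSTED_PREFIXES)]

def missing_service_files(log: HjtLog):
    """Names of O23 services whose executable HijackThis could not find on disk."""
    return [body[len("Service: "):].split(" - ", 1)[0]
            for code, body in log.entries
            if code == "O23" and "(file missing)" in body]

def unresolved_startup_links(log: HjtLog):
    """Global Startup shortcuts whose target HijackThis printed as '?'."""
    prefix = "Global Startup: "
    return [body[len(prefix):].split(" = ", 1)[0]
            for code, body in log.entries
            if code == "O4" and body.startswith(prefix) and body.endswith("= ?")]

def scanner_was_renamed(log: HjtLog) -> bool:
    """HijackThis lists itself as the last running process; a scan run from a
    renamed copy (the 'showme.exe' step in this thread) shows another name there."""
    if not log.processes:
        return False
    return log.processes[-1].rsplit("\\", 1)[-1].lower() != "hijackthis.exe"

if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print(missing_service_files(log), unresolved_startup_links(log), scanner_was_renamed(log))
```

Run against the sample it reports the avast! Mail Scanner service as pointing at a missing file and the Kaspersky Anti-Hacker shortcut as unresolved, and confirms the log came from a renamed scanner; a "(file missing)" service or an unresolved shortcut is a lead to verify, not proof of infection, as the legitimate avast! entries here show.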

#4 -David-


Posted 12 December 2006 - 03:01 PM

Ok, nothing is hiding there, so that is a good starting sign.
In the meantime, whilst I research the log, I'd like two more scans from you.

1) Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan, then click next.
You'll see a list of all items found.
Do not choose for rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

2) Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#5 Bill B


Posted 12 December 2006 - 03:40 PM

Continuing thanks, David. As requested, in order are text files for Blacklight, Combofix and HJT, from renamed ReadMe.exe.

12/12/06 15:19:58 [Info]: BlackLight Engine 1.0.47 initialized
12/12/06 15:19:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/12/06 15:19:59 [Note]: 7019 4
12/12/06 15:19:59 [Note]: 7005 0
12/12/06 15:20:04 [Note]: 7006 0
12/12/06 15:20:04 [Note]: 7011 2336
12/12/06 15:20:04 [Note]: 7026 0
12/12/06 15:20:04 [Note]: 7026 0
12/12/06 15:20:17 [Note]: FSRAW library version 1.7.1020
12/12/06 15:25:07 [Note]: 7007 0

Bill - 06-12-12 15:26:37.79 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Bill\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-12 to 2006-12-12 ))))))))))))))))))))))))))))))))))


2006-12-12 13:14 <DIR> dr-h----- C:\Documents and Settings\Bill\Recent
2006-12-11 20:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-11 14:39 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-12-11 14:39 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-11 14:39 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-12-11 14:39 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-12-11 14:39 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-12-11 14:39 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-11 14:39 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-12-11 13:38 <DIR> d-------- C:\HJT
2006-12-11 13:08 <DIR> d-------- C:\Program Files\InterMute
2006-12-10 12:03 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2006-12-10 12:03 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-12-10 12:03 15,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-12-10 12:03 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-12-10 12:03 14,848 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-12-10 12:03 122,368 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-12-10 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2006-12-04 22:11 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-11-30 00:20 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-28 22:32 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2006-11-28 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2006-11-28 22:24 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-28 21:03 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-28 21:03 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-28 21:01 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-28 20:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-28 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-28 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2006-11-27 13:47 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-19 23:24 <DIR> d-------- C:\Program Files\Alwil Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-11 22:32 -------- d-------- C:\Documents and Settings\Bill\Application Data\AvaFind Data
2006-12-11 19:55 -------- d-------- C:\Program Files\WinZip
2006-12-11 19:55 -------- d-------- C:\Program Files\WinRAR
2006-12-11 19:54 -------- d-------- C:\Program Files\TrojanHunter 4.2
2006-12-11 19:53 -------- d-------- C:\Program Files\MSN Messenger
2006-12-11 19:45 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 19:45 -------- d-------- C:\Program Files\Google
2006-12-11 19:45 -------- d-------- C:\Program Files\Common Files\Webroot Shared
2006-12-11 19:43 -------- d-------- C:\Program Files\Common Files\Command Software
2006-12-11 19:43 -------- d-------- C:\Program Files\AvaFind
2006-12-10 12:03 -------- d-------- C:\Program Files\Webroot
2006-12-10 12:02 -------- d-------- C:\Documents and Settings\Bill\Application Data\Webroot
2006-12-09 12:36 -------- d-------- C:\Program Files\SpywareBlaster
2006-12-07 15:40 -------- d-------- C:\Program Files\AcqURL
2006-12-04 22:12 -------- d-------- C:\Documents and Settings\Bill\Application Data\Mozilla
2006-12-04 00:17 -------- d-------- C:\Documents and Settings\Bill\Application Data\AdobeUM
2006-12-02 13:57 -------- d-------- C:\Program Files\Java
2006-11-28 22:32 -------- d---s---- C:\Documents and Settings\Bill\Application Data\Microsoft
2006-11-27 13:47 -------- d-------- C:\Documents and Settings\Bill\Application Data\Lavasoft
2006-11-19 23:19 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-19 23:19 -------- d-------- C:\Program Files\Common Files
2006-11-19 23:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-29 18:19 -------- d-------- C:\Program Files\Common Files\PestPatrol
2006-10-29 18:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-29 18:14 -------- d-------- C:\Program Files\Bell
2006-10-29 17:57 -------- d-------- C:\Documents and Settings\Bill\Application Data\Bell
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AvaFind"="\"C:\\Program Files\\AvaFind\\AvaFind.exe\" /minimized"
"Window Washer"="\"C:\\Program Files\\Webroot\\Washer\\wwDisp.exe\""
"System Mechanic Startup Guard"="\"C:\\Program Files\\iolo\\System Mechanic 5 Professional\\StartupGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"SiS Tray"="C:\\WINDOWS\\system32\\sistray.EXE"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"SSA.exe"="\"C:\\Program Files\\Bell\\Sympatico Security Advisor\\SSA.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061211-141404-569
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
backup-20061211-141404-818
O11 - Options group: [INTERNATIONAL] International*
backup-20061211-141404-675
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
backup-20061211-141404-791
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
backup-20061211-141404-665
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20061211-141404-269
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20061211-141404-427
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20061211-141404-635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20061211-135908-757
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
backup-20061211-135908-894
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
backup-20061211-135908-183
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
backup-20061211-135908-593
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
backup-20061211-135908-762
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
backup-20061211-135908-695
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
backup-20061211-135908-566
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20061211-135908-777
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20061211-135907-192
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20061211-135907-799
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061211-135907-844
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061211-135907-272
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
backup-20061211-135907-353
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
backup-20061211-135907-188
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
backup-20061211-135907-831
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20061211-135907-975
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
backup-20061211-135907-547
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20061211-135907-179
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
backup-20061211-135907-531
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
backup-20061211-135907-607
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
backup-20061211-135907-915
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
backup-20061211-135906-550
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
backup-20061211-135906-717
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
backup-20061211-135906-164
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
backup-20061211-135906-143
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20061211-135906-884
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
backup-20061211-135906-132
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20061211-135906-556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20061211-135906-776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20061211-135906-922
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-12 15:27:40.34
C:\ComboFix.txt ... 06-12-12 15:27

Logfile of HijackThis v1.99.1
Scan saved at 3:28:54 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-52.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\ShowMe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143401756593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Bill
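As an added example (not HijackThis code, nor anything posted in the thread), a small Python parser for the O4 and O23 lines of a HijackThis 1.99.1 log like the one above: it separates each executable path from its arguments, including the lone-quote form `ashMaiSv.exe" /service (file missing)` that the two avast service lines show, and attaches review flags (file missing, unresolved .lnk target, 8.3 short path, executable outside Windows or Program Files, owner unknown to HJT). The sample lines are copied from the posted log; the flag heuristics are assumptions of the example, not HJT's.

```python
"""Parse HijackThis 1.99.1 O4 (startup) and O23 (service) lines into a table of
executable path, arguments and review flags. Added example, not HijackThis code;
sample lines are copied from the log above, the flag heuristics are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4/O23 lines in the posted HJT log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<cmd>.+)$")
# Unquoted paths may contain spaces, so split at the first executable extension
# that is followed by whitespace or the end of the line (a heuristic).
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|dll|scr|pif|bat|cmd|vbs))(?:\s+(?P<args>.*))?$", re.I)
# Roots from which the entries in this log are expected to run (compared lower-case).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
MISSING = "(file missing)"

@dataclass
class Entry:
    section: str   # "O4" (startup) or "O23" (service)
    location: str  # Run hive / startup folder for O4, owner string for O23
    name: str
    exe: str
    args: str
    missing: bool
    flags: list = field(default_factory=list)

def split_command(cmd: str) -> tuple:
    """Split an HJT command string into (exe, args, file_missing)."""
    missing = cmd.endswith(MISSING)
    if missing:
        cmd = cmd[: -len(MISSING)].rstrip()
    if cmd.startswith('"'):                     # "C:\dir with spaces\x.exe" /args
        head, _, tail = cmd[1:].partition('"')
        return head, tail.strip(), missing
    if '"' in cmd:
        # The two avast O23 lines above carry a lone quote between the path
        # and its arguments (C:\...\ashMaiSv.exe" /service); treat that quote
        # as the path boundary instead of letting it leak into the file name.
        exe, _, args = cmd.partition('"')
        return exe, args.strip(), missing
    m = EXE_RE.match(cmd)
    if m:
        return m["exe"], (m["args"] or "").strip(), missing
    return cmd, "", missing                     # e.g. "?" for an unresolved .lnk

def review_flags(e: Entry) -> list:
    """Cheap triage hints a reviewer would want next to each entry."""
    flags = []
    if e.missing:
        flags.append("file missing")
    if e.exe == "?":
        flags.append("unresolved shortcut target")
    else:
        if "~" in e.exe:
            flags.append("8.3 short path")
        if not e.exe.lower().startswith(TRUSTED_ROOTS):
            flags.append("outside Windows/Program Files")
    if e.section == "O23" and e.location == "Unknown owner":
        flags.append("owner unknown to HJT")
    return flags

def parse_log(text: str) -> list:
    """Turn O4/O23 lines into Entry objects; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line) or STARTUP_RE.match(line):
            exe, args, missing = split_command(m["cmd"])
            e = Entry("O4", m["hive"], m["name"], exe, args, missing)
        elif m := SERVICE_RE.match(line):
            exe, args, missing = split_command(m["cmd"])
            name = m["display"] + (f" ({m['short']})" if m["short"] else "")
            e = Entry("O23", m["owner"], name, exe, args, missing)
        else:
            continue
        e.flags = review_flags(e)
        entries.append(e)
    return entries

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.section, e.name, e.exe, e.args, e.flags or "ok")
```

Run as a script to print one flagged row per entry; feed it a full saved log to review every startup and service entry in one pass.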

#6 -David-

Posted 12 December 2006 - 04:17 PM

At the moment I don't see anything wrong here at all Bill.
Before we consider what might be causing your computer to access 8ad.com, I want to run one last scanner.

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#7 Bill B

Posted 12 December 2006 - 04:21 PM

I ran Kaspersky's online scan last eve, David, but am rerunning, which may take an hour or so to adv. Bill

#8 -David-

Posted 12 December 2006 - 04:24 PM

Ok, no rush at all..

#9 Bill B

Posted 12 December 2006 - 04:55 PM

This will take hours - 4% in 27 min so far...

#10 -David-

Posted 12 December 2006 - 04:59 PM

Ok, when you said you visited the scan yesterday did you fully run it?
Did you notice whether any infections were found?
Quit the scan now, I think I know enough.

#11 Bill B

Posted 12 December 2006 - 06:54 PM

I only saw your message now - Kaspersky completed faster after I shut down overhead. Now that I see the report, I suspect that I may not have seen the locations of the list of infections and thought it ran clean (see below). I did run it completely yesterday.

I'm wondering if there is some type of logging app that would show the command that results in a connection through a port to the web, resulting from an attempt from http://www.8AD.com that is blocked by SpySweeper? That's the best I can divine.

Here's Kaspersky - I haven't done anything subsequent i.e. page left open.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 12, 2006 6:47:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/12/2006
Kaspersky Anti-Virus database records: 236282
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 46155
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:22:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Bill\Application Data\AvaFind Data\3b5d0b3d64b8b11d98db3806d6172696f.db Object is locked skipped
C:\Documents and Settings\Bill\Application Data\AvaFind Data\3b5d0b3d74b8b11d98db3806d6172696f.db Object is locked skipped
C:\Documents and Settings\Bill\Application Data\AvaFind Data\aui40.db Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Bell\Sympatico Security Advisor\client_gateway.log Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\history.dat Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\key3.db Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bill\Application Data\Webroot\Spy Sweeper\Logs\061211131539.ses Object is locked skipped
C:\Documents and Settings\Bill\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\ua1ugmzv.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\History\History.IE5\MSHist012006121220061213\index.dat Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bill\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bill\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS005BF2FC-64B5-47E0-89AB-01626538A5DB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS03A14BE3-2007-407B-A314-F11E0908A56C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS05CA6259-638D-4CFC-8C8A-5DBB417F426B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07BDACDE-3CB8-4B0D-8697-84869F62DA74.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS08E4542B-BBF0-44C5-9DBA-145644E1F625.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0928B94F-3F71-4A05-B46F-68E10DB24E3C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0EA39528-6958-47A2-897F-DA9A45E9309D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS11B2539E-B6E2-4099-978D-6D6F2C1AD059.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1599A013-3569-4C47-B9EC-F49123D0613F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS18807116-C067-4CBC-B31A-8608B7BF278D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1F105DD3-B2E6-4B82-A2A1-22C97D7FC6CB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1F6FCB45-CC34-4FED-95AD-9D52E8794B39.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1F99263E-38C2-4AEC-B7FF-615CFEF1E1A5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2028804F-7F4F-4E6A-A770-9A0D65BF4843.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS26C31104-F420-4269-8F57-87336435F6EF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS27F68956-DD3D-4580-BAAD-F46E9F2D7379.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2836487A-7CEE-4FDD-A3AD-BA261DE1FFAF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2A7EFBE0-E0EF-47C3-8FBF-C4521ECA2DDF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2BCED45D-15EC-41E4-B547-25ADE9C55465.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2F0AF564-DBD0-49D1-8290-BEE064E9060E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2FF0F12D-AEEA-4A5A-AC17-01BF0B582EFB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS30C52BF2-3382-4013-BC0B-C1B1F0FC97C6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31A3F13C-405B-4C89-89F4-243A49289B63.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS34F25E49-DFA4-4C49-868B-BE71B8447BC0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3503C67D-B490-4A67-ABA5-C63C62EC9B89.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3513E7F2-EB1C-4402-BB27-3CB5E1CFDD47.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS36F59628-BE42-43B9-A13E-C299669652CC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS374A48F5-4EA4-4637-BAAF-7CB163EFDA5B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS38B8F754-6179-4AA3-8B88-EB0CB627FC89.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3ACEBA5F-3377-4CC8-AC12-FDCCD5A84D83.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3B5B875E-30AF-481C-B98A-7DC20B71472B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS45FF7A11-D68A-460D-9A83-E60333D22141.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS49D65C77-89E8-48D1-B121-B78AF0BB085D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4A86B603-5339-46FC-B719-B46FBF4E8B6C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4BEED36B-554D-4F35-9A00-AF613C793123.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C6F7301-FFCC-4794-9CEE-CA4958F6EF9A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4E2CB47A-6327-4ECF-8182-3C2697EAE578.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS529345A2-8AC7-4939-A41C-0CA75CB68B68.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5BAFF4CB-AF46-4896-B634-70AB6E1F8F08.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5CDCDFE4-36E7-4487-AB27-7FC99CC89DC0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5DEFC286-0290-4C77-8BDE-5F8C77024916.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5EF45ECF-3DD0-4624-B9C2-FD6CCE79F9A8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS611073AE-937E-4139-8FF0-037EAAF4109F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS61D4AA20-E66B-4E4E-9E42-9FA092AF807B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS637DF0AB-93C7-49DB-81E1-B82F4FD75B68.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS66ECD82C-D80C-45AA-8882-2B70ECE642FF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6E06A956-99FE-4CD8-BC1C-DF5222A474D3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS73A0F7E5-410C-4FEC-AE45-774222FFC730.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS77E2814D-4746-4E00-BDA8-462399016043.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7979A77A-811D-484F-BDC0-1CFFA89C46D1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7ACAC599-5D32-405D-B7E9-B242547D0FB9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS816407BA-84AE-4AD6-A487-B41AF9E09DC5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS84C0E378-78CB-4B12-A5CC-1EA472B3ECE7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8A85D254-7B32-4942-B278-96A1889926CD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8CE1285E-62CE-4E31-8373-07C695172685.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS962C154D-FC7E-4ED6-A2E6-53C496640136.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9A580F40-C844-497D-BA5D-A198FFDAF274.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9CD3E04B-878D-4467-9B63-2F82425F9509.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9E32E0CE-0431-4113-AFDA-F4A0F0856BD7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9EA5187D-8E2C-433F-896E-C936AA11C2C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA68DF6F4-FB6D-4FB6-9432-72DC0D954BBC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA95EECE8-B12A-447F-97D9-66FDF9160962.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSACB3E890-8C32-4F41-9762-4AA2B7CA29FE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAEC66FEE-D5E5-49F8-B959-6A1435CEF7FC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB1585B42-01EA-406B-996F-4B127CE8E904.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB52C99C4-5730-4EF9-974E-75B7C5E394C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB7B7BB2C-30DB-49D5-BF09-15CC5857CA8A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB874CFC9-067F-4F5E-A815-29FE0E55608E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE3E218D-14BE-4CC7-ABF5-B8D9D999C341.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBFEC8B4B-2380-4F67-9816-A666BEF950F3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC0554FCA-80F7-4C78-932D-5A59391D2D06.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC25E1F3F-4950-4092-83A5-82BACFCDECB8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC26EB26B-AE36-4C43-AE58-1A17BEE50AF8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC6D21BD9-E653-47B2-A877-662EC59B99AB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC89B1D24-85A9-4DEE-B666-BD1C3B2A9A59.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC9002FF1-447D-4D02-A3BF-A2852F308CC8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC97A2E11-4736-4814-B23F-41B0B384CDDD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCBC96212-6E2D-421A-9202-0B39C9F2160F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCBE45E7F-E03F-4E1D-BE12-08ADAA5F1CF8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD80DA10A-BAA7-48E8-82D2-F9210293347F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDCAC69B5-D4C3-4ED0-849B-6246BD763A4A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDF31F8B4-5393-4307-9085-FBB54BDED838.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDF7C0AE0-DEA9-4498-B5AC-E90AA29B9B22.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDFD709C8-7EF2-4B97-B72B-D01A582936E0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE1319DDD-A550-4491-BB3A-13003BBF1F9A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE66C0196-F6C8-4F6A-847E-21FE93E92672.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE6FEC026-8D4E-4B09-9DCF-C43C096926A7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEDDFB80D-E95B-44E1-B47A-84486939FBBC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF1A1C072-CA71-4093-97AC-DF1033990D2C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF349EE65-951A-4E93-AB25-119F6147B191.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF801437D-3E7E-4B7F-B16D-746EC6A58DF3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{38FD7517-1E33-42D9-B2B9-3503B5BA0488}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_608.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Temp\Junk-Delete\~DF1988.tmp Object is locked skipped
D:\Temp\Junk-Delete\~DFAE2A.tmp Object is locked skipped

Scan process completed.


Bill

#12 Bill B

Posted 12 December 2006 - 06:59 PM

Sorry, David, I just noticed that it was headed by, "No Malware has been detected. The sections that have been scanned are CLEAN." It was then followed by the items contained in the report that is in my message just sent. Bill

#13 Bill B

Posted 12 December 2006 - 08:18 PM

David, I had forgotten something that may assist your focus. Early on, I thought I might have MsUpdate, also referenced as SearchV, as MsUpdate and 2 dlls were in the registry, which I removed; however, I wasn't able to locate the (2) dlls outside the registry (and hidden and system files were revealed) by using Windows search. I can't remember the dll names.

I don't think this is the same link, but similar:
http://www.spywaredb.com/remove-searchv/

Bill

#14 -David-

Posted 14 December 2006 - 12:37 PM

Ok, I don't think this is a malware problem, everything comes up clean.
If anything was hidden from us the Blacklight scan would have picked it up.
One concern I have is "AvaFind"; how much do you know about this program?
I want to try and disable the program, then see if you still get the alert.
So, firstly click on start, then run and type msconfig. Then hit enter.
Click on the startup tab and a list of programs will appear.
Untick the entry for Avafind and Ok your way out.
Now reboot and let me know if you get the alert.
If not you can re-enable it by reversing the above.

Also, do you know exactly when this alert started? I can look in the combofix log at the timings.
We might be able to place the cause of the problem with the timings.
I know I said the above was the last log, but I want one more.
This can detect files hiding that Hijackthis cannot.
Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

David

#15 Bill B

Posted 14 December 2006 - 01:21 PM

That's comforting, David. No, Ava is a slick utility, much like Windows Explorer, but far more useful in identifying the existence and location of files, objects... I did take it out of the start up, though, and still get the same 8AD.com denial by SS. All I can tell you is that it comes right at the very end of start i.e. apparently after all the apps are loaded in sequence. Below as requested from Silent Runners. Thks. Bill

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Window Washer" = ""C:\Program Files\Webroot\Washer\wwDisp.exe"" ["Webroot Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"SiS Tray" = "C:\WINDOWS\system32\sistray.EXE" ["Silicon Integrated Systems Corporation"]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"SSA.exe" = ""C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"" ["Bell"]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray" ["Webroot Software, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}" = "Google Deskbar"
-> {HKLM...CLSID} = "&Google Deskbar"
\InProcServer32\(Default) = "C:\PROGRA~1\Google\GGTASK~1.DLL" ["Google"]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shell Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shell Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {HKLM...CLSID} = "IMMenuShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll" ["IncrediMail, Ltd."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shell Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {HKLM...CLSID} = "QuickFinder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shell Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Bill" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Kaspersky Anti-Hacker" -> shortcut to: "C:\WINDOWS\Installer\{75D46594-4DE1-4A90-AE74-38637D301EF2}\StartUpShortcut.exe /silence" ["InstallShield Software Corp."]


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Diskeeper, Diskeeper, ""C:\Program Files\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."]
DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Command Software Systems, Inc."]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"" ["Symantec Corporation"]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
Microsoft Office Live Meeting Document Writer Monitor\Driver = "lmdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 52 seconds.
---------- (total run time: 122 seconds)


Bill
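As an added example (not part of the post and not code from Silent Runners itself), here is a small Python parser for this report format that pulls out the lines a reviewer looks at first: entries marked "<<!>>", entries whose target is "[file not found]", and a BootExecute value holding more than the usual "autocheck autochk *". The sample input is a constructed excerpt of the log above, and the default BootExecute value is assumed from a stock Windows XP install.

```python
import re

# Constructed excerpt in the Silent Runners report format (a few of the entries posted above, re-typed as sample input).
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]
Enabled Scheduled Tasks:
------------------------
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]
"""
# One report line: optional <<!>> flag, quoted name, separator, value, then a [note] such as [MS] or [file not found].
ENTRY_RE = re.compile(r'^(?P<flag><<!>>\s+)?"(?P<name>[^"]+)"\s*'
                      r'(?:=|->\s*launches:|->\s*shortcut to:)\s*'
                      r'(?P<value>.*?)\s*\[(?P<note>[^\]]*)\]\s*$')
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}  # assumed: what a clean XP install holds (autochk only)

def parse_entries(text):
    """Return each value line as a dict tagged with the nearest registry path or section title above it."""
    entries, context = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:       # blank line or underline rule
            continue
        m = ENTRY_RE.match(line)
        if m is None:                             # header line, not an entry
            header = re.sub(r"\s*\{\+\+\}$", "", line)
            if header.endswith(("\\", ":")):      # registry path or section title
                context = header
            continue
        entries.append({"context": context, "name": m.group("name"),
                        "values": [p.strip('"') for p in m.group("value").split('"|"')],  # REG_MULTI_SZ rendered as "a"|"b"
                        "flagged": m.group("flag") is not None,
                        "missing": m.group("note") == "file not found"})
    return entries

def triage(text):
    """List (context, name, reasons) for the entries a reviewer should check first."""
    hits = []
    for e in parse_entries(text):
        extra = [v for v in e["values"] if v not in DEFAULT_BOOTEXECUTE]
        checks = [(e["flagged"], "marked <<!>> by Silent Runners"),
                  (e["missing"], "referenced file not found on disk"),
                  (e["name"] == "BootExecute" and extra,
                   "non-default BootExecute entries: " + ", ".join(extra))]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            hits.append((e["context"], e["name"], reasons))
    return hits
```

Run against the sample, triage() reports only the BootExecute line and the orphaned Symantec NetDetect task; the signed SiS Run entry is left alone.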
