Full Version: Pop-up pain!
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
de_spy_ser
Hi folks,

Hope someone can point me in the right direction. Helping a friend and I don't have access to his PC at the moment. He is getting pop-ups non-stop when on the net - the usual dodgy ones, windrivecleaner stuff, dating junk etc.

The pop-ups always appear in an IE window saying "SUPANET Internet Explorer" at the top; now I believe this is an ISP? He is on AOL though.

So far I tried -

Ran adaware
Ran Spybot S&D

Got a Hijack log - found some dodgy stuff.

Some mention of Topsearch, www.gophersearch, & Supa net rubbish.

I went into the registry and deleted anything with the above in it.

Unfortunately he still gets the pop-ups, although it doesn't say Supanet at the top.

I left McAfee to do a virus scan overnight and don't yet know the results - I'd be surprised if that does the trick though.

I ran another Hijack log; can anybody see anything else, or suggest another anti-spy prog to run? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 22:13:29, on 04/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\AOL 9.0d\aoltray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AOL 9.0d\waol.exe
C:\Program Files\AOL 9.0d\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...44&ttid=104
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
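The HijackThis log above is the kind of thing the thread triages by eye: the O4 lines for C:\WINDOWS\qsyhpv.exe, C:\WINDOWS\clwjuhsj.exe and kwzr\kwzrm.exe stand out next to the NVIDIA, McAfee and HP entries. As an added example (not code from this thread, from HijackThis or from Piriform), the Python script below scores O4 (Run key) lines with a few assumed heuristics: an image sitting loose in C:\WINDOWS rather than System32 or Program Files, a file or parent folder name with no vowels, and a value name with nothing in common with the file name. The sample lines are copied from the log posted above; the heuristics, weights and the flag threshold of 2 are assumptions. Adware with a proper name and install folder (RebateNation) scores 0, so this ranks entries for a human to look at rather than delivering a verdict.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: O4 (Run key) lines copied from the HijackThis log posted in
# this thread, legitimate entries mixed with the ones a helper would want to examine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
"""

# HijackThis O4 line: hive, value name in brackets, then the command.
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>.*)\]\s+(?P<cmd>.*)$")
VOWELS = set("aeiou")


def stem(s: str) -> str:
    """Lowercase letters and digits only, so [MCAgentExe] and mcagent.exe can be compared."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def looks_random(token: str) -> bool:
    """Assumed heuristic: a name of 4+ characters with no vowels reads as generated."""
    t = stem(token)
    return len(t) >= 4 and not (set(t) & VOWELS)


def image_path(cmd: str) -> str:
    """Pull the executable (or the module handed to rundll32) out of a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.index('"', 1)
        exe, rest = cmd[1:close], cmd[close + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    exe = exe.strip()
    if ntpath.basename(exe).lower() == "rundll32.exe":
        # rundll32 is only a host; the path of interest is the DLL before the comma
        exe = rest.strip().split(",", 1)[0].strip().strip('"')
    return exe


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Score one log line; returns None for anything that is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = image_path(m.group("cmd"))
    directory, filename = ntpath.split(path)
    base = filename.rsplit(".", 1)[0]
    f = Finding(m.group("hive"), m.group("name"), path)
    # 1. a loose executable directly in the Windows folder (weight 2, assumed)
    if directory.lower().rstrip("\\") == r"c:\windows":
        f.score += 2
        f.reasons.append("image sits directly in C:\\WINDOWS")
    # 2. the file name reads as generated
    if looks_random(base):
        f.score += 1
        f.reasons.append("file name has no vowels")
    # 3. a parent folder (drive letter skipped) reads as generated
    for seg in directory.split("\\")[1:]:
        if looks_random(seg):
            f.score += 1
            f.reasons.append(f"folder '{seg}' has no vowels")
            break
    # 4. value name and file name share no stem of at least 3 characters
    a, b = stem(f.name), stem(base)
    if not (a and b and len(min(a, b, key=len)) >= 3 and (a in b or b in a)):
        f.score += 1
        f.reasons.append("value name unrelated to file name")
    return f


def triage(log_text: str, threshold: int = 2) -> list:
    """All O4 entries scoring at or above the threshold, highest score first."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.hive} [{f.name}] -> {f.path}: {'; '.join(f.reasons)}")
```

Run as-is it lists qsyhpv.exe (score 4), clwjuhsj.exe and kwzrm.exe (score 2 each); msmsgs.exe collects one point for its vowel-less name but stays below the threshold because the value name matches the file, which is why the rules are combined rather than used singly.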

rridgely
Welcome to the forum.
This computer is infected, but we can help you clean it up.

To start off run this scan:

Download Superantispyware
  1. Load Superantispyware and click the check for updates button.
  2. Once the update is finished click the scan your computer button.
  3. Check Perform Complete Scan and then next.
  4. Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press next.
  6. Click finish and you will be taken back to the main interface.
  7. Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  8. Copy and paste the log onto the forum.

After superantispyware run the below tool as well:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


In your next reply I want a superantispyware log, a smitfraudfix log, and a new hijackthis log. Make sure you do these in the order that I posted them.
de_spy_ser
Hi Rridgely,

Firstly, thanks for your help, greatly appreciated.

I encountered a problem with Superantispyware on this PC. After it has completed the scan Superantispyware closes down, and when I reopen it there is no log file.

I have uninstalled and reinstalled - no use.

Also installed and ran on another PC to make sure I was doing it correctly, no problems on the other puter.

Are there any progs installed which would cause this? Is the PC that riddled that the spyware is causing it?

Thanks again for your help.

cheers
rridgely
I wouldn't worry about it, just run smitfraud fix and post the log for that with a new hijackthis log.
de_spy_ser
QUOTE(rridgely @ Apr 10 2007, 06:03 PM)
I wouldn't worry about it, just run smitfraud fix and post the log for that with a new hijackthis log.


Should have mentioned the Bitdefender scan has been run as well!

OK, here are the 2 logs:

SmitFraudFix v2.166

Scan done at 9:19:36.67, 11/04/2007
Run from C:\Documents and Settings\G Kelly\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\windows\system32\fkxozl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\AOL 9.0d\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AOL 9.0d\waol.exe
C:\Program Files\AOL 9.0d\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\G Kelly


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\G Kelly\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GKELLY~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.188.146.145

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer=205.188.146.145
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer=205.188.146.145
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer=205.188.146.145


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 09:21:57, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\windows\system32\fkxozl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\AOL 9.0d\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AOL 9.0d\waol.exe
C:\Program Files\AOL 9.0d\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...44&ttid=104
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks once again for all the help, Rridgely!!

rridgely
Thanks for the logs. Follow the below instructions and we will get this cleaned up.

Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
  • Click the Download now link on the right to download the program.
  • Double-click the file to install it as follows:
  • Click "Next", read the agreement, Click "Next"
  • Choose "Custom" click "Next".
  • Leave the default installation directory as it is, then click "Next".
  • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, disconnect from the internet.
  • Click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Post the webroot log and a new hijackthis log

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste the Kaspersky log onto the forum.

Come back with a webroot log, a kaspersky log, and a new hijackthis log.
de_spy_ser
Here are the 3 logs as requested - Thanks again !

Spysweeper:

08:09: Removal process completed. Elapsed time 00:00:39
08:08: Quarantining All Traces: aa cookie
08:08: Quarantining All Traces: screensavers.com cookie
08:08: Quarantining All Traces: www.mature-post cookie
08:08: Quarantining All Traces: frenchcum cookie
08:08: Quarantining All Traces: passion cookie
08:08: Quarantining All Traces: starware.com cookie
08:08: Quarantining All Traces: adjuggler cookie
08:08: Quarantining All Traces: mrskin cookie
08:08: Quarantining All Traces: monstermarketplace cookie
08:08: Quarantining All Traces: myaffiliateprogram.com cookie
08:08: Quarantining All Traces: 123count cookie
08:08: Quarantining All Traces: bs.serving-sys cookie
08:08: Quarantining All Traces: tradedoubler cookie
08:08: Quarantining All Traces: adtech cookie
08:08: Quarantining All Traces: about cookie
08:08: Quarantining All Traces: goldenpalace cookie
08:08: Quarantining All Traces: overture cookie
08:08: Quarantining All Traces: sexsearch cookie
08:08: Quarantining All Traces: advertising cookie
08:08: Quarantining All Traces: a cookie
08:08: Quarantining All Traces: yieldmanager cookie
08:08: Quarantining All Traces: wegcash cookie
08:08: Quarantining All Traces: serving-sys cookie
08:08: Quarantining All Traces: xren_cj cookie
08:08: Quarantining All Traces: topfivesearch cookie
08:08: Quarantining All Traces: zango cookie
08:08: Quarantining All Traces: questionmarket cookie
08:08: Quarantining All Traces: moviemonster cookie
08:08: Quarantining All Traces: cassava cookie
08:08: Quarantining All Traces: atlas dmt cookie
08:08: Quarantining All Traces: mediaplex cookie
08:08: Quarantining All Traces: webservicehosts cookie
08:08: Quarantining All Traces: clicktracks cookie
08:08: Quarantining All Traces: metareward.com cookie
08:08: Quarantining All Traces: domain sponsor cookie
08:08: Quarantining All Traces: nuker cookie
08:08: Quarantining All Traces: esurance cookie
08:08: Quarantining All Traces: reliablestats cookie
08:08: Quarantining All Traces: tracking cookie
08:08: Quarantining All Traces: eroticy cookie
08:08: Quarantining All Traces: yadro cookie
08:08: Quarantining All Traces: customer cookie
08:08: Quarantining All Traces: ccbill cookie
08:08: Quarantining All Traces: clickzs cookie
08:08: Quarantining All Traces: herfirstlesbiansex cookie
08:08: Quarantining All Traces: kinghost cookie
08:08: Quarantining All Traces: web-stat cookie
08:08: Quarantining All Traces: bpath cookie
08:08: Quarantining All Traces: searchadnetwork cookie
08:08: Quarantining All Traces: search123 cookie
08:08: Quarantining All Traces: adshooter cookie
08:08: Quarantining All Traces: touchclarity cookie
08:08: Quarantining All Traces: epilot cookie
08:08: Quarantining All Traces: infospace cookie
08:08: Quarantining All Traces: ic-live cookie
08:08: Quarantining All Traces: 2o7.net cookie
08:08: Quarantining All Traces: associated new media cookie
08:08: Quarantining All Traces: mediapipe
08:08: Quarantining All Traces: desktoptraffic
08:08: Quarantining All Traces: topsearch
08:08: Quarantining All Traces: searchrelevancy
08:08: Quarantining All Traces: instant access
08:08: Quarantining All Traces: blazefind_adman
08:08: Quarantining All Traces: targetsaver
08:08: Quarantining All Traces: coolwebsearch (cws)
08:08: Quarantining All Traces: begin2search
08:08: Quarantining All Traces: fastvideoplayer
08:08: Quarantining All Traces: cws-aboutblank
08:08: Removal process initiated
08:07: The Internet Communication shield has blocked access to: WWW.AMAENA.COM
07:48: ApplicationMinimized - EXIT
07:48: ApplicationMinimized - EXIT
07:48: ApplicationMinimized - ENTER
07:48: ApplicationMinimized - ENTER
07:48: IE Security Shield: found: C:\PROGRAM FILES\AOL 9.0D\WAOL.EXE -- IE Security modification denied
07:36: ApplicationMinimized - EXIT
07:36: ApplicationMinimized - EXIT
07:36: ApplicationMinimized - ENTER
07:36: ApplicationMinimized - ENTER
07:36: IE Security Shield: found: C:\PROGRAM FILES\AOL 9.0D\WAOL.EXE -- IE Security modification denied
07:35: ApplicationMinimized - EXIT
07:35: ApplicationMinimized - EXIT
07:35: ApplicationMinimized - ENTER
07:35: ApplicationMinimized - ENTER
07:23: IE Security Shield: found: C:\PROGRAM FILES\AOL 9.0D\WAOL.EXE -- IE Security modification denied
18:43: IE Security Shield: found: C:\PROGRAM FILES\AOL 9.0D\WAOL.EXE -- IE Security modification denied
18:42: ApplicationMinimized - EXIT
18:42: ApplicationMinimized - EXIT
18:42: ApplicationMinimized - ENTER
18:42: ApplicationMinimized - ENTER
17:16: Traces Found: 120
17:16: Full Sweep has completed. Elapsed time 00:25:14
17:16: File Sweep Complete, Elapsed Time: 00:20:31
17:13: Warning: SweepDirectories: Cannot find directory "i:". This directory was not added to the list of paths to be scanned.
17:13: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
17:13: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
17:13: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
17:13: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
17:13: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
17:13: Error: Access violation at address 77C47FD4 in module 'msvcrt.dll'. Read of address 05C20000.
17:07: Warning: Failed to open file "c:\documents and settings\g kelly\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
17:07: Warning: Failed to open file "c:\documents and settings\g kelly\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\g kelly\ntuser.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\g kelly\ntuser.dat.log". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
17:06: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
17:01: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{1e80db8a-9232-435e-9372-64b2ebd24d79}.bin". The process cannot access the file because it is being used by another process
17:00: c:\windows\downloaded program files\fastvideoplayer.inf (ID = 60913)
16:59: C:\WINDOWS\inf\fastvideoplayer.inf (ID = 60913)
16:58: C:\WINDOWS\system32\cache32_gpstool (1 subtraces) (ID = 2147519835)
16:57: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
16:57: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
16:57: C:\WINDOWS\system32\kas pink123312.ico (ID = 51041)
16:57: C:\WINDOWS\system32\kas pink12331.ico (ID = 51041)
16:57: C:\WINDOWS\system32\eg_auth_srv_1044.dll (ID = 134777)
16:56: C:\WINDOWS\system32\moviesgreen.ico (ID = 51033)
16:56: C:\WINDOWS\system32\moviesgreen1.ico (ID = 51033)
16:56: C:\WINDOWS\system32\eaffiliate2.exe (ID = 78230)
16:56: Found Adware: targetsaver
16:56: C:\WINDOWS\p2esocks_1044.dll (ID = 134777)
16:55: Warning: Failed to open file "c:\pagefile.sys". Access is denied
16:55: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
16:55: Starting File Sweep
16:55: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
16:55: Cookie Sweep Complete, Elapsed Time: 00:00:14
16:55: c:\documents and settings\g kelly\cookies\g kelly@i.screensavers[2].txt (ID = 3298)
16:55: c:\documents and settings\g kelly\cookies\g kelly@aa[2].txt (ID = 2029)
16:55: Found Spy Cookie: aa cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.screensavers[1].txt (ID = 3298)
16:55: Found Spy Cookie: screensavers.com cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.mature-post[1].txt (ID = 3703)
16:55: Found Spy Cookie: www.mature-post cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@yieldmanager[2].txt (ID = 3749)
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.frenchcum[1].txt (ID = 2707)
16:55: Found Spy Cookie: frenchcum cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@stats1.reliablestats[1].txt (ID = 3254)
16:55: c:\documents and settings\g kelly\cookies\g kelly@tour.splash.sexsearch[2].txt (ID = 3358)
16:55: c:\documents and settings\g kelly\cookies\g kelly@passion[2].txt (ID = 3113)
16:55: Found Spy Cookie: passion cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@yadro[2].txt (ID = 3743)
16:55: c:\documents and settings\g kelly\cookies\g kelly@customer[2].txt (ID = 2481)
16:55: c:\documents and settings\g kelly\cookies\g kelly@h.starware[1].txt (ID = 3442)
16:55: c:\documents and settings\g kelly\cookies\g kelly@try.starware[1].txt (ID = 3442)
16:55: Found Spy Cookie: starware.com cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@rotator.adjuggler[1].txt (ID = 2071)
16:55: Found Spy Cookie: adjuggler cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.mrskin[1].txt (ID = 3021)
16:55: Found Spy Cookie: mrskin cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@free.wegcash[3].txt (ID = 3682)
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.monstermarketplace[2].txt (ID = 3007)
16:55: c:\documents and settings\g kelly\cookies\g kelly@monstermarketplace[1].txt (ID = 3006)
16:55: Found Spy Cookie: monstermarketplace cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@kinghost[1].txt (ID = 2903)
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.myaffiliateprogram[1].txt (ID = 3032)
16:55: Found Spy Cookie: myaffiliateprogram.com cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ford.touchclarity[3].txt (ID = 3566)
16:55: c:\documents and settings\g kelly\cookies\g kelly@infospace[1].txt (ID = 2865)
16:55: c:\documents and settings\g kelly\cookies\g kelly@promo.moviemonster[3].txt (ID = 3011)
16:55: c:\documents and settings\g kelly\cookies\g kelly@ccbill[2].txt (ID = 2369)
16:55: c:\documents and settings\g kelly\cookies\g kelly@123count[2].txt (ID = 1927)
16:55: Found Spy Cookie: 123count cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@bs.serving-sys[1].txt (ID = 2330)
16:55: Found Spy Cookie: bs.serving-sys cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@tradedoubler[2].txt (ID = 3575)
16:55: Found Spy Cookie: tradedoubler cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@digitalclarity.112.2o7[1].txt (ID = 1958)
16:55: c:\documents and settings\g kelly\cookies\g kelly@adtech[2].txt (ID = 2155)
16:55: Found Spy Cookie: adtech cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@overture[2].txt (ID = 3105)
16:55: c:\documents and settings\g kelly\cookies\g kelly@metals.about[1].txt (ID = 2038)
16:55: Found Spy Cookie: about cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@goldenpalace[1].txt (ID = 2734)
16:55: Found Spy Cookie: goldenpalace cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@aoleusearch.122.2o7[1].txt (ID = 1958)
16:55: c:\documents and settings\g kelly\cookies\g kelly@aol.touchclarity[1].txt (ID = 3566)
16:55: c:\documents and settings\g kelly\cookies\g kelly@data3.perf.overture[2].txt (ID = 3106)
16:55: c:\documents and settings\g kelly\cookies\g kelly@data2.perf.overture[1].txt (ID = 3106)
16:55: Found Spy Cookie: overture cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@btow.touchclarity[1].txt (ID = 3566)
16:55: c:\documents and settings\g kelly\cookies\g kelly@tour.splash.sexsearch[1].txt (ID = 3358)
16:55: Found Spy Cookie: sexsearch cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@advertising[1].txt (ID = 2175)
16:55: Found Spy Cookie: advertising cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@a[3].txt (ID = 2027)
16:55: Found Spy Cookie: a cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ad.yieldmanager[1].txt (ID = 3751)
16:55: Found Spy Cookie: yieldmanager cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@free.wegcash[1].txt (ID = 3682)
16:55: Found Spy Cookie: wegcash cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@xren_cj[3].txt (ID = 3723)
16:55: c:\documents and settings\g kelly\cookies\g kelly@serving-sys[1].txt (ID = 3343)
16:55: Found Spy Cookie: serving-sys cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@stats1.reliablestats[3].txt (ID = 3254)
16:55: c:\documents and settings\g kelly\cookies\g kelly@xren_cj[1].txt (ID = 3723)
16:55: Found Spy Cookie: xren_cj cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ws1.topfivesearch[1].txt (ID = 3556)
16:55: Found Spy Cookie: topfivesearch cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ford.touchclarity[1].txt (ID = 3566)
16:55: c:\documents and settings\g kelly\cookies\g kelly@theaa.touchclarity[1].txt (ID = 3566)
16:55: c:\documents and settings\g kelly\cookies\g kelly@cz8.clickzs[1].txt (ID = 2413)
16:55: c:\documents and settings\g kelly\cookies\g kelly@cz4.clickzs[2].txt (ID = 2413)
16:55: c:\documents and settings\g kelly\cookies\g kelly@lp.zango[1].txt (ID = 3761)
16:55: Found Spy Cookie: zango cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@questionmarket[1].txt (ID = 3217)
16:55: Found Spy Cookie: questionmarket cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@promo.moviemonster[2].txt (ID = 3011)
16:55: Found Spy Cookie: moviemonster cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@cassava[1].txt (ID = 2362)
16:55: Found Spy Cookie: cassava cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@atdmt[2].txt (ID = 2253)
16:55: Found Spy Cookie: atlas dmt cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.web-stat[2].txt (ID = 3649)
16:55: c:\documents and settings\g kelly\cookies\g kelly@mediaplex[1].txt (ID = 6442)
16:55: Found Spy Cookie: mediaplex cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@apps.webservicehosts[1].txt (ID = 3663)
16:55: Found Spy Cookie: webservicehosts cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@stats.clicktracks[1].txt (ID = 2407)
16:55: Found Spy Cookie: clicktracks cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@metareward[2].txt (ID = 2990)
16:55: Found Spy Cookie: metareward.com cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@searchportal.domainsponsor[1].txt (ID = 2534)
16:55: Found Spy Cookie: domain sponsor cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@nuker[1].txt (ID = 3085)
16:55: Found Spy Cookie: nuker cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.esurance[1].txt (ID = 2626)
16:55: Found Spy Cookie: esurance cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@stats1.reliablestats[2].txt (ID = 3254)
16:55: Found Spy Cookie: reliablestats cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@tracking[1].txt (ID = 3571)
16:55: Found Spy Cookie: tracking cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.eroticy[2].txt (ID = 2624)
16:55: c:\documents and settings\g kelly\cookies\g kelly@aflmanager.eroticy[1].txt (ID = 2624)
16:55: Found Spy Cookie: eroticy cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@yadro[1].txt (ID = 3743)
16:55: Found Spy Cookie: yadro cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@customer[1].txt (ID = 2481)
16:55: Found Spy Cookie: customer cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ccbill[1].txt (ID = 2369)
16:55: Found Spy Cookie: ccbill cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@msnportal.112.2o7[1].txt (ID = 1958)
16:55: c:\documents and settings\g kelly\cookies\g kelly@cz9.clickzs[1].txt (ID = 2413)
16:55: Found Spy Cookie: clickzs cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@herfirstlesbiansex[2].txt (ID = 2771)
16:55: Found Spy Cookie: herfirstlesbiansex cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@kinghost[2].txt (ID = 2903)
16:55: Found Spy Cookie: kinghost cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@server3.web-stat[1].txt (ID = 3649)
16:55: Found Spy Cookie: web-stat cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ads18.bpath[1].txt (ID = 2321)
16:55: Found Spy Cookie: bpath cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.searchadnetwork[2].txt (ID = 3312)
16:55: c:\documents and settings\g kelly\cookies\g kelly@searchadnetwork[2].txt (ID = 3311)
16:55: Found Spy Cookie: searchadnetwork cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@search123[1].txt (ID = 3305)
16:55: Found Spy Cookie: search123 cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.adshooter[1].txt (ID = 2150)
16:55: Found Spy Cookie: adshooter cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@partypoker.touchclarity[1].txt (ID = 3567)
16:55: Found Spy Cookie: touchclarity cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@www.epilot[1].txt (ID = 2622)
16:55: Found Spy Cookie: epilot cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@infospace[2].txt (ID = 2865)
16:55: Found Spy Cookie: infospace cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@ic-live[1].txt (ID = 2821)
16:55: Found Spy Cookie: ic-live cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@aoluk.122.2o7[1].txt (ID = 1958)
16:55: Found Spy Cookie: 2o7.net cookie
16:55: c:\documents and settings\g kelly\cookies\g kelly@anm.co[1].txt (ID = 2223)
16:55: Found Spy Cookie: associated new media cookie
16:55: Starting Cookie Sweep
16:55: Registry Sweep Complete, Elapsed Time:00:00:27
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\microsoft\windows\currentversion\ext\stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}\ (ID = 1922744)
16:55: Found Adware: coolwebsearch (cws)
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\microsoft\windows\currentversion\run\ || license manager (ID = 1329789)
16:55: Found Adware: mediapipe
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\_gwss\ (ID = 639269)
16:55: Found Adware: begin2search
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\eeennn\ (ID = 124993)
16:55: Found Adware: desktoptraffic
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
16:55: HKU\S-1-5-21-1444379218-3236771260-3160248370-1006\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
16:55: Found Adware: cws-aboutblank
16:55: HKLM\software\topmoxie\topsearch\ (ID = 1180367)
16:55: Found Adware: topsearch
16:55: HKLM\software\classes\clsid\{ba749bc1-143e-430d-b1da-1d2af67a3658}\ (ID = 1030417)
16:55: HKCR\clsid\{ba749bc1-143e-430d-b1da-1d2af67a3658}\ (ID = 1030412)
16:55: HKLM\software\classes\clsid\{b2b0aedf-7cdf-4792-bb67-7654ad1e1b13}\ (ID = 888971)
16:55: HKCR\clsid\{b2b0aedf-7cdf-4792-bb67-7654ad1e1b13}\ (ID = 888967)
16:55: HKLM\software\searchrelevancy\ (ID = 141300)
16:55: HKLM\software\microsoft\windows\currentversion\uninstall\search relevancy\ (ID = 141299)
16:55: Found Adware: searchrelevancy
16:55: HKLM\software\classes\clsid\{31ddc1fd-cea3-4837-a6dc-87e67015adc9}\ (ID = 128730)
16:55: HKCR\clsid\{31ddc1fd-cea3-4837-a6dc-87e67015adc9}\ (ID = 128678)
16:55: Found Adware: instant access
16:55: HKLM\software\classes\fastvideoplayer.fastvideoplayerctrl\ (ID = 126423)
16:55: HKLM\software\classes\fastvideoplayer.fastvideoplayerctrl.1\ (ID = 126422)
16:55: HKCR\fastvideoplayer.fastvideoplayerctrl\ (ID = 126416)
16:55: HKCR\fastvideoplayer.fastvideoplayerctrl.1\ (ID = 126415)
16:55: Found Trojan Horse: fastvideoplayer
16:55: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\admanctlx.dll (ID = 104583)
16:55: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/admanctlx.dll\ (ID = 104581)
16:55: Found Adware: blazefind_adman
16:55: Starting Registry Sweep
16:55: Memory Sweep Complete, Elapsed Time: 00:03:47
16:51: Starting Memory Sweep
16:51: Start Full Sweep
16:51: Sweep initiated using definitions version 894
16:49: ApplicationMinimized - EXIT
16:49: ApplicationMinimized - ENTER
16:49: ApplicationMinimized - EXIT
16:49: ApplicationMinimized - ENTER
16:49: ApplicationMinimized - EXIT
16:49: ApplicationMinimized - ENTER
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
16:47: Shield States
16:47: Spyware Definitions: 894
16:47: Spy Sweeper 5.3.2.2361 started
16:47: Spy Sweeper 5.3.2.2361 started
16:47: | Start of Session, 11 April 2007 |
***************

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 12, 2007 12:19:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/04/2007
Kaspersky Anti-Virus database records: 296174
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 73171
Number of viruses found: 9
Number of infected objects: 17 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:11:53

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Agent.dll Infected: Trojan.Win32.Agent.qg skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\storage\stdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\storage\stderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\storage\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\storage\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\main.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\sap.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\sysnews.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\STYLE.LST Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\Toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\Apps.Lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\spool.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\idb\Diction.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\organize\kwbltdu5b Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\organize\CACHE\kwbltdu01 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\organize\kwbltdu5b.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\organize\kwbltdu5b.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\ShopAssist\DataStore\users\Kwbltdu5b.adb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0d\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\G Kelly\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\Temp\temp.fr212B\license_manager.exe Infected: Trojan.Win32.Agent.qg skipped
C:\Documents and Settings\G Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\History\History.IE5\MSHist012007041220070413\index.dat Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\AN3J8RO5\WinAntiVirusPro2007FreeInstall[1].cab/UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\AN3J8RO5\WinAntiVirusPro2007FreeInstall[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\J5V8QY4L\WinAntiVirusPro2007FreeInstall[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\J5V8QY4L\Install-Errorprotector-Free[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\G Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\G Kelly\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\G Kelly\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\G Kelly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\G Kelly\ntuser.dat Object is locked skipped
C:\Program Files\RebateNation4\RebateNation.exe Infected: not-a-virus:AdTool.Win32.WebRebates.r skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP678\A0146613.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.gen skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156107.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.e skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156107.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156108.dll Infected: Trojan.Win32.P2E.ce skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156109.dll Infected: Trojan.Win32.P2E.ce skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP707\A0154326.exe Infected: Trojan.Win32.Agent.qg skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP708\A0154454.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP708\A0154454.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP709\A0154607.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.gen skipped
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP720\change.log Object is locked skipped

Scan process completed.

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:02, on 12/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\AOL 9.0d\aoltray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...44&ttid=104
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [DSLAGENTEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe




Cheers !
rridgely
Find and delete the following file:
C:\WINDOWS\system32\Agent.dll

Next look in Add/Remove Programs for something called Rebate Nation. If you see it, uninstall it. If you don't see it listed then delete the following file:
C:\Program Files\RebateNation4\RebateNation.exe

If you do get to uninstall it delete the following folder:
C:\Program Files\RebateNation4

---------

Next we will need to clear all your temp files. Please use CCleaner to do this. If you don't have CCleaner please download it here:
http://www.filehippo.com/download_ccleaner/ (pay attention during installation. You can choose not to install the yahoo toolbar)

Once the program is installed open it up and press "run cleaner".

-------

Run the below scan:

Download AVG Anti-Spyware
  1. Load AVG antispyware and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Click on the Scanner tab at the top and then click on Complete System Scan
  4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG antispyware will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Note that this is not AVG antivirus but the program formerly known as Ewido.

Come back with an AVG antispyware log, and a new hijackthis log.
de_spy_ser

Unfortunately Mr R the popups are still happening after those steps

Here's the 2 logs requested:



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:17:41 16/04/2007

+ Scan result:



C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP708\A0154454.exe -> Adware.Comet : Ignored.
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP723\A0156702.exe -> Adware.Rebates : Ignored.
C:\Program Files\SearchRelevancy -> Adware.Relevance : Ignored.
C:\Documents and Settings\G Kelly\Cookies\g kelly@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\G Kelly\Cookies\g kelly@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP723\A0156699.dll -> Trojan.Agent.qg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156108.dll -> Trojan.P2E.cb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP719\A0156109.dll -> Trojan.P2E.cb : Cleaned with backup (quarantined).


::Report end


Hijack this :-

Logfile of HijackThis v1.99.1
Scan saved at 13:20:43, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\windows\system32\fkxozl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\AOL 9.0d\aoltray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AOL 9.0d\waol.exe
C:\Program Files\AOL 9.0d\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...44&ttid=104
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [DSLAGENTEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe




Cheers !
rridgely
Find and delete this folder:
C:\Program Files\SearchRelevancy

---------

Download Killbox from Here

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)
Now it should flash green.

Next copy the contents of the code box to the clipboard by left-clicking and covering the text, then right-click inside the highlighted area and choose Copy:

CODE
C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
C:\WINDOWS\clwjuhsj.exe
C:\WINDOWS\qsyhpv.exe
C:\Program Files\RebateNation4\RebateNation.exe


After copying the above text to Clipboard click File on the killbox menu bar and choose Paste From Clipboard

Then press the Delete File button (Red Circle with a White X).
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

Once your computer is back up post a new hijackthis log.
de_spy_ser
Hi Mr R.

The Killbox link is dead I'm afraid. Downloaded the Beta version but it doesn't work properly.

I manually deleted the first file C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe

The other files are not there. That Rebatenation rubbish is defo. not there, the whole folder was deleted when we add/removed it days ago. I notice it still shows up in the hijack log though.

Is there something else we can try ?

Here's a new hijack log just in case it helps.

Logfile of HijackThis v1.99.1
Scan saved at 15:01:49, on 19/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\AOL 9.0d\aoltray.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\AOL9~1.0D\waol.exe
C:\PROGRA~1\AOL9~1.0D\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tp...44&ttid=104
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [DSLAGENTEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://es6-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

rridgely
Sorry about the Rebate Nation thing, I forgot we deleted that already.

Open hijackthis and run a system scan only. Then check off the following entries:

O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [RebateNation] "C:\Program Files\RebateNation4\RebateNation.exe"
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O8 - Extra context menu item: Rebate Nation. - file://C:\Program Files\RebateNation4\rebatesnation\rebatetnation\rebnC0.htm

Next press "fix checked" and exit hijackthis.

Reboot your computer.
-----------------

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

Run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.


Post a Blacklight log, a Panda log, and a new HijackThis log taken after everything else.
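What Mr R is doing across these posts is comparing successive logs by eye and asking which Run entries still point at a real file. As an added example (my code, not the thread's and not part of HijackThis), the script below does that mechanically: it parses two HijackThis logs, reports which processes and entries appeared or disappeared between scans, and flags O4 Run values whose target file no longer exists, O16 ActiveX downloads that carry no class name, and O17 NameServer overrides. The two log excerpts are constructed from lines quoted in this thread, and the file-existence check is injected so the script runs offline (a constructed set here; pass os.path.exists on the real machine). One caveat: anything a rootkit hides from the process list, like the hidden fkxozl.exe that BlackLight later reports, never appears in a HijackThis log, so an empty diff is not a clean bill of health.

```python
import os
import re
from collections import defaultdict

# Constructed excerpts of the 12/04 and 19/04 HijackThis logs quoted in this thread
# (a few lines each, so the script runs offline on any OS).
OLD_LOG = r"""Scan saved at 12:23:02, on 12/04/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
"""

NEW_LOG = r"""Scan saved at 15:01:49, on 19/04/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [as4Sb] C:\WINDOWS\qsyhpv.exe
O4 - HKLM\..\Run: [clwjuhsj] C:\WINDOWS\clwjuhsj.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [kwzr] C:\PROGRA~1\COMMON~1\kwzr\kwzrm.exe
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://es6-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F456EBA-4D03-4B82-A7B0-64C1B60C6182}: NameServer = 205.188.146.145
"""

# Constructed stand-in for os.path.exists; on the real machine pass os.path.exists.
KNOWN_PRESENT = {
    r"C:\WINDOWS\System32\NvCpl.dll",
    r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe",
}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')   # "C:\Program Files\...\x.exe"
BARE_PATH_RE = re.compile(r"([A-Za-z]:\\\S+?\.(?:exe|dll|scr|com))\b", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and per-section entries."""
    processes, entries, in_procs = set(), defaultdict(set), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.add(line.lower())   # paths are case-insensitive on Windows
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].add(m.group(2))
    return {"processes": processes, "entries": dict(entries)}


def diff_logs(old, new):
    """What appeared and disappeared between two scans, keyed by section."""
    added, removed = {}, {}
    for sec in sorted(set(old["entries"]) | set(new["entries"])):
        o, n = old["entries"].get(sec, set()), new["entries"].get(sec, set())
        if n - o:
            added[sec] = sorted(n - o)
        if o - n:
            removed[sec] = sorted(o - n)
    return {"added": added, "removed": removed,
            "new_processes": sorted(new["processes"] - old["processes"])}


def o4_target(entry):
    """Path the Run value actually launches (the DLL for rundll32 entries)."""
    m = QUOTED_PATH_RE.search(entry) or BARE_PATH_RE.search(entry)
    return m.group(1) if m else None


def triage(log, file_exists=os.path.exists):
    """Entries worth a second look. file_exists is injectable so this runs offline."""
    findings = []
    for e in log["entries"].get("O4", ()):
        target = o4_target(e)
        if target and not file_exists(target):
            findings.append(("O4 orphan", e))            # Run value outlived its file
    for e in log["entries"].get("O16", ()):
        if not re.search(r"\}\s+\(.+?\)\s+-", e):
            findings.append(("O16 unnamed control", e))  # ActiveX download with no class name
    for e in log["entries"].get("O17", ()):
        findings.append(("O17 nameserver", e))           # DNS override: verify it is the ISP's
    return findings


if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    print(diff_logs(old, new))
    print(triage(new, file_exists=KNOWN_PRESENT.__contains__))
```

An "O4 orphan" is exactly the situation de_spy_ser describes: the file was deleted by hand but the Run value in the registry survives, so HijackThis keeps listing it until the entry itself is fixed. The O17 check only reports the override; whether 205.188.146.145 is the ISP's resolver has to be confirmed against the connection settings, which the script cannot do for you.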
de_spy_ser
Hi Mr R,

Sorry for the delay - had a problem getting the Panda scan to work with AOL's crappy browser.
Anyway, here's the 3 logs you were after.

Blacklight:

04/20/07 09:58:41 [Info]: BlackLight Engine 1.0.61 initialized
04/20/07 09:58:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/20/07 09:58:42 [Note]: 7019 4
04/20/07 09:58:42 [Note]: 7005 0
04/20/07 09:58:43 [Note]: 7006 0
04/20/07 09:58:43 [Note]: 7011 332
04/20/07 09:58:44 [Note]: 7026 0
04/20/07 09:58:44 [Note]: 7026 0
04/20/07 09:58:44 [Note]: 7024 3
04/20/07 09:58:44 [Info]: Hidden process: C:\windows\system32\fkxozl.exe
04/20/07 09:58:51 [Note]: FSRAW library version 1.7.1021
04/20/07 10:00:00 [Info]: Hidden file: C:\windows\system32\fkxozl.exe
04/20/07 10:00:02 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\FKXOZL.DAT
04/20/07 10:00:03 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\MSPLOC~1.DLL
04/20/07 10:00:03 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\FKXOZL~2.DAT
04/20/07 10:00:04 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\FKXOZL~1.DAT
04/20/07 10:00:09 [Note]: 2000 1012
04/20/07 10:00:09 [Note]: 2000 1012
04/20/07 10:00:09 [Note]: 2000 1012
04/20/07 11:12:53 [Note]: 7007 0


Panda scan:


Incident
Status Location

Adware:Adware/InstantAccess
Not disinfected C:\WINDOWS\SYSTEM32\LINKPRD.EXE
Adware:Adware/NaviPromo
Not disinfected C:\WINDOWS\SYSTEM32\msplock32.dll
Potentially unwanted tool:Application/Processor
Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/DriveCleaner
Not disinfected C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\OXA3KDUZ\installdrivecleanerstart[1].exe
Adware:Adware/InstantAccess
Not disinfected C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\80R7QB1E\egaccess4_1071_em_XP[1].cab[IaLdr32.exe]
Potentially unwanted tool:Application/Winantivirus2006
Not disinfected C:\Documents and Settings\G Kelly\Local Settings\Temporary Internet Files\Content.IE5\C3UWOIUB\WinAntiVirusPro2007FreeInstall[1].cab[UWA7P_0001_N91M0809NetInstaller.exe]
Potentially unwanted tool:Application/Processor
Not disinfected C:\Documents and Settings\G Kelly\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z
Disinfected C:\Documents and Settings\G Kelly\Desktop\SmitfraudFix\RESTART.EXE
Spyware:Cookie/DriveCleaner
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@drivecleaner[1].txt
Spyware:Cookie/Atlas DMT
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@atdmt[1].txt
Spyware:Cookie/Overture
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@overture[1].txt
Spyware:Cookie/DriveCleaner
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@stats.drivecleaner[1].txt
Spyware:Cookie/Advertising
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@advertising[2].txt
Spyware:Cookie/Casinotropez
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@casinotropez[1].txt
Spyware:Cookie/Server.iad.Liveperson
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@server.iad.liveperson[2].txt
Spyware:Cookie/Mediaplex
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@mediaplex[1].txt
Spyware:Cookie/Tradedoubler
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@tradedoubler[1].txt
Spyware:Cookie/Doubleclick
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@doubleclick[2].txt
Spyware:Cookie/DriveCleaner
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@www.drivecleaner[2].txt
Spyware:Cookie/Reliablestats
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus
Not disinfected C:\Documents and Settings\G Kelly\Cookies\g kelly@winantivirus[2].txt
Adware:Adware/Itbill
Not disinfected C:\Program Files\FSUPPORT\NOTIFIER.EXE



HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 14:05:31, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\AOL 9.0d\aoltray.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\common files\aol\1133206603\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1133206603\ee\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [DSLAGENTEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133206603\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0d\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://es6-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145640398375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Cheers!
rridgely
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.
de_spy_ser
OK Mr R. It spat out 2 log files - here they are..........


ComboFix:


"G Kelly" - 07-04-25 11:53:03 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\G Kelly\My Documents\INTERSERVE- SSPS\INTERSERVE- SSPS Stair\Issued drawings 02-02-07\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\linkprd.exe
C:\install.log
C:\WINDOWS\system32\oxjtay_navps.dat
C:\WINDOWS\system32\oxjtay.exe
C:\WINDOWS\system32\oxjtay.dat


((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))


2007-04-23 10:17 <DIR> d-------- C:\DOCUME~1\GKELLY~1\APPLIC~1\Talkback
2007-04-21 14:19 241,066 --a------ C:\WINDOWS\system32\oxjtay_nav.dat
2007-04-20 11:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-19 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\U3
2007-04-18 14:40 <DIR> d-------- C:\!KillBox
2007-04-16 11:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 11:07 <DIR> d-------- C:\Program Files\CCleaner
2007-04-13 15:10 <DIR> d-------- C:\DOCUME~1\GKELLY~1\APPLIC~1\U3
2007-04-12 08:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-11 16:35 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-11 16:35 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-11 16:35 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-11 16:35 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-11 16:35 <DIR> d-------- C:\Program Files\Webroot
2007-04-11 16:35 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-11 16:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-11 16:33 164 --a------ C:\install.dat
2007-04-11 16:32 <DIR> d-------- C:\DOCUME~1\GKELLY~1\APPLIC~1\Webroot
2007-04-10 18:00 <DIR> d-------- C:\DOCUME~1\GKELLY~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-10 15:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-09 14:51 4,012 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-09 14:50 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-09 14:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-09 14:50 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-09 13:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-09 13:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-09
13:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-04 21:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-04 21:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot -
Search & Destroy
2007-04-04 20:29 <DIR> d-------- C:\DOCUME~1\GKELLY~1\APPLIC~1\Lavasoft
2007-04-04 20:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-04 20:28 <DIR> d-------- C:\Program Files\Common Files\Wise
Installation Wizard
2007-04-04 20:21 <DIR> d-------- C:\WINDOWS\pss
2007-04-02 11:56 <DIR> d--hs---- C:\FOUND.000
2007-03-29 19:49 65,536 --a------ C:\WINDOWS\wanmpsvc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-24 16:23 28256 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"CARPService"="carpserv.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"AOLDialer"="\"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe\""
"Omnipage"="\"C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe\""
"DSLSTATEXE"="\"C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe\" icon"
"DSLAGENTEXE"="\"C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe\""
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133206603\\ee\\AOLSoftware.exe"
"Share-to-Web Namespace Daemon"="\"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe\""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AudioDeck.lnk"
"backup"="C:\\WINDOWS\\pss\\AudioDeck.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VIATEC~1\\VIAAUD~1\\AUDIOD~1\\AUDIOD~1.EXE -min"
"item"="AudioDeck"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickTV.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickTV.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AVerTV\\QuickTV.exe "
"item"="QuickTV"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
Shell\AutoRun\command J:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ad8902e-e126-11db-b267-0011f508e793}]
Shell\AutoRun\command F:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-AMJB43IJ11-G Kelly).job
C:\WINDOWS\tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1141727592.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-25 12:03:47
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-25 12:04:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-25 12:04



ComboFix quarantined files:

06-08-10 08:11 1292 --a------ C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
07-04-11 12:08 144104 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\linkprd.exe.vir
07-04-21 14:19 378880 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oxjtay.exe.vir
07-04-25 11:56 7414 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oxjtay.dat.vir
07-04-25 11:56 849 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oxjtay_navps.dat.vir


Folder PATH listing for volume TCM24-T4
Volume serial number is 50AC-646E
C:\QOOBOX
\---Quarantine
+---Registry_backups
\---C
| INSTALL.LOG.vir
|
\---WINDOWS
\---system32
linkprd.exe.vir
oxjtay_navps.dat.vir
oxjtay.exe.vir
oxjtay.dat.vir


Unfortunately the pop-ups are still coming thick and fast.

Cheers!
rridgely
Please run Blacklight again. After the scan is complete, click Next.

Highlight these files and choose rename.

c:\windows\system32\fkxozl.exe
c:\WINDOWS\SYSTEM32\FKXOZL.DAT
c:\WINDOWS\SYSTEM32\MSPLOC~1.DLL
c:\WINDOWS\SYSTEM32\FKXOZL~2.DAT
c:\WINDOWS\SYSTEM32\FKXOZL~1.DAT

Then reboot when prompted. After the reboot, in your c:\WINDOWS\system32 folder you should see those files with a .ren extension:

c:\windows\system32\fkxozl.exe.ren
c:\WINDOWS\SYSTEM32\FKXOZL.DAT.ren
c:\WINDOWS\SYSTEM32\MSPLOC~1.DLL.ren
c:\WINDOWS\SYSTEM32\FKXOZL~2.DAT.ren
c:\WINDOWS\SYSTEM32\FKXOZL~1.DAT.ren

Please delete those files, then post a new HijackThis log and a new BlackLight log.
de_spy_ser
Hi Mr R,

Slight problem: BlackLight doesn't find anything.

Of the files you mention below only 1 is visible: c:\WINDOWS\SYSTEM32\MSPLOC~1.DLL

Should I try and rename / delete that one manually?

Here's the BlackLight log if it's any good:


04/26/07 10:52:37 [Info]: BlackLight Engine 1.0.61 initialized
04/26/07 10:52:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/26/07 10:52:37 [Note]: 7019 4
04/26/07 10:52:37 [Note]: 7005 0
04/26/07 10:53:01 [Note]: 7006 0
04/26/07 10:53:01 [Note]: 7011 1448
04/26/07 10:53:02 [Note]: 7026 0
04/26/07 10:53:02 [Note]: 7026 0
04/26/07 10:53:07 [Note]: FSRAW library version 1.7.1021
04/26/07 10:53:43 [Note]: 2000 1012
04/26/07 10:53:43 [Note]: 2000 1012
04/26/07 10:53:43 [Note]: 2000 1012
04/26/07 10:54:58 [Note]: 7007 0


cheers


rridgely
Sorry about that. I missed the quarantine part of the ComboFix log.
Just delete that file if you can.

Let me know how it goes.
de_spy_ser
Hi Mr Ridgely,

Pop-ups seem to have stopped after deleting that file.

You are a Gentleman and a Scholar, thanks for all your patience and help.
Invision Power Board © 2001-2010 Invision Power Services, Inc.