Can't get rid of viruses


  • This topic is locked
76 replies to this topic

#41 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 11 January 2006 - 10:06 PM

You have several unidentified files

Can you go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\browser.exe <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for files please

C:\WINDOWS\n_arfalz.txt
C:\WINDOWS\n_bswlzp.dat
C:\WINDOWS\n_clearc.log

Did you try the repair installation?

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#42 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 11 January 2006 - 11:27 PM

Here are the results from the scan. Not sure if the 4th file is infected or not. I did not try the repair installation yet. It seems like it will take a while and I do not want to start it until I'm sure I will have the time to sit here and finish it.
File: browser.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 c675c46b9f4ba87de9da6551368945d6
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_arfalz.txt
Status: OK
MD5 83843f2135064dcccc664a5175a5e390
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_bswlzp.dat
Status: OK
MD5 072ccc7c4a28924d1581792957bc34ef
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_clearc.log
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 25f7e1994c6defe706bfe82186e8b533
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.Agent.bi.3
ArcaVir Found nothing
Avast Found Win32:Trojano-1654
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
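
The multi-engine results above are easier to act on once they are parsed rather than read by eye. The following is an added example, not code from the thread or from the scan service: it parses a report in the layout quoted above and turns each file into a triage verdict, treating a hit that comes only from engines the service's own status note calls false-positive-prone as weak evidence, and a runtime packer with no detections as something to review rather than ignore. The sample report is reconstructed from the post with the engine list shortened, and the WEAK_ENGINES set is an assumption made for this example, derived from nothing more than that status note.

```python
"""Parse a multi-engine scan report and rank each file for follow-up.
Added example for this thread; not the scan service's code."""
import re
from dataclasses import dataclass, field

# Assumption for this example: engines whose lone hits count as weak evidence.
# Derived only from the status note in the post above ("classified as malware
# by scanners known to generate more false positives"), not a general
# judgement about these products.
WEAK_ENGINES = {"AntiVir", "Avast"}

# Constructed sample in the report layout quoted above (engine list shortened).
SAMPLE_REPORT = """\
File: browser.exe
Status: MIGHT BE INFECTED/MALWARE (runtime packers were found)
MD5 c675c46b9f4ba87de9da6551368945d6
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
Avast Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
File: n_arfalz.txt
Status: OK
MD5 83843f2135064dcccc664a5175a5e390
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
File: n_clearc.log
Status: POSSIBLY INFECTED/MALWARE (only flagged by false-positive-prone scanners)
MD5 25f7e1994c6defe706bfe82186e8b533
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.Agent.bi.3
Avast Found Win32:Trojano-1654
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
"""


@dataclass
class FileReport:
    name: str
    status: str = ""
    md5: str = ""
    packers: list = field(default_factory=list)
    detections: dict = field(default_factory=dict)  # engine -> signature name
    engines: int = 0                                 # engines that reported


def parse_report(text):
    """Split the report into one FileReport per 'File:' block."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            cur = FileReport(name=line[len("File: "):])
            reports.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Status: "):
            # Keep the verdict word, drop the service's explanatory note.
            cur.status = line[len("Status: "):].split(" (")[0]
        elif line.startswith("MD5 "):
            cur.md5 = line[len("MD5 "):].strip().lower()
        elif line.startswith("Packers detected: "):
            packers = line[len("Packers detected: "):]
            cur.packers = [] if packers == "-" else [p.strip() for p in packers.split(",")]
        elif " Found " in line:  # "<engine> Found <signature|nothing>"
            engine, sig = line.split(" Found ", 1)
            cur.engines += 1
            if sig != "nothing":
                cur.detections[engine] = sig
    return reports


def verdict(report):
    """'detected' on any hit from a non-weak engine; 'review' when the only
    evidence is weak-engine hits or a runtime packer; otherwise 'clean'."""
    if not re.fullmatch(r"[0-9a-f]{32}", report.md5):
        raise ValueError(f"{report.name}: malformed MD5 {report.md5!r}")
    if any(e not in WEAK_ENGINES for e in report.detections):
        return "detected"
    if report.detections or report.packers:
        return "review"
    return "clean"


def summarize(text):
    """Map file name -> (verdict, 'hits/engines', packers)."""
    return {r.name: (verdict(r), f"{len(r.detections)}/{r.engines}", r.packers)
            for r in parse_report(text)}


if __name__ == "__main__":
    for name, (v, hits, packers) in summarize(SAMPLE_REPORT).items():
        print(f"{name:16} {v:9} hits={hits} packers={packers}")
```

On the sample, browser.exe comes out as "review" because it is UPX/AutoIt packed with no detections, n_arfalz.txt as "clean", and n_clearc.log as "review" because both of its hits come from the weak set; a hit from any other engine would promote a file to "detected".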

#43 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 11 January 2006 - 11:49 PM

One of those files was found bad

Can you do the following, just to be safe
On your desktop, right click an empty spot and left click NEW>>Folder
Name it backups

Open the C:\WINDOWS folder

Can you right click on each of these files and CUT and PASTE them to the Backup folder
Don't just copy and paste them, we want to remove them from the Windows folder

FILES
n_arfalz.txt>>rename to n_arfalz.tx_
n_bswlzp.dat>>rename to n_bswlzp.da_
And so on
n_eruqgb.dat
n_furjxm.txt
n_futyio.log
n_gflvby.dat
n_ilpoey.txt
n_ituoof.log
n_jstpjt.log
n_orapuf.dat
n_prkmor.log
n_rlwnld.txt
n_rxofin.txt
n_szbnfi.log
n_uczkbl.dat
n_wpbduc.dat
n_wzdzzl.txt
n_yjikbf.log
n_ypnbvy.dat
n_zoyzcd.txt

You can delete n_clearc.log

Can you right click on any of the files in the backup folder and left click Properties
Any info on what they're related to?
browser.exe, right click on it also, and click Properties
Is there a Version tab, and do you know what it's related to?

Additionally, can you scan these 2 files at Jotti's please
C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
C:\WINDOWS\SYSTEM32\_004055_.tmp.dll

If found bad delete them
Reboot the computer

I'm confused about this
HKLM\software\microsoft\windows\currentversion\run,'tabletwizard'. 5: access is denied" it then gave me the option to abort, retry or ignore. I chose to ignore. I then got the same message except with 'bluetoothauthenticationagent"

Associated with BlueTooth software, designed to allow bluetooth mobile devices to authenticate to the computer, when connecting a PDA to your computer - necessary for the computer and the PDA to communicate.

tabletwizard

Microsoft Tablet PC Component

They don't appear in the logs or may be corrupt; do you have them installed, and can you uninstall the device software for now?

I would still opt to try a Repair install after the above
Afterwards, go directly and try and install SP1 for now from this link
Use the manual download
http://www.microsoft...1/expresso.mspx

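
For the cut-and-paste-then-rename step above, here is an added example that is not from the thread: a small Python quarantine routine that moves the listed files out of a folder into a backups folder, defuses each extension the same way the post does (.txt to .tx_, .dat to .da_), records each file's MD5 and size in a manifest so you can tell later whether anything changed while quarantined, and can move the files back after checking those hashes. Missing files are recorded rather than treated as errors, since several of the listed names were not present on the machine. The folder layout in demo() is constructed for the demonstration; on a real machine you would call quarantine() with the actual names and paths.

```python
"""Quarantine-with-manifest helper for the 'cut, paste and rename' step.
Added example for this thread, not code from the post."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def defuse_name(name):
    """Replace the last character of the extension with '_' (n_arfalz.txt -> n_arfalz.tx_)."""
    stem, ext = os.path.splitext(name)
    return stem + ext[:-1] + "_"


def quarantine(names, src_dir, backup_dir):
    """Move each named file from src_dir into backup_dir under a defused name
    and write backup_dir/manifest.json recording where it came from, its MD5
    and its size.  Files that are not present are listed as 'missing'."""
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name in names:
        src = src_dir / name
        if not src.is_file():
            manifest.append({"name": name, "status": "missing"})
            continue
        data = src.read_bytes()                 # hash before the move
        dst = backup_dir / defuse_name(name)
        shutil.move(str(src), str(dst))         # move, never copy: the point is removal
        manifest.append({
            "name": name, "status": "moved",
            "original": str(src), "quarantined": str(dst),
            "md5": hashlib.md5(data).hexdigest(), "size": len(data),
        })
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup_dir):
    """Move quarantined files back to their original paths, refusing any whose
    content no longer matches the hash recorded at quarantine time."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    restored = []
    for item in manifest:
        if item["status"] != "moved":
            continue
        q = Path(item["quarantined"])
        if hashlib.md5(q.read_bytes()).hexdigest() != item["md5"]:
            raise ValueError(f"{q.name}: content changed while quarantined")
        shutil.move(str(q), item["original"])
        restored.append(item["name"])
    return restored


def demo():
    """Constructed scenario: two of three listed files exist in a throwaway
    'WINDOWS' folder (sizes echo the 83 KB / 33 KB the poster reported, in
    bytes here); the third is absent, as some were in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        win, backups = Path(tmp) / "WINDOWS", Path(tmp) / "backups"
        win.mkdir()
        (win / "n_arfalz.txt").write_bytes(b"A" * 83)
        (win / "n_bswlzp.dat").write_bytes(b"B" * 33)
        manifest = quarantine(["n_arfalz.txt", "n_bswlzp.dat", "n_eruqgb.dat"], win, backups)
        after_move = sorted(p.name for p in win.iterdir())
        in_backups = sorted(p.name for p in backups.iterdir())
        restored = restore(backups)
        after_restore = sorted(p.name for p in win.iterdir())
        return {"manifest": manifest, "after_move": after_move,
                "in_backups": in_backups, "restored": restored,
                "after_restore": after_restore}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash in the manifest is what makes the backup folder useful as evidence: if a later scan of the quarantined copy disagrees with the earlier result, you can tell whether the file changed or the scanner did.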


#44 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 19 January 2006 - 04:00 AM

Hey, I'm back. Sorry it took so long for me to reply; really busy lately. I still haven't been able to install SP2. I went to the Windows XP repair install web site, where they say to use the XP CD, which I do not have. I have to go to my parents' house and see if I can find it. I did install SP1 though.
I created the backups folder on the desktop and cut and pasted the unidentified files that you listed. Not all of the files that you listed were in the Windows folder; it was missing 4 of them. I also deleted the infected file. There is really no information on them when I go to Properties. All but 2 (33 KB) are 83 KB in size. There are also the created and modified dates.
The browser.exe file has this information: Version 2.64.0.0, Description: Compiled AutoIt Script, Comments: third party compiled AutoIt script. I don't know what it is related to.
I scanned these 2 files: C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
C:\WINDOWS\SYSTEM32\_004055_.tmp.dll with Jotti's. They came up clean.
About the 2 errors I get when installing SP2, I do not know what software the devices are related to.

here is a fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:57:59 AM, on 1/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#45 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 19 January 2006 - 10:22 AM

I found some more info on your problem
Can you follow the instructions posted by Microsoft
It should be of some help
http://support.micro...ct=windowsxpsp2



#46 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 19 January 2006 - 01:27 PM

I installed SP2 with the help from your link. There are a few problems with it though. First, when I restart the computer I get a message stating "error loading AUNPS2.DLL The specific module could not be found." Then I also get "error loading c:\programfiles\wildtangent\apps\CDA\CDAengine0400.dll. The specific module could not be found." I just press OK at the prompts.
Also, when I go to Windows Firewall in the Control Panel it states "Due to an unidentified problem, windows cannot display firewall settings."

#47 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 19 January 2006 - 01:43 PM

Can I see a new hijackthis log please
I want to get caught back up on this thread
Also,
Can you go to START>>Run>>Type in
services.msc

Look for this service name
Windows Firewall/Internet Connection Sharing (ICS)

Double click on it and start the service
In the drop down menu set to Automatic



#48 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 20 January 2006 - 02:50 AM

Went to services.msc and Windows Firewall/Internet Connection Sharing (ICS) was not on the list.

Here is a fresh HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 2:43:47 AM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [b78b327add10] C:\WINDOWS\System32\catsrvut.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WhoUP8s0.exe
O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [66og7v3s] C:\Program Files\66og7v3s\66og7v3s.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvkkln.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hrgfjg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wwutsu.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteovy32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#49 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 20 January 2006 - 07:43 AM

This looks like a completely different log
What happened?
Some more cleaning, but we're just about there
Don't worry about the errors on startup right now, we'll fix that in a bit
Good thing is I don't see anything bad in the running processes

EDIT>>I need you to do this also, if you haven't started already
From the bottom of this reply box, download>>Save and then UNZIP to desktop share.zip
so you now have share.reg extracted to the desktop
We'll need this in a bit

Can you make sure you do updates with Ad-Aware
Run a full scan and fix all Criticals as instructed before

==Double click on share.reg and allow to add/merge to the registry
Restart the computer afterwards

Back in Windows
Check to see if the firewall is running and enabled
Go to services.msc>>Ensure it's set to Auto and started
Access the windows Control panel and double click to open Windows Firewall
Ensure it's ON

Check for updates with Spybot 1.4
Fix everything in RED
Reboot the computer if anything in Red was fixed

Check for updates with Ewido and do a complete system scan
Save a report to the desktop when done

Back in Windows
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [b78b327add10] C:\WINDOWS\System32\catsrvut.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WhoUP8s0.exe
O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [66og7v3s] C:\Program Files\66og7v3s\66og7v3s.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvkkln.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hrgfjg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wwutsu.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteovy32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow up to "Standard CleanUp!"

Click OK
Press the CleanUp! button to start the program.
Reboot the computer when it's done

Come back here and post a fresh hijackthis log and the new report from Ewido's

Also, do the following again
open Hijackthis>>Open Misc tools section>>Open uninstaller manager
Click the SAVE LIST button>>Save the list to desktop and then copy and paste the info back here

I edited some of my above instructions right after I posted, take another look and do what you missed, if you started before I edited please

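
The SP2 log carries dozens of HKLM Run entries that the SP1 log did not, which is what makes it look like a different machine. As an added example that is not from the thread or from HijackThis, the following diffs the O4 entries of two logs and ranks the entries that are new in the second one with the kind of heuristics a reviewer applies by eye: running from a temp directory, a random-looking value or file name, a bare file name with no path (resolved through the search order), or rundll32 loading a module without a path. The two logs are constructed subsets of the ones posted above; the AUNPS2 entry-point name is a placeholder because the posted line is garbled at that spot; the weights and the threshold are assumptions for this example. The output ranks entries for a human to review; it decides nothing on its own, and the baseline diff is what keeps long-standing legitimate entries out of the list.

```python
"""Diff the O4 (Run-key) entries of two HijackThis logs and rank the new ones.
Added example for this thread; not HijackThis code."""
import re
from dataclasses import dataclass

# Constructed subsets of the two logs posted above.  "EntryPoint" on the
# AUNPS2 line is a placeholder; the posted line is garbled there.
LOG_A = r"""
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
"""

LOG_B = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [b78b327add10] C:\WINDOWS\System32\catsrvut.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WhoUP8s0.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,EntryPoint
O4 - HKLM\..\Run: [66og7v3s] C:\Program Files\66og7v3s\66og7v3s.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvkkln.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hrgfjg.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# "O4 - HKLM\..\Run: [value name] command"; Global Startup (.lnk) lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 <module>,<entry point>, module optionally quoted.
RUNDLL_RE = re.compile(r'(?i)^"?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*(?:,|$)')
# Assumed weights for this example.
WEIGHTS = {"runs_from_temp": 3, "random_looking_name": 2,
           "rundll32_module_without_path": 2, "image_without_path": 1}


@dataclass(frozen=True)
class RunEntry:
    hive: str
    name: str
    cmd: str


def parse_o4(log):
    return [RunEntry(m["hive"], m["name"], m["cmd"])
            for m in (O4_RE.match(l.strip()) for l in log.splitlines()) if m]


def new_entries(old_log, new_log):
    """Entries present in the newer log but absent from the older one."""
    baseline = set(parse_o4(old_log))
    return [e for e in parse_o4(new_log) if e not in baseline]


def _image(cmd):
    """The program the command runs: a quoted path, or text up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _looks_random(label):
    """Crude: letters mixed with several digits, or a long token with no vowels.
    All-caps vendor names such as MSMSGS trip the second rule; the baseline
    diff, not this rule, is what keeps such long-standing entries out."""
    letters = sum(c.isalpha() for c in label)
    digits = sum(c.isdigit() for c in label)
    if letters >= 3 and digits >= 2:
        return True
    vowels = sum(c in "aeiouyAEIOUY" for c in label)
    return letters == len(label) and letters >= 6 and vowels == 0


def triage(entry):
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    m = RUNDLL_RE.match(entry.cmd.strip())
    if m:
        loaded = m.group(1)
        if "\\" not in loaded:
            reasons.append("rundll32_module_without_path")
    else:
        loaded = _image(entry.cmd)
        if "\\" not in loaded:
            reasons.append("image_without_path")
    if "\\temp\\" in loaded.lower():
        reasons.append("runs_from_temp")
    stem = loaded.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if _looks_random(entry.name) or _looks_random(stem):
        reasons.append("random_looking_name")
    return reasons


def report(old_log, new_log, threshold=2):
    """New entries scoring at or above threshold, highest first: (name, score, reasons)."""
    rows = []
    for e in new_entries(old_log, new_log):
        reasons = triage(e)
        total = sum(WEIGHTS[r] for r in reasons)
        if total >= threshold:
            rows.append((e.name, total, reasons))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for name, total, reasons in report(LOG_A, LOG_B):
        print(f"{total}  [{name}]  {', '.join(reasons)}")
```

Entries such as VTTimer and AGRSMMSG score only 1 (bare file name) and stay below the threshold, while the temp-directory and random-name entries that the fix list above singles out float to the top; anything the heuristics miss, like BearShare, still has to be judged from what the program is.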


#50 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 21 January 2006 - 01:31 AM

Ran share.reg, and also Spybot, Cleanup and Ewido. Here's the HJT log and uninstall list, along with the Ewido report. Also, the firewall is up and running.

Logfile of HijackThis v1.99.1
Scan saved at 1:22:15 AM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:09:35 AM, 1/21/2006
+ Report-Checksum: FA770021

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\kerry and colleen\Cookies\kerry and [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End

Ad-Aware SE Personal
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
avast! Antivirus
CleanUp!
Compaq Connections
EPSON Printer Software
ewido anti-malware
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
I.E. Host
iPod for Windows 2005-09-06
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Lavasoft VX2 Cleaner
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Word Viewer 97
Microsoft Works 7.0
Napster
Napster Burn Engine
QuickTime
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Sonic Update Manager
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Tweakui Powertoy for Windows XP
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB Storage Driver
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

#51 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 21 January 2006 - 02:43 PM

Access your add/remove programs via control panel
Remove I.E. Host
You can also remove
Java 2 Runtime Environment, SE v1.4.2_03
as you have the latest version installed
Reboot the computer

Can you do the following again, I want to see if this will add to the registry now
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Be sure to include REGEDIT4 and everything below it in the code box
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashDisp.exe"

Double click on fix.reg and allow to add to the registry

Not sure why Ewido keeps pegging spyware IBIS and Websearch

The tool from Symantec should have cleaned out most/all of it
Can you run FxWebsch.exe from Symantec and see if it finds anything please

Additionally, I see you have Spysweeper installed
Is it still capable of updating?
Or did you try uninstalling it?
Can you do the following please only if Spysweeper is still installed
In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer
or restart the computer anyway

Back in Windows

I need to see these 2 logs
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

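As an added check (example code written for this edit, not from the thread or from any of the tools named in it): a small parser for the REGEDIT4 format that reads the fix.reg text above and confirms, before it is merged, that it only adds the avast! entry to the Run key, with the doubled backslashes the format requires. The key path and file name come from the post; everything else is constructed here.

```python
"""Parse a REGEDIT4-format .reg file and report what it would merge.

Added example, not from the thread. It checks the fix.reg text from the
post: REGEDIT4 header present, exactly one key (the HKLM Run key), and a
string value that points at ashDisp.exe with backslashes doubled as the
.reg syntax requires.
"""
import re

# Constructed copy of the fix.reg contents given in the post (raw string,
# so the doubled backslashes are exactly what the file would contain).
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashDisp.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# "name"=data  (the name itself may contain escaped quotes or backslashes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: only \\\\ and \\" are legal escapes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 >= len(s) or s[i + 1] not in '\\"':
                raise ValueError(
                    f"bad escape in {s!r}: backslashes in .reg strings must be doubled")
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_data(data):
    """Decode the right-hand side of a value line."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])          # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)              # REG_DWORD
    if data == "-":
        return None                           # value deletion
    return data                               # hex:/hex(x): blobs left as written


def parse_reg(text):
    """Return {key_path: {value_name: data}}; a key mapped to None is a deletion."""
    lines = text.lstrip("\ufeff").splitlines()
    # The post asks for REGEDIT4 (the ANSI format); enforce exactly that header.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):          # [-HKEY_...] deletes the key
                keys[name[1:]] = None
                current = None
            else:
                current = keys.setdefault(name, {})
            continue
        if current is None:
            raise ValueError(f"value outside any key: {line}")
        if line.startswith("@="):             # default value
            name, data = "", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError(f"unparsable line: {line}")
            name, data = _unescape(m.group(1)), m.group(2)
        current[name] = _parse_data(data)
    return keys


def check_fix_reg(text, expected_exe="ashDisp.exe"):
    """Return a list of problems; an empty list means the file does what the post intends."""
    try:
        keys = parse_reg(text)
    except ValueError as exc:
        return [str(exc)]
    if list(keys) != [RUN_KEY]:
        return [f"expected only the Run key, got {list(keys)}"]
    values = keys[RUN_KEY]
    if values is None:
        return ["file deletes the Run key instead of adding to it"]
    problems = []
    for name, data in values.items():
        if not isinstance(data, str) or not data.lower().endswith(expected_exe.lower()):
            problems.append(f"{name!r} does not point at {expected_exe}: {data!r}")
    return problems


if __name__ == "__main__":
    print(parse_reg(FIX_REG)[RUN_KEY])
    print("problems:", check_fix_reg(FIX_REG) or "none")
```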


#52 indigenous1

indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 22 January 2006 - 05:39 PM

I removed I.E. Host along with Java 2. I also merged fix.reg into the registry. FxWebsearch found nothing. I ran Spy Sweeper. It was unable to update though. Here are the logs that you requested.

05:11 PM: |··· Start of Session, Sunday, 22 January 2006 ···|
05:11 PM: Spy Sweeper 3.0.0 (Build 129) started
05:22 PM: Sweep initiated using definitions version 507
05:22 PM: Sweeping memory for active spyware.
05:22 PM: Memory sweep has completed. Elapsed time 00:00:05
05:22 PM: Registry sweep initiated.
05:22 PM: Found: 18 Agent.ay Downloader registry traces.
05:22 PM: Found: 6 CWS_Hotoffers_DesktopHijacker registry traces.
05:22 PM: Found: 36 IEPlugin registry traces.
05:22 PM: Found: 28 Trojan-Downloader-BQAdSearch registry traces.
05:22 PM: Found: 6 Trojan-Downloader-WinShow registry traces.
05:22 PM: Found: 12 Trojan_Downloader_Tibser registry traces.
05:22 PM: Found: 1 CWS_youriskalka.com Hijack registry traces.
05:22 PM: Found: 18 TvMedia registry traces.
05:22 PM: Found: 1 www.oneclicksearches.com Hijack registry traces.
05:22 PM: Found: 27 WebSearch Toolbar registry traces.
05:22 PM: Found: 20 CWS_NS3 registry traces.
05:22 PM: Found: 6 CWS_TINY0 registry traces.
05:22 PM: Registry sweep completed. Elapsed time 00:00:11
05:22 PM: Full sweep on all local drives initiated.
05:22 PM: Now sweeping drive C:
05:23 PM: Found Cookie: DomainSponsor Cookie, version 1, c:\documents and settings\kerry and colleen\cookies\kerry and [email protected][1].txt
05:25 PM: Found Adware: Security iGuard, version 1, c:\windows\help\chmhelp.chm
05:29 PM: Found: 2 file traces.
05:29 PM: Full Sweep has completed. Elapsed time 00:07:29
38,549 files swept
181 spyware traces located
05:30 PM: Removal process initiated
05:30 PM: Quarantining: Agent.ay Downloader
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md||data3
05:33 PM: Quarantining: CWS_Hotoffers_DesktopHijacker
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data||(-default-)
05:33 PM: Quarantining: DomainSponsor Cookie
05:33 PM: Cookie: c:\documents and settings\kerry and colleen\cookies\kerry and [email protected][1].txt
05:33 PM: Quarantining: IEPlugin
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md||data3
05:33 PM: Quarantining: Security iGuard
05:33 PM: File: c:\windows\help\chmhelp.chm
05:33 PM: Quarantining: Trojan-Downloader-BQAdSearch
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md||data3
05:33 PM: Quarantining: Trojan-Downloader-WinShow
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data||(-default-)
05:33 PM: Quarantining: Trojan_Downloader_Tibser
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data||(-default-)
05:33 PM: Quarantining: CWS_youriskalka.com Hijack
05:33 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\searchurl||provider
05:33 PM: Quarantining: TvMedia
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md||data3
05:33 PM: Quarantining: www.oneclicksearches.com Hijack
05:33 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main||use search asst
05:33 PM: Quarantining: WebSearch Toolbar
05:33 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\toolbar
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginconfig\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindown\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindownadd\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginevents\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugininst\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginserver\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.toolbarscript\clsid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\localserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\localserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\progid
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\typelib
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\version
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\version||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\typelib||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\progid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\localserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.toolbarscript\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginserver\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugininst\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginevents\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindownadd\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindown\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginconfig\clsid||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000
05:33 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc||nextinstance
05:33 PM: Quarantining: CWS_NS3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\data\md
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{e631a3af-2375-8d4c-66b1-aab77c548825}\inprocserver32
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{e631a3af-2375-8d4c-66b1-aab77c548825}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{e631a3af-2375-8d4c-66b1-aab77c548825}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\inprocserver32||threadingmodel
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\data\md||data3
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32||threadingmodel
05:33 PM: Quarantining: CWS_TINY0
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data||(-default-)
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data||(-default-)
05:33 PM: Cleaning Traces
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{e631a3af-2375-8d4c-66b1-aab77c548825}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{e631a3af-2375-8d4c-66b1-aab77c548825}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6982c7d9-061e-aa2d-89cc-05af765683f2}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{38d49e75-22ad-792c-2e36-24f44a9a7e2d}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{21d26c8d-f485-1400-d908-54562044e0ff}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc|| (nextinstance)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
05:33 PM: Blasting registry: HKEY_LOCAL_MACHINE\software\toolbar
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.toolbarscript\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginserver\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugininst\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginevents\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindownadd\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.plugindown\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\tbps.pluginconfig\clsid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ff731508-cd28-e0b0-3e85-0cf55fde9fba}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\localserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ef535cff-cb81-6cc3-a873-2f8c82aec371}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\version
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\typelib
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\progid
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\localserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}\localserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{a4589c07-991d-8034-c12e-69c0d5455dea}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data\md
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{646e0cf3-7459-b02d-6848-af1a15ea194e}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{375c6816-55d9-3eb5-0b65-51f231799585}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data\md
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{1eb9a5c3-8be0-1184-bf52-28550086ec10}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data\md
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{178ed832-5662-af21-dcb5-9071147c3af6}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\inprocserver32
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md|| (data3)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data\md
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}\data
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{17151197-586c-9ecf-1cc7-eaeda430efc7}
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32|| (threadingmodel)
05:33 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{0cf849ed-e455-35c5-d9ad-0d802e5904a1}\inprocserver32
05:33 PM: Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\searchurl|| (provider) || ()
05:33 PM: Removing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main|| (use search asst)
05:33 PM: Removing file: c:\windows\help\chmhelp.chm
05:33 PM: Removing file: c:\documents and settings\kerry and colleen\cookies\kerry and [email protected][1].txt
05:33 PM: Removal process completed. Elapsed time 00:02:11
14 items (179 traces) quarantined.

Logfile of HijackThis v1.99.1
Scan saved at 5:39:01 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#53 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 22 January 2006 - 11:01 PM

It seems we're having better luck cleaning the registry now

I would do the following, SpySweeper appears to have cleaned out some reg. entries
But it is terribly out of date
I suggest that you access your add/remove programs and remove it
Reboot later
This may be the reason for our interference

We have updated tools on your computer,
Can you post a fresh hijackthis log after you uninstall it please
Let me know how things are running

Just some minor cleanup to do



#54 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 23 January 2006 - 03:43 AM

SpySweeper will not uninstall. When I go to Add/Remove Programs it says that the uninstaller does not exist. So I went to the SpySweeper program in the Webroot folder to try and use the uninstaller icon, but it still will not work. The icon is there, but it says that it does not exist. Here is a fresh HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 3:42:09 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#55 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 24 January 2006 - 08:51 PM

Very sorry for the delay
I don't even think you can download that version of SpySweeper to replace the uninstaller

Can you try the following
Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm

Open SpySweeper
Open it, click >Options over to the left, then >Program Options and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Open your taskmanager and end the process on
SpySweeper.exe


Open the RegSeeker Folder and double click on RegSeeker.exe
Click on "Install Applications" in the left menu
Highlight SpySweeper and choose Delete
See if it will uninstall

If not, we could try to manually uninstall SpySweeper, but this may leave lots behind
We could try installing the newer trial version over top of your old version and then try uninstalling it
But if we go this route, we won't uninstall it yet, may as well use it first


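The step above uses RegSeeker's "Installed Applications" list to delete the SpySweeper entry whose uninstaller is gone. As an added example that is not from this thread, RegSeeker or Webroot, the script below does the same check from PowerShell: it lists Add/Remove Programs entries whose UninstallString points at a file that no longer exists on disk (the "uninstaller does not exist" condition), and only deletes the orphaned registry entry when run with -Remove. It assumes Windows PowerShell 5.1 or later run as administrator; the -NameFilter and -Remove parameters are this example's own.

```powershell
# Added example (not from the thread): report Add/Remove Programs entries whose
# uninstaller executable is missing, which is what produces the "uninstaller
# does not exist" error. Report only unless -Remove is given. Deleting an entry
# only hides it from Add/Remove Programs; it removes no program files or services.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NameFilter = '*',   # e.g. '*Spy Sweeper*' to look at one product
    [switch]$Remove              # delete orphaned entries (honours -WhatIf/-Confirm)
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallerPath {
    # Extract the executable path from an UninstallString such as
    #   "C:\Program Files\Vendor\unins000.exe" /SILENT
    #   C:\PROGRA~1\Vendor\Uninstall.exe
    #   MsiExec.exe /X{GUID}
    param([string]$UninstallString)
    if ([string]::IsNullOrWhiteSpace($UninstallString)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($UninstallString.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
        return $s.Trim('"')
    }
    # Unquoted form: take everything up to the first ".exe" token, because
    # unquoted paths with spaces are common and splitting on whitespace would
    # truncate them.
    $m = [regex]::Match($s, '(?i)^(.+?\.exe)(\s|$)')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($s -split '\s+')[0]
}

$orphans = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.DisplayName -or $p.DisplayName -notlike $NameFilter) { continue }
        $exe = Get-UninstallerPath $p.UninstallString
        if (-not $exe) { continue }
        # msiexec-based entries point at the Windows Installer, not a vendor file
        if ([IO.Path]::GetFileName($exe) -ieq 'msiexec.exe') { continue }
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                UninstallString = $p.UninstallString
                MissingFile     = $exe
                RegistryKey     = $key.Name
            }
        }
    }
}

$orphans | Format-Table -AutoSize

if ($Remove) {
    foreach ($o in $orphans) {
        # ShouldProcess makes -WhatIf show the key without touching it
        if ($PSCmdlet.ShouldProcess($o.RegistryKey, 'Remove orphaned uninstall entry')) {
            Remove-Item -LiteralPath ('Registry::' + $o.RegistryKey) -Recurse
        }
    }
}
```

Run it once without -Remove to see what would be touched; an entry whose file merely moved (for example after a drive letter change) shows up here too and should be left alone.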

#56 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 25 January 2006 - 12:54 AM

Tried using RegSeeker to uninstall SpySweeper. Would not work. I ran HouseCall earlier today and it found a few more viruses. I still have my old Defender Pro antivirus CD. I don't use it b/c a friend of mine says it takes up too much space on a computer. Should I install it if I can?

#57 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 25 January 2006 - 06:21 AM

Not sure if this is related to what we are trying to do here, but I hope it is. I ran Ad-Aware a little while ago to see what it would find, and an avast screen pops up saying that a virus was found. So I delete the file and I restart the computer. I run Ad-Aware again and up pops the same avast screen with another virus in the same location deep within my C drive. It is in a file called AAWTMP. I select delete again and restart my computer. I go to My Computer to where this file is supposedly located and find nothing. So I run Ad-Aware again and I get a virus in the same location again. I don't do anything, but I go back to My Computer to look for the file again and there it is, where I just looked! I scan the AAWTMP folder with avast and a virus is found. I press delete and a screen pops up saying virus cannot be found. So I start Killbox and select the AAWTMP file to be deleted. It deletes the file and I restart. But the virus is still present. It changes to a different name every time and is hidden until found by avast. What can I do about this? I hate computers.



here is a fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:15:38 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
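
A small parser for the HijackThis log format shown above, added here as an example; it is not code from this thread, from the poster, or from HijackThis itself. The sample lines are copied from the posted log, and the flag rules encode the checks a helper applies by eye when reading such a log: a bare filename in an O4 Run entry (no directory, so it is resolved through the search path), "(file missing)" or a stray quote in an O23 service path, an O16 download URL shortened by the forum software, and a BHO listed with no name. The section tags, flag wording and helper function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread. Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashDisp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\\Program Files\\ewido anti-malware\\ewidoctrl.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    target: Optional[str] = None          # path, command line or URL the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for blank/non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["section"], m["body"])
    c = CLSID_RE.search(e.body)
    if c:
        e.clsid = c.group(0)

    if e.section == "O4":
        # "HKLM\..\Run: [name] command" -> keep the command after the bracketed value name
        e.target = e.body.split("] ", 1)[-1]
        cmd = e.target
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe:
            e.flags.append("bare filename, no directory: check which copy actually loads")
    elif e.section in ("O2", "O3", "O9", "O20", "O23"):
        # These sections end with " - <path>"; a Windows path never contains " - ".
        e.target = e.body.rsplit(" - ", 1)[-1]
        if "(file missing)" in e.target:
            e.flags.append("file missing: entry points at a path that does not exist")
        if '"' in e.target:
            e.flags.append("unbalanced quote in path: service ImagePath was mis-parsed")
        if e.body.startswith("BHO: (no name)"):
            e.flags.append("BHO has no name: identify it by CLSID")
    elif e.section == "O16":
        e.target = e.body.rsplit(" - ", 1)[-1]
        if "..." in e.target:
            e.flags.append("URL shortened by the forum software: ask for the full line")
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries a helper would look at first."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(count_by_section(found))
    for e in flagged(found):
        print(e.section, e.target, "->", "; ".join(e.flags))
```

On the two avast! O23 lines in this log, the stray quote before `/service` together with "(file missing)" is the pattern HijackThis typically produces when it splits a quoted ImagePath such as `"...\ashMaiSv.exe" /service` and then fails to find the mangled path; a flag from the parser is a prompt to look, not a verdict, which is why the real checks (the Jotti submissions earlier in the thread, and the Spy Sweeper results below) still matter.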

#58 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 25 January 2006 - 10:12 PM

It sounds like something is residing in the temp folders.
Can you give me the location please?
Before you do, please do the following:

RESTART your computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads.
Choose Safe Mode from the startup menu and hit Enter.

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Standard CleanUp!"

Click OK
Press the CleanUp! button to start the program.
When it's done, reboot back to Normal mode.

Download and install Spy Sweeper 4.5
Ensure to install to the old directory of
C:\Program Files\Webroot

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer,
or restart the computer anyway.

Back in Windows

Please post the new SpySweeper log



#59 indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 26 January 2006 - 12:34 AM

The location of the file is c:\documentsandsettings\kerryandcolleen\localsettings\temp\AAWTMP
Here is the Spy Sweeper log.

********
12:04 AM: | Start of Session, Thursday, January 26, 2006 |
12:04 AM: Spy Sweeper started
12:04 AM: Sweep initiated using definitions version 605
12:04 AM: Starting Memory Sweep
12:06 AM: Memory Sweep Complete, Elapsed Time: 00:02:10
12:06 AM: Starting Registry Sweep
12:06 AM: Found Adware: websearch toolbar
12:06 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
12:06 AM: HKLM\software\toolbar\ (4 subtraces) (ID = 646240)
12:06 AM: Found Adware: cws_ns3
12:06 AM: HKCR\clsid\{ee60feae-009f-5e4a-fb06-eb54ef18c29e}\ (2 subtraces) (ID = 888308)
12:06 AM: Found Adware: cws_tiny0
12:06 AM: HKCR\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980881)
12:06 AM: HKLM\software\classes\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980889)
12:06 AM: HKCR\clsid\{60fc6862-9261-c47d-0f11-1c5e5c1b1dd6}\ (2 subtraces) (ID = 1107842)
12:06 AM: HKLM\software\classes\clsid\{60fc6862-9261-c47d-0f11-1c5e5c1b1dd6}\ (2 subtraces) (ID = 1107846)
12:06 AM: Registry Sweep Complete, Elapsed Time:00:00:07
12:06 AM: Starting Cookie Sweep
12:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:06 AM: Starting File Sweep
12:06 AM: alcxmntr.exe:qebzeu (ID = 56287)
12:07 AM: Warning: Failed to open file "c:\windows\". The system cannot find the path specified
12:07 AM: agrsmdel.exe:yejtkj (ID = 56601)
12:12 AM: Warning: Failed to open file "c:\windows\". The system cannot find the path specified
12:19 AM: Found Adware: webhancer
12:19 AM: ntsautodial.ini (ID = 188794)
12:19 AM: Warning: Unhandled Archive Type
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:24 AM: Warning: Invalid Stream
12:24 AM: File Sweep Complete, Elapsed Time: 00:17:44
12:24 AM: Full Sweep has completed. Elapsed time 00:20:04
12:24 AM: Traces Found: 31
12:25 AM: Removal process initiated
12:25 AM: Quarantining All Traces: cws_ns3
12:25 AM: Quarantining All Traces: websearch toolbar
12:25 AM: websearch toolbar is in use. It will be removed on reboot.
12:25 AM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
12:25 AM: Quarantining All Traces: cws_tiny0
12:25 AM: Quarantining All Traces: webhancer
12:25 AM: Removal process completed. Elapsed time 00:00:33
********
12:02 AM: | Start of Session, Thursday, January 26, 2006 |
12:02 AM: Spy Sweeper started
12:03 AM: Your spyware definitions have been updated.
12:04 AM: | End of Session, Thursday, January 26, 2006 |

#60 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 26 January 2006 - 12:43 AM

the location of the file is c:\documentsandsettings\kerryandcolleen\localsettings\temp\AAWTMP

If you ran CleanUp! with the instructions I supplied earlier, the file should be gone now

I'm just on my way to bed
Can you do the additional please

Delete About:Buster and its folder.

Re-download About:Buster.zip
and UNZIP the contents to the desktop.

Again, I would check for updates with both Ewido and Ad-Aware.
Reboot to Safe Mode.

Try running About:Buster.exe again.
Also run the updated scans with Ewido and Ad-Aware.

Reboot back to Normal mode.

Post back a fresh HijackThis log.
Let me know how things are running.
