02-27-2006, 03:57 PM   #23
Raggedy
Registered User
 
Join Date: Sep 2005
Posts: 36
OS: Windows 2000


Hi Ried. Another tale.

Went to the guy's house to try this stuff.

Followed instructions received from BT (ISP) to download & reinstall the software. No luck (error extracting cab file). Tried from a disk he had. Same result.

Disabled Modem Lock in msconfig but it still alerts that it's disabled. That's 1 SOB piece of software.

Ran SpySweeper and, as you'll see from the log, more dodgy stuff is showing. One of them (Winantispyware) he told me he'd clicked on, as he thought it was something I'd put on!

While I was trying to install the BT stuff from disk, Spy Sweeper alerted me to hyjk, so I'm posting the log that includes that alert as well as the HJT log.

VundoFix found nothing.

Thanks for your patience.

********
21:18: | Start of Session, 27 February 2006 |
21:18: Spy Sweeper started
21:18: Sweep initiated using definitions version 622
21:18: Starting Memory Sweep
21:22: Memory Sweep Complete, Elapsed Time: 00:03:55
21:22: Starting Registry Sweep
21:22: Found Adware: exact cashback/bargain buddy
21:22: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
21:22: Found Adware: blazefind
21:22: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\bridge.dll (ID = 104541)
21:22: Found Adware: seekseek.com hijacker
21:22: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 141574)
21:22: Found Adware: searchsail
21:22: HKCR\kwpopper.application\ (3 subtraces) (ID = 1139487)
21:22: HKCR\clsid\{9d0505fd-6e32-497c-a2f1-8b9d5241e2c9}\ (7 subtraces) (ID = 1139491)
21:22: HKLM\software\classes\kwpopper.application\ (3 subtraces) (ID = 1139499)
21:22: HKLM\software\classes\clsid\{9d0505fd-6e32-497c-a2f1-8b9d5241e2c9}\ (7 subtraces) (ID = 1139503)
21:23: Registry Sweep Complete, Elapsed Time:00:00:55
21:23: Starting Cookie Sweep
21:23: Found Spy Cookie: touchclarity cookie
21:23: owner@btow.touchclarity[1].txt (ID = 3566)
21:23: Found Spy Cookie: reliablestats cookie
21:23: owner@stats1.reliablestats[2].txt (ID = 3254)
21:23: owner@btow.touchclarity[1].txt (ID = 3566)
21:23: Found Spy Cookie: tribalfusion cookie
21:23: owner@tribalfusion[1].txt (ID = 3589)
21:23: Cookie Sweep Complete, Elapsed Time: 00:00:01
21:23: Starting File Sweep
21:24: Found Adware: 180search assistant/zango
21:24: c:\documents and settings\owner\local settings\temp\fleok (1 subtraces) (ID = -2147480558)
21:24: Found Adware: seekseek
21:24: c:\program files\common files\slmss (ID = -2147481537)
21:26: Found Adware: tvmedia
21:26: tvmknwrd.dll (ID = 81726)
21:38: Found Adware: winantispyware 2005
21:38: setup.exe (ID = 162517)
21:38: setup.exe (ID = 122245)
21:39: tvm.upd (ID = 81653)
21:40: Found Adware: adlogix
21:40: sp32.xml (ID = 49240)
21:41: dfd.sys (ID = 162513)
21:42: Found Adware: directrevenue-abetterinternet
21:42: alchem.inf (ID = 83109)
21:42: Found Adware: twain-tech
21:42: polmx.inf (ID = 81856)
21:42: mxtarget.inf (ID = 81843)
21:42: trial.updates.winsoftware[1].txt (ID = 149943)
21:45: File Sweep Complete, Elapsed Time: 00:21:56
21:45: Full Sweep has completed. Elapsed time 00:26:57
21:45: Traces Found: 46
21:45: Removal process initiated
21:45: Quarantining All Traces: 180search assistant/zango
21:45: Quarantining All Traces: adlogix
21:45: Quarantining All Traces: directrevenue-abetterinternet
21:45: Quarantining All Traces: blazefind
21:45: Quarantining All Traces: exact cashback/bargain buddy
21:45: Quarantining All Traces: searchsail
21:45: Quarantining All Traces: seekseek.com hijacker
21:45: Quarantining All Traces: seekseek
21:45: Quarantining All Traces: tvmedia
21:46: Quarantining All Traces: twain-tech
21:46: Quarantining All Traces: reliablestats cookie
21:46: Quarantining All Traces: touchclarity cookie
21:46: Quarantining All Traces: tribalfusion cookie
21:46: Quarantining All Traces: winantispyware 2005
21:47: Removal process completed. Elapsed time 00:01:22
22:07: Processing Startup Alerts
22:07: Removed Startup entry: hyjk
22:15: BHO Shield: found: ysidebarIE.dll-- BHO installation denied at user request
22:16: BHO Shield: found: YPager.exe-- BHO installation denied at user request
********
21:09: | Start of Session, 27 February 2006 |
21:09: Spy Sweeper started
21:17: Your spyware definitions have been updated.
21:18: | End of Session, 27 February 2006 |


Logfile of HijackThis v1.99.1
Scan saved at 21:53:24, on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctxsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [controlkids] C:\Program Files\Control Kids\controlkids.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctxsvc] C:\WINDOWS\System32\ctxsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137416512640
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
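The HijackThis log above is the kind of thing a helper reads line by line, looking for a few recurring patterns: O2/O3/O9 entries whose file is gone ("(no file)", "(file missing)"), O16 ActiveX downloads from hosts other than the expected update sources, O20 Winlogon Notify DLLs (which load inside winlogon.exe at logon), and the MSConfig /auto Run entry that Windows adds once startup items have been disabled through msconfig, as the poster did. The script below is an added example, not part of the original post or of HijackThis itself; the sample lines are copied from the posted log, and the list of trusted download hosts is an assumption made for illustration.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ctxsvc] C:\WINDOWS\System32\ctxsvc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137416512640
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumption for this example: hosts whose O16 ActiveX downloads we treat as expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "msn.com")

# HJT line shape: "<tag> - <body>", tags like R0, F2, N1, O2, O16, O23.
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2", "O16"
    severity: str  # "fix": safe to remove; "review": needs a human; "info": context
    reason: str
    line: str


def is_trusted_host(host, trusted):
    """True if host equals or is a subdomain of one of the trusted suffixes."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return Findings for the lines a helper would normally call out."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        tag, body = m.groups()
        if tag in ("O2", "O3", "O9") and any(mk in body for mk in ORPHAN_MARKERS):
            findings.append(Finding(tag, "fix",
                            "orphaned entry: registered but the file is gone", raw))
        elif tag == "O4" and "MSConfig.exe /auto" in body:
            findings.append(Finding(tag, "info",
                            "startup items were disabled via msconfig; "
                            "MSConfig reruns at logon to keep them off", raw))
        elif tag == "O16":
            url = URL_RE.search(body)
            host = urlparse(url.group(0)).hostname if url else None
            if host is None or not is_trusted_host(host, trusted_hosts):
                findings.append(Finding(tag, "review",
                                f"ActiveX download from {host or 'unknown host'}", raw))
        elif tag == "O20":
            findings.append(Finding(tag, "review",
                            "Winlogon Notify DLL loads inside winlogon at logon; "
                            "confirm the vendor", raw))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'fix': 2, 'review': 2, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the sample, the orphaned O2 BHO and the missing msjava.dll O9 entry come out as safe fixes, the quikshield.com O16 download and the WRNotifier O20 entry are queued for review (the latter belongs to Spy Sweeper per the O23 line in the log, which is exactly the vendor check the rule asks for), and the MSConfig Run entry is reported as context rather than as something to remove.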