New Spyware or Something

callie3274 · 07-24-2006, 05:49 PM

My spysweeper has detected this same thing called CLKOPTIMIZER when i do a spy scan, its quarentines it but then it comes back. I have tried cwblaster, spysweeper, stinger, avast, avg and ewido and no luck. Any suggestions? Here is my hijack log
Logfile of HijackThis v1.99.1
Scan saved at 7:33:03 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [08mc0oxg.dll] "RUNDLL32.EXE" 08mc0oxg.dll,b 25518312
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Any help would be great!

tetonbob · 07-27-2006, 10:22 AM

Hello and Welcome. Sorry for the delay.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see you have more than one Anti-Virus program installed, Avast and AVG. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

-----------------------------------------------------------------------

I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run Ewido

From the main ewido screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit Ewido. DO NOT scan yet.

-----------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Secure MSVS
Double-click on it to open the Properties dialog.
Under the General tab:
Stop the service by using the Stop button.
Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, copy/paste MicroService32 Click on the OK button

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [08mc0oxg.dll] "RUNDLL32.EXE" 08mc0oxg.dll,b 25518312
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINDOWS\msvcrs.exe
C:\WINDOWS\system32\oocqrc.exe
08mc0oxg.dll<<<find via Start>Search

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Create an uninstall list:

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

Please return with results from:

Ewido
Panda
HijackThis
Uninstall List

callie3274 · 07-27-2006, 07:19 PM

Ok I did everything you instructed me to do as follows:
Ewido report
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:40:43 PM 7/27/2006

+ Scan result:

Nothing found.

::Report end

Panda Report
Incident Status Location

Adware:adware/dollarrevenue Not disinfected c:\windows\timessquare1.dat
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/sidestep Not disinfected Windows Registry
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\060624100508.ses
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\WindowsXP\My Documents\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix\process.exe
HijackThis Report
Logfile of HijackThis v1.99.1
Scan saved at 9:11:40 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Uninstaller List report
Ad-aware 6 Personal
Ad-Aware SE Personal
Adobe Reader 6.0.1
AOL Instant Messenger
AVG Free Edition
CleanUp!
Contextual Tool
ewido anti-spyware 4.0
Google Desktop
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
ImageShack QuickLoad
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_04
LimeWire 4.9.29
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Office Professional Edition 2003
MyDataBase
Nero 6 Ultra Edition
Panda ActiveScan
Picasa 2
PowerDVD
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Messenger

Please let me know what to do next and thank you so much for your help.

tetonbob · 07-27-2006, 10:29 PM

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code.

Updating Java:

Go to Start > Control Panel double-click on the Software icon, Add or Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Contextual Tool

This Add or Remove Programs entry corresponds to a program that is either malware, installs malware, or is bundled with malware.

It is advised that you uninstall this program from your computer due to the above reasons. If this program gave you the option to not install the malware or adware during setup, and you chose that option, then it should be safe to leave the program installed. Please note that not all programs listed here will actually be uninstalled when you attempt to do so

---------------------------------------------------------------------------------------------

Delete the following if they exist:

c:\windows\timessquare1.dat
C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\060624100508.ses

If they resist deletion, boot to safe mode and delete them from there.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please post logs from:

Kaspersky
HJT

How is your system behaving? If Spysweeper is finding CLKOPTIMIZER still, please note the exact location it does find.

callie3274 · 07-28-2006, 07:43 PM

ok Here are the 2 post logs as follows:

Kaspersky

Friday, July 28, 2006 9:40:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 209742

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 29227
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:34:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\backups\backup-20051231-082119-305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\WindowsXP\Shared\Top of Charts - 2005 (scrappin).wm Infected: Trojan-Downloader.WMA.Wimad.c skipped

C:\WINDOWS\system32\ddccd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\pmkjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\pmnnk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

Scan process completed.

HiJAckTHis

Logfile of HijackThis v1.99.1
Scan saved at 9:41:37 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thanks for your help and I will wait for your reply

tetonbob · 07-28-2006, 08:51 PM

Quote:

How is your system behaving? If Spysweeper is finding CLKOPTIMIZER still, please note the exact location it does find.

Looks like you've been battling infections prior to this...as I see vundo files, VundoFix and VirtumondeBegone. How long ago was this battle?

---------------------------------------------------------------------------------------------

Go to Start->Run Then copy and paste the following into the run box, then press Enter.

sc stop MicroService32

Repeat the process for next command. Go to Start->Run Then copy and paste the following into the run box, then press Enter.

sc delete MicroService32

Restart your system.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\backups\backup-20051231-082119-305.dll
C:\Documents and Settings\WindowsXP\Shared\Top of Charts - 2005 (scrappin).wm
C:\WINDOWS\system32\ddccd.dll.vir
C:\WINDOWS\system32\pmkjj.dll.vir
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\msvcrs.exe

If they resist deletion, boot to safe mode and deleted them from there. Let me know if you cannot find any, or delete them.

---------------------------------------------------------------------------------------------

Download combofix from one of these locations:
- http://www.techsupportforum.com/sectools/combofix.exe
- http://download.bleepingcomputer.com/sUBs/combofix.exe
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Also post a new HJT log.

How is your system behaving now, please?

callie3274 · 07-29-2006, 06:13 AM

Ok I had the virtumonde virus or whatever on my computer back in november and i used fixvundo.exe to get rid of it, but i dont think it truly was ever fixed, then when i started having this clkoptimizer show up, which spysweeper finds it everytime i scan and i cant find where it is located, i get start up errors, such as the rundll32 error which i dont not get anymore, that is fixed, but i keep getting this message 3 times when i boot up :
C:\Progra1\stamps~1.com\regall.exe - this exact message pops up and i have to ok 3 times to bypass it, also I have gone into my start up by going to run then typing msconfig and delete aim & spysweeper from being in the start up and they keep coming back. Here are the post you asked for and my computer runs ok, i do not get pop ups when im online, but i hear my computer always scrolling,even when im not using it. The files in the last reply you told me to delete, i deleted and they gave me no problem.

Combofix

Start Time= Sat 07/29/2006 7:58:08.56
Running from: C:\Documents and Settings\WindowsXP\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

7:58:41.79

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

2006-07-07 17:16:10 8,704 "C:\WINDOWS\system32\ssiefr.EXE"
2006-07-07 17:16:10 20,992 "C:\WINDOWS\system32\wrlzma.dll"

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

2006-07-07 17:16:10 8,704 "C:\WINDOWS\system32\ssiefr.EXE"
2006-07-07 17:16:10 20,992 "C:\WINDOWS\system32\wrlzma.dll"

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-28 18:35:34 ( .D... ) "C:\Program Files\Java"
2006-07-28 18:34:58 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-25 12:33:14 ( .D... ) "C:\Program Files\PC MightyMax"
2006-07-21 17:23:06 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-18 16:28:46 ( .D... ) "C:\Documents and Settings\WindowsXP\Application Data\AVG7"
2006-07-18 16:28:32 ( .D... ) "C:\Program Files\Grisoft"
2006-07-18 07:17:16 ( .D... ) "C:\Documents and Settings\WindowsXP\Application Data\Lavasoft"
2006-07-18 06:45:38 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-07 17:16:28 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll"
2006-07-07 17:16:12 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll"
2006-07-07 17:16:12 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf(2)(2).dll"
2006-07-07 17:16:10 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll"
2006-07-07 17:16:10 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE"
2006-05-11 10:31:58 2560 ( A.... ) "C:\WINDOWS\_MSRSTRT.EXE"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-28 18:36 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-28 18:36 49,248 C:\WINDOWS\system32\java.exe
2006-07-28 18:36 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-27 20:47 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-27 20:47 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-25 19:43 86,016 C:\WINDOWS\system32\mdmxsdk.dll
2006-07-08 12:24 5,632 C:\WINDOWS\system32\ptpusb.dll
2006-07-08 12:24 159,232 C:\WINDOWS\system32\ptpusd.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1139438832\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.6.2.9\\PlaxoHelper.exe -a"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"stampsregk"="C:\\PROGRA~1\\STAMPS~1.COM\\regall.exe -k -s"
"stampsrego"="C:\\PROGRA~1\\STAMPS~1.COM\\regall.exe -o -s"
"stampsreg"="C:\\PROGRA~1\\STAMPS~1.COM\\RegAll.exe -s"
"Run IPH"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"mofk"="C:\\Program Files\\Common Files\\mofk\\mofkm.exe"
"Otss"="C:\\Program Files\\alwd\\waue.exe -vt yazr"
"Njtycqd"="C:\\WINDOWS\\system32\\ssembly\\svchost.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"mofk"="C:\\Program Files\\Common Files\\mofk\\mofkm.exe"
"Otss"="C:\\Program Files\\alwd\\waue.exe -vt yazr"
"Njtycqd"="C:\\WINDOWS\\system32\\ssembly\\svchost.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"inimapping"="0"
"command"="C:\\Program Files\\Common Files\\AOL\\1139438832\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\Video\\ISStart.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\Video\\LogiTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5RS_0001_0808]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WFXScanR[1]"
"hkey"="HKLM"
"command"="\"C:\\Documents and Settings\\WindowsXP\\Local Settings\\Temporary Internet Files\\Content.IE5\\WZ7NASHD\\WFXScanR[1].exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PlaxoHelper"
"hkey"="HKCU"
"inimapping"="0"
"command"="C:\\Program Files\\Plaxo\\2.6.2.9\\PlaxoHelper.exe -a"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002
"SENS"=dword:00000002
"ERSvc"=dword:00000002
"Browser"=dword:00000002
"BITS"=dword:00000002

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcWRSSSDK
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Sat 07/29/2006 8:00:22.06
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-29.075808.txt

Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 08:03:01, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I have also gone into hijack this and checked the boxes that contain aol software, because i only use Aim, not aol, and also the 3 files that contain stamps and they keep coming back.
I hope i have posted all the information you needed.

Again many thanks for the help.

tetonbob · 07-29-2006, 08:54 AM

Please don't fix anything on your own while we're working together. Also, don't disable anything through msconfig for now, as it will hinder my ability to see everything and help you.

Do you have an online stamp download program installed?

---------------------------------------------------------------------------------------------

Webroot SpySweeper

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:

Go to the Options>Program Options
Uncheck Load at Windows Startup
Click Shields on the left.
Click Internet Explorer and uncheck all items.
Click Windows System and uncheck all items.
Click Startup Programs and uncheck all items.
Click Browser Add-Ons and uncheck all items.
Exit Spysweeper.

---------------------------------------------------------------------------------------------

I have attached a file to this post - callie.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run

---------------------------------------------------------------------------------------------

Delete the following if it exists:

C:\WINDOWS\system32\oocqrc.exe

If it resists deletion, boot to safe mode and delete it from there. Don't worry if you cannot find it.

---------------------------------------------------------------------------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

Create an uninstall list:

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Run a new scan with HijackThis. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

clkoptimizer

Save the file/files and post the results in the forum.

Please return with results from:

DrWeb
Uninstall list
HijackThis
regsearch

callie3274 · 07-29-2006, 06:55 PM

Ok
I installed a program a while back called mysoft, which contains a program i use called my database, which i have used for 3 years on my work computer and never had a problem, when it installs it installs a postage program which i have removed months ago. I disabled spysweeper. I tried to unzip the callie.zip you posted and got this message :
cannot impart c:\Docume~1window~1\locals~1\temp\temporary\directory1 for callie.reg. The specified file is not a registry script

I deleted the 04 - HKLM\..Run: [winsync] C:\windows\system32\oocqrc.exe

I did a search for clkoptimizer with regsrch.vbs and i got
"No instances of clkoptimizer found"

Here are the list you requested

DrWed

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
process.exe;C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix;Tool.Prockill;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
ddayy.dll;C:\WINDOWS\system32;Adware.Virtumonde;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Deleted.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Deleted.;
process.exe;C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix;Tool.Prockill;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;

uninstall list
Ad-aware 6 Personal
Ad-Aware SE Personal
Adobe Reader 6.0.1
AOL Instant Messenger
AVG Free Edition
CleanUp!
ewido anti-spyware 4.0
Google Desktop
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
ImageShack QuickLoad
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
LimeWire 4.9.29
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Office Professional Edition 2003
MyDataBase
Nero 6 Ultra Edition
Panda ActiveScan
Picasa 2
PowerDVD
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Messenger

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 08:03:01, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

and regsearch i could not get a report, it couldnt find clkoptimizer.

tetonbob · 07-29-2006, 07:36 PM

I've corrected the attached regfix. Discard the one you already downloaded, and download the newly uploaded zip file in the previous post. There's no need to unzip it, you can run it from within the zip folder, as long as you download the zip file to your desktop.

Please do so now using the previous instructions.

Spysweeper still appears to be active on your machine, and it is this program's protection which I think is preventing some HJT entries from staying fixed.

Is this a paid version of Spysweeper, or a trial?

While this program is still enabled, it may prevent us from fixing HJT entries.

We can try again:

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:

Go to the Options>Program Options
Uncheck Load at Windows Startup
Click Shields on the left.
Click Internet Explorer and uncheck all items.
Click Windows System and uncheck all items.
Click Startup Programs and uncheck all items.
Click Browser Add-Ons and uncheck all items.
Exit Spysweeper.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s

---------------------------------------------------------------------------------------------

Then run another HJT scan, save the log and post it.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Double click on 'Silent Runners' to run it. Choose 'No' at the prompt. It will create a file called 'Startup Programs' (followed by your computer name and current date) on your desktop. Do NOT open it yet. Wait until you get the prompt 'All Done'. Then open up that file and post all the contents here in your next post. If you receive a warning message about scripts, choose to allow it to run.

callie3274 · 07-30-2006, 12:10 PM

Ok when i started up my computer today before reading your post, I did not get the stamp errors like i usually do, and then i opened you post and did the following, I double checked spysweeper and it is completely disabled, and yes it is a paid for version, so i have the disk for it. I opened Hijack this and the files you stated to mark fix checked are not there, I havent done anything to my computer since the last post. and here are myu 2 scans you requested

Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 14:02:22, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Silent runners

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"PlaxoUpdate" = "C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a" [file not found]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"AVG7_CC" = ""C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP" ["GRISOFT, s.r.o."]
"HostManager" = "C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
-> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" ["Google"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
QuickLoad\(Default) = "{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}"
-> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\WindowsXP\Local Settings\Application Data\Microsoft\Wallpaper2.bmp"

Enabled Scheduled Tasks:
------------------------

"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}"
-> {HKLM...CLSID} = "AIM Search"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided)
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]

{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RoboForm Toolbar"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 25 seconds.
---------- (total run time: 97 seconds)

I will wait to hear back from you and thanks very much for your help.

tetonbob · 07-30-2006, 01:11 PM

I see where we erred...

The HJT logs in post #7 and post #9 are the same.

Logfile of HijackThis v1.99.1
Scan saved at 08:03:01, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Logfile of HijackThis v1.99.1
Scan saved at 08:03:01, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

So, the items I wanted fixed, and the Stamps items you fixed, were. Which your latest log shows.

Let's try one more attempt at locating clkoptimizer

Download & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter

clkoptimizer

& click "Ok".
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.

callie3274 · 07-30-2006, 02:37 PM

ok here is what i got from registry search
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 7/30/2006 4:35:19 PM for strings:
; 'clkoptimizer '
; Strings excluded from search:
; 'clkoptimizer '
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Now for some reason, my time is in military time? lol It is just my luck!

tetonbob · 07-30-2006, 03:13 PM

Ummm...not sure about the military time thing, as far as why or how it happened, but I can help you get that back if you can't simply reset your clock.

Go to Start>ControlPanel (Using Classic View)>Regional and Language Options>Regional Options tab>Customize Button>Time tab

In the Time format line, it should look like this:

h:mm:ss:tt

See the attached thumbnail.

Now, about the regsearch results...it appears as though you entered the clkoptimizer in both the upper search string area and the lower exclusion area, or just the lower area.

This is how a negative result for the string search would look:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 2006-07-30 3:13:02 PM for strings:
; 'clkoptimizer '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Note that your results show this:

; Strings excluded from search:
; 'clkoptimizer '

So we haven't looked for it yet....

Please see the second thumbnail for the correct location to place clkoptimizer. Then run the search again.

callie3274 · 07-30-2006, 03:49 PM

ok here is the new log, sorry bout that one! The time thing didnt work so i dont know what else to do for that.

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 7/30/2006 17:46:37 for strings:
; 'clkoptimizer'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Let me know what comes next. Thanks!

tetonbob · 07-30-2006, 11:13 PM

Well, we can't seem to find any instances of clkoptimizer. I'm not sure what Spysweeper is hitting on. Reenable it, and run a full system scan, using these settings:

Enable Webroot SpySweeper:

Go to the Options>Program Options
Check Load at Windows Startup
Click Shields on the left.
Click Internet Explorer and Check all items.
Click Windows System and Check all items.
Click Startup Programs and Check all items.
Click Browser Add-Ons and Check all items.
Exit Spysweeper.

First, update it's definitions.

On the Home screen, Click on the Check for Definition Update link on the right side of the screen.
Once the definitions are installed, disconnect from the internet.
Click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Also post a new HJT log, and let me know how your system is behaving.

About the time settings, did you click Apply>OK>Apply on the way out of the screens? Try it once more, please, as I've done this before on my own system in error....

callie3274 · 07-31-2006, 06:29 AM

Ok here are the 2 post from spysweeper and hijack this, i also noticed that in the hijack log, those 3 stamp file are there again so i have no idea how that happened unless there a gremlin living in my computer....lol...ok back to business

Spysweeper scan

8:12 AM: Removal process completed. Elapsed time 00:00:10
8:12 AM: Quarantining All Traces: clkoptimizer
8:12 AM: Removal process initiated
8:09 AM: Traces Found: 1
8:09 AM: Full Sweep has completed. Elapsed time 00:12:41
8:09 AM: File Sweep Complete, Elapsed Time: 00:08:20
8:09 AM: Warning: Failed to open file "c:\windows\system32\spool\printers\fp00000.shd". The operation completed successfully
8:09 AM: Warning: Failed to open file "c:\windows\system32\spool\printers\fp00000.spl". The operation completed successfully
08:01: Access to Hosts file allowed for C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
08:01: Starting File Sweep
08:01: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:01: Starting Cookie Sweep
08:01: Registry Sweep Complete, Elapsed Time:00:00:25
08:01: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
08:01: Found Adware: clkoptimizer
08:00: Starting Registry Sweep
08:00: Memory Sweep Complete, Elapsed Time: 00:03:39
Operation: File Access
Target:
Source: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
08:00: Tamper Detection
07:57: Starting Memory Sweep
07:56: Sweep initiated using definitions version 729
07:56: Spy Sweeper 5.0.5.1286 started
07:56: | Start of Session, July 31, 2006 |
********
07:56: | End of Session, July 31, 2006 |
07:50: Your definitions are up to date.
07:50: Your definitions are up to date.
07:49: Startup Shield: On
07:49: Common Ad Sites Shield: On
07:49: Hosts File Shield: On
07:49: Keylogger Shield: On
07:49: Spy Communication Shield: On
07:49: Spy Installation Shield: On
07:49: Memory Shield: On
07:49: Windows Messenger Service Shield: On
07:49: Alternate Data Stream (ADS) Execution Shield: On
07:49: ActiveX Shield: On
07:49: IE Hijack Shield: On
07:49: BHO Shield: On
07:49: IE Tracking Cookies Shield: Removed tribalfusion cookie
07:49: IE Tracking Cookies Shield: Removed trafficmp cookie
07:49: IE Tracking Cookies Shield: Removed statcounter cookie
07:49: IE Tracking Cookies Shield: Removed serving-sys cookie
07:49: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
07:49: IE Tracking Cookies Shield: Removed realmedia cookie
07:49: IE Tracking Cookies Shield: Removed questionmarket cookie
07:49: IE Tracking Cookies Shield: Removed mediaplex cookie
07:49: IE Tracking Cookies Shield: Removed fastclick cookie
07:49: IE Tracking Cookies Shield: Removed casalemedia cookie
07:49: IE Tracking Cookies Shield: Removed bluestreak cookie
07:49: IE Tracking Cookies Shield: Removed atwola cookie
07:49: IE Security Shield: On
07:49: IE Tracking Cookies Shield: Removed atlas dmt cookie
07:49: IE Tracking Cookies Shield: Removed advertising cookie
07:49: IE Tracking Cookies Shield: Removed adrevolver cookie
07:49: IE Tracking Cookies Shield: Removed adrevolver cookie
07:49: IE Tracking Cookies Shield: Removed yieldmanager cookie
07:49: IE Tracking Cookies Shield: Removed 2o7.net cookie
07:49: IE Favorites Shield: On
07:49: IE Tracking Cookies Shield: On
Keylogger Shield: Off
BHO Shield: Off
IE Security Shield: Off
Alternate Data Stream (ADS) Execution Shield: Off
Startup Shield: Off
Common Ad Sites Shield: Off
Hosts File Shield: Off
Spy Communication Shield: Off
ActiveX Shield: Off
Windows Messenger Service Shield: Off
IE Favorites Shield: Off
Spy Installation Shield: Off
Memory Shield: Off
IE Hijack Shield: Off
IE Tracking Cookies Shield: Off
07:48: Shield States
07:48: Spyware Definitions: 729
07:48: Spy Sweeper 5.0.5.1286 started
1:58 PM: Your definitions are up to date.
1:58 PM: Automated check for program update in progress.
Keylogger Shield: Off
BHO Shield: Off
IE Security Shield: Off
Alternate Data Stream (ADS) Execution Shield: Off
Startup Shield: Off
Common Ad Sites Shield: Off
Hosts File Shield: Off
Spy Communication Shield: Off
ActiveX Shield: Off
Windows Messenger Service Shield: Off
IE Favorites Shield: Off
Spy Installation Shield: Off
Memory Shield: Off
IE Hijack Shield: Off
IE Tracking Cookies Shield: Off
1:57 PM: Shield States
1:57 PM: Spyware Definitions: 729
1:57 PM: Spy Sweeper 5.0.5.1286 started
3:44 PM: Hosts File Shield: Off
3:44 PM: Startup Shield: Off
3:44 PM: Keylogger Shield: Off
3:44 PM: Spy Communication Shield: Off
3:44 PM: Spy Installation Shield: Off
3:44 PM: Memory Shield: Off
3:44 PM: Windows Messenger Service Shield: Off
3:44 PM: Alternate Data Stream (ADS) Execution Shield: Off
3:44 PM: ActiveX Shield: Off
3:44 PM: IE Hijack Shield: Off
3:44 PM: BHO Shield: Off
3:44 PM: IE Security Shield: Off
3:44 PM: IE Favorites Shield: Off
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:01 AM: Shield States
8:01 AM: Spyware Definitions: 729
8:01 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:56 AM: Shield States
7:56 AM: Spyware Definitions: 729
7:56 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:49 AM: Shield States
7:49 AM: Spyware Definitions: 729
7:49 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:38 AM: Shield States
7:38 AM: Spyware Definitions: 729
7:38 AM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:35 AM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:35 AM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:20 AM: Shield States
7:20 AM: Spyware Definitions: 729
7:19 AM: Spy Sweeper 5.0.5.1286 started
11:11 PM: Removal process completed. Elapsed time 00:00:19
11:11 PM: Quarantining All Traces: yieldmanager cookie
11:11 PM: Quarantining All Traces: tribalfusion cookie
11:11 PM: Quarantining All Traces: trafficmp cookie
11:11 PM: Quarantining All Traces: serving-sys cookie
11:11 PM: Quarantining All Traces: realmedia cookie
11:11 PM: Quarantining All Traces: questionmarket cookie
11:11 PM: Quarantining All Traces: qksrv cookie
11:11 PM: Quarantining All Traces: pointroll cookie
11:11 PM: Quarantining All Traces: mediaplex cookie
11:11 PM: Quarantining All Traces: fastclick cookie
11:11 PM: Quarantining All Traces: falkag cookie
11:11 PM: Quarantining All Traces: clkoptimizer
11:11 PM: Quarantining All Traces: casalemedia cookie
11:11 PM: Quarantining All Traces: bluestreak cookie
11:11 PM: Quarantining All Traces: atlas dmt cookie
11:11 PM: Quarantining All Traces: apmebf cookie
11:11 PM: Quarantining All Traces: advertising cookie
11:11 PM: Quarantining All Traces: 2o7.net cookie
11:11 PM: Removal process initiated
10:09 PM: Traces Found: 18
10:09 PM: Full Sweep has completed. Elapsed time 00:08:45
10:09 PM: File Sweep Complete, Elapsed Time: 00:04:58
10:04 PM: Starting File Sweep
10:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@tribalfusion[1].txt (ID = 3589)
10:03 PM: Found Spy Cookie: tribalfusion cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@trafficmp[1].txt (ID = 3581)
10:03 PM: Found Spy Cookie: trafficmp cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@serving-sys[2].txt (ID = 3343)
10:03 PM: Found Spy Cookie: serving-sys cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@realmedia[1].txt (ID = 3235)
10:03 PM: Found Spy Cookie: realmedia cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@questionmarket[2].txt (ID = 3217)
10:03 PM: Found Spy Cookie: questionmarket cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@qksrv[2].txt (ID = 3213)
10:03 PM: Found Spy Cookie: qksrv cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@mediaplex[1].txt (ID = 6442)
10:03 PM: Found Spy Cookie: mediaplex cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@fastclick[1].txt (ID = 2651)
10:03 PM: Found Spy Cookie: fastclick cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@casalemedia[2].txt (ID = 2354)
10:03 PM: Found Spy Cookie: casalemedia cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@bluestreak[2].txt (ID = 2314)
10:03 PM: Found Spy Cookie: bluestreak cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@atdmt[2].txt (ID = 2253)
10:03 PM: Found Spy Cookie: atlas dmt cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@as-us.falkag[1].txt (ID = 2650)
10:03 PM: Found Spy Cookie: falkag cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@apmebf[2].txt (ID = 2229)
10:03 PM: Found Spy Cookie: apmebf cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@advertising[2].txt (ID = 2175)
10:03 PM: Found Spy Cookie: advertising cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@ads.pointroll[2].txt (ID = 3148)
10:03 PM: Found Spy Cookie: pointroll cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@ad.yieldmanager[1].txt (ID = 3751)
10:03 PM: Found Spy Cookie: yieldmanager cookie
10:03 PM: c:\documents and settings\windowsxp\cookies\windowsxp@2o7[1].txt (ID = 1957)
10:03 PM: Found Spy Cookie: 2o7.net cookie
10:03 PM: Starting Cookie Sweep
10:03 PM: Registry Sweep Complete, Elapsed Time:00:00:29
10:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
10:03 PM: Found Adware: clkoptimizer
10:03 PM: Starting Registry Sweep
10:03 PM: Memory Sweep Complete, Elapsed Time: 00:02:53
10:00 PM: Starting Memory Sweep
10:00 PM: Sweep initiated using definitions version 729
10:00 PM: Spy Sweeper 5.0.5.1286 started
10:00 PM: | Start of Session, Friday, July 28, 2006 |
********
10:00 PM: | End of Session, Friday, July 28, 2006 |
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOPCRAWL.EXE
10:00 PM: Tamper Detection
10:00 PM: Your spyware definitions have been updated.
9:59 PM: Deleted error log without sending: C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:59 PM: Shield States
9:59 PM: Spyware Definitions: 724
9:58 PM: Spy Sweeper 5.0.5.1286 started
12:17 PM: Spy Sweeper 5.0.5.1286 started
12:10 PM: Spy Sweeper 5.0.5.1286 started
8:00 AM: Access to Hosts file allowed for C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
Operation: File Access
Target:
Source: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
8:00 AM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:40 AM: Shield States
7:39 AM: Spyware Definitions: 724
7:39 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:07 PM: Shield States
11:07 PM: Spyware Definitions: 724
11:07 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:26 PM: Shield States
10:26 PM: Spyware Definitions: 724
10:25 PM: Spy Sweeper 5.0.5.1286 started
Operation: File Access
Target:
Source: C:\DOCUMENTS AND SETTINGS\WINDOWSXP\DESKTOP\FIXSIRC.COM
10:14 PM: Tamper Detection
9:04 PM: Access to Hosts file allowed for C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGWB.DAT
Operation: File Access
Target:
Source: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGWB.DAT
9:03 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:59 PM: Shield States
8:59 PM: Spyware Definitions: 724
8:59 PM: Spy Sweeper 5.0.5.1286 started
7:16 PM: Your definitions are up to date.
7:16 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
7:15 PM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:15 PM: Shield States
7:15 PM: Spyware Definitions: 724
7:14 PM: Spy Sweeper 5.0.5.1286 started
11:07 PM: Removal process completed. Elapsed time 00:00:11
11:07 PM: Quarantining All Traces: clkoptimizer
11:06 PM: Removal process initiated
9:02 PM: Traces Found: 1
9:02 PM: Full Sweep has completed. Elapsed time 00:09:08
9:02 PM: File Sweep Complete, Elapsed Time: 00:05:10
8:57 PM: Starting File Sweep
8:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:57 PM: Starting Cookie Sweep
8:57 PM: Registry Sweep Complete, Elapsed Time:00:00:27
8:57 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
8:57 PM: Found Adware: clkoptimizer
8:56 PM: Starting Registry Sweep
8:56 PM: Memory Sweep Complete, Elapsed Time: 00:03:06
8:53 PM: Starting Memory Sweep
8:53 PM: Sweep initiated using definitions version 724
8:53 PM: Spy Sweeper 5.0.5.1286 started
8:53 PM: | Start of Session, Sunday, July 23, 2006 |
********
8:53 PM: | End of Session, Sunday, July 23, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:05 AM: Shield States
10:04 AM: Spyware Definitions: 724
10:04 AM: Spy Sweeper 5.0.5.1286 started
A system shutdown is in progress
7:43 AM: Warning: System Error. Code: 1115.
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:42 AM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:42 AM: Tamper Detection
Operation: File Access
Target:
Source: C:\PROGRAM FILES\EWIDO ANTI-SPYWARE 4.0\EWIDO.EXE
7:15 AM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:53 AM: Shield States
6:53 AM: Spyware Definitions: 724
6:52 AM: Spy Sweeper 5.0.5.1286 started
11:57 PM: Your definitions are up to date.
11:57 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:57 PM: Shield States
11:57 PM: Spyware Definitions: 724
11:56 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:02 AM: Shield States
10:01 AM: Spyware Definitions: 724
10:00 AM: Spy Sweeper 5.0.5.1286 started
9:57 AM: Spy Sweeper 5.0.5.1286 started
9:00 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:55 PM: Shield States
8:55 PM: Spyware Definitions: 724
8:55 PM: Spy Sweeper 5.0.5.1286 started
6:21 PM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOPCRAWL.EXE
6:20 PM: Tamper Detection
Operation: File Access
Target:
Source: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
6:20 PM: Tamper Detection
6:20 PM: Automated check for program update in progress.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\EWIDO ANTI-SPYWARE 4.0\EWIDO.EXE
5:41 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:03 PM: Shield States
5:03 PM: Spyware Definitions: 723
5:03 PM: Spy Sweeper 5.0.5.1286 started
5:00 PM: Removal process completed. Elapsed time 00:00:14
5:00 PM: Quarantining All Traces: tribalfusion cookie
5:00 PM: Quarantining All Traces: trafficmp cookie
5:00 PM: Quarantining All Traces: tradedoubler cookie
5:00 PM: Quarantining All Traces: realmedia cookie
5:00 PM: Quarantining All Traces: questionmarket cookie
5:00 PM: Quarantining All Traces: mediaplex cookie
5:00 PM: Quarantining All Traces: fastclick cookie
5:00 PM: Quarantining All Traces: sextracker cookie
5:00 PM: Quarantining All Traces: casalemedia cookie
5:00 PM: Quarantining All Traces: bluestreak cookie
5:00 PM: Quarantining All Traces: atwola cookie
5:00 PM: Quarantining All Traces: atlas dmt cookie
5:00 PM: Quarantining All Traces: advertising cookie
5:00 PM: Quarantining All Traces: yieldmanager cookie
4:59 PM: Quarantining All Traces: clkoptimizer
4:59 PM: Removal process initiated
4:59 PM: Traces Found: 16
4:59 PM: Full Sweep has completed. Elapsed time 00:03:55
4:59 PM: File Sweep Complete, Elapsed Time: 00:02:35
4:57 PM: Starting File Sweep
4:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:57 PM: windowsxp@tribalfusion[2].txt (ID = 3589)
4:57 PM: Found Spy Cookie: tribalfusion cookie
4:57 PM: windowsxp@trafficmp[2].txt (ID = 3581)
4:57 PM: Found Spy Cookie: trafficmp cookie
4:57 PM: windowsxp@tradedoubler[1].txt (ID = 3575)
4:57 PM: Found Spy Cookie: tradedoubler cookie
4:57 PM: windowsxp@sextracker[2].txt (ID = 3361)
4:57 PM: windowsxp@realmedia[1].txt (ID = 3235)
4:57 PM: Found Spy Cookie: realmedia cookie
4:57 PM: windowsxp@questionmarket[2].txt (ID = 3217)
4:57 PM: Found Spy Cookie: questionmarket cookie
4:57 PM: windowsxp@mediaplex[1].txt (ID = 6442)
4:57 PM: Found Spy Cookie: mediaplex cookie
4:57 PM: windowsxp@fastclick[2].txt (ID = 2651)
4:57 PM: Found Spy Cookie: fastclick cookie
4:57 PM: windowsxp@counter14.sextracker[1].txt (ID = 3362)
4:57 PM: Found Spy Cookie: sextracker cookie
4:57 PM: windowsxp@casalemedia[2].txt (ID = 2354)
4:57 PM: Found Spy Cookie: casalemedia cookie
4:57 PM: windowsxp@bluestreak[1].txt (ID = 2314)
4:57 PM: Found Spy Cookie: bluestreak cookie
4:57 PM: windowsxp@atwola[1].txt (ID = 2255)
4:57 PM: Found Spy Cookie: atwola cookie
4:57 PM: windowsxp@atdmt[2].txt (ID = 2253)
4:57 PM: Found Spy Cookie: atlas dmt cookie
4:57 PM: windowsxp@advertising[2].txt (ID = 2175)
4:57 PM: Found Spy Cookie: advertising cookie
4:57 PM: windowsxp@ad.yieldmanager[2].txt (ID = 3751)
4:57 PM: Found Spy Cookie: yieldmanager cookie
4:57 PM: Starting Cookie Sweep
4:57 PM: Registry Sweep Complete, Elapsed Time:00:00:10
4:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
4:56 PM: Found Adware: clkoptimizer
4:56 PM: Starting Registry Sweep
4:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
4:55 PM: Warning: A required privilege is not held by the client
4:55 PM: Starting Memory Sweep
4:55 PM: Sweep initiated using definitions version 723
4:55 PM: Spy Sweeper 5.0.5.1286 started
4:55 PM: | Start of Session, Friday, July 21, 2006 |
********
4:55 PM: | End of Session, Friday, July 21, 2006 |
4:55 PM: Program Version 5.0.5.1286 Using Spyware Definitions 723
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
3:16 PM: Shield States
3:16 PM: Spyware Definitions: 723
3:16 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:44 PM: Shield States
10:44 PM: Spyware Definitions: 723
10:44 PM: Spy Sweeper 5.0.5.1286 started
9:30 PM: Access to Hosts file blocked for C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
9:29 PM: Tamper Detection
9:29 PM: Access to Hosts file blocked for C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:00 PM: Shield States
9:00 PM: Spyware Definitions: 723
9:00 PM: Spy Sweeper 5.0.5.1286 started
8:20 PM: | End of Session, Thursday, July 20, 2006 |
8:20 PM: Deletion from quarantine completed. Elapsed time 00:00:00
8:20 PM: Processing: 2o7.net cookie
8:20 PM: Processing: ccbill cookie
8:20 PM: Processing: webtrends cookie
8:20 PM: Processing: yieldmanager cookie
8:20 PM: Processing: clkoptimizer
8:20 PM: Processing: atwola cookie
8:20 PM: Processing: realmedia cookie
8:20 PM: Deletion from quarantine initiated
8:19 PM: Removal process completed. Elapsed time 00:00:05
8:19 PM: Quarantining All Traces: clkoptimizer
8:19 PM: Removal process initiated
8:06 PM: Traces Found: 1
8:06 PM: Full Sweep has completed. Elapsed time 00:08:19
8:06 PM: File Sweep Complete, Elapsed Time: 00:07:02
7:59 PM: Starting File Sweep
7:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:59 PM: Starting Cookie Sweep
7:59 PM: Registry Sweep Complete, Elapsed Time:00:00:11
7:59 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
7:59 PM: Found Adware: clkoptimizer
7:59 PM: Starting Registry Sweep
7:59 PM: Memory Sweep Complete, Elapsed Time: 00:00:55
7:58 PM: Starting Memory Sweep
7:58 PM: Sweep initiated using definitions version 723
7:58 PM: Spy Sweeper 5.0.5.1286 started
7:58 PM: | Start of Session, Thursday, July 20, 2006 |
********
8:28 PM: Traces Found: 0
8:28 PM: Full Sweep has completed. Elapsed time 00:08:08
8:28 PM: File Sweep Complete, Elapsed Time: 00:07:00
8:21 PM: Starting File Sweep
8:21 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:21 PM: Starting Cookie Sweep
8:21 PM: Registry Sweep Complete, Elapsed Time:00:00:11
8:21 PM: Starting Registry Sweep
8:21 PM: Memory Sweep Complete, Elapsed Time: 00:00:51
8:20 PM: Starting Memory Sweep
8:20 PM: Sweep initiated using definitions version 723
8:20 PM: Spy Sweeper 5.0.5.1286 started
8:20 PM: | Start of Session, Thursday, July 20, 2006 |
********
7:58 PM: | End of Session, Thursday, July 20, 2006 |
7:58 PM: Program Version 5.0.5.1286 Using Spyware Definitions 723
6:20 PM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOPCRAWL.EXE
6:20 PM: Tamper Detection
Operation: File Access
Target:
Source: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
6:20 PM: Tamper Detection
6:19 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
5:10 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E.tmp". Reason: The process cannot access the file because it is being used by another process
5:10 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E.tmp.log". Reason: The process cannot access the file because it is being used by another process
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
5:10 PM: Warning: S-1-5-21-583907252-854245398-682003330-500 could not be unmapped. Error Code 87
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:10 PM: Shield States
5:10 PM: Spyware Definitions: 722
5:10 PM: Spy Sweeper 5.0.5.1286 started
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOPCRAWL.EXE
6:19 PM: Tamper Detection
6:19 PM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
6:19 PM: Tamper Detection
6:19 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
6:19 PM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:18 PM: Shield States
6:18 PM: Spyware Definitions: 721
6:18 PM: Spy Sweeper 5.0.5.1286 started
A system shutdown is in progress
11:47 PM: Warning: System Error. Code: 1115.
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:47 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:47 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:52 PM: Shield States
5:52 PM: Spyware Definitions: 721
5:52 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
5:50 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
5:49 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:43 PM: Shield States
5:43 PM: Spyware Definitions: 721
5:42 PM: Spy Sweeper 5.0.5.1286 started
5:40 PM: Deleted error log without sending: C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
5:39 PM: Warning: Access is denied
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:39 PM: Shield States
5:39 PM: Spyware Definitions: 721
5:39 PM: Spy Sweeper 5.0.5.1286 started
5:01 PM: Removal process completed. Elapsed time 00:00:51
5:01 PM: Quarantining All Traces: realmedia cookie
5:01 PM: Quarantining All Traces: 2o7.net cookie
5:01 PM: Quarantining All Traces: webtrends cookie
5:01 PM: Quarantining All Traces: ccbill cookie
5:01 PM: Quarantining All Traces: atwola cookie
5:01 PM: Quarantining All Traces: yieldmanager cookie
5:01 PM: Quarantining All Traces: clkoptimizer
5:00 PM: Removal process initiated
4:45 PM: Traces Found: 7
4:45 PM: Full Sweep has completed. Elapsed time 00:07:13
4:45 PM: File Sweep Complete, Elapsed Time: 00:04:14
4:45 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
4:40 PM: Starting File Sweep
4:40 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@network.realmedia[1].txt (ID = 3236)
4:40 PM: Found Spy Cookie: realmedia cookie
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@microsoftwga.112.2o7[1].txt (ID = 1958)
4:40 PM: Found Spy Cookie: 2o7.net cookie
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@m.webtrends[2].txt (ID = 3669)
4:40 PM: Found Spy Cookie: webtrends cookie
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@ccbill[1].txt (ID = 2369)
4:40 PM: Found Spy Cookie: ccbill cookie
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@atwola[1].txt (ID = 2255)
4:40 PM: Found Spy Cookie: atwola cookie
4:40 PM: c:\documents and settings\windowsxp\cookies\windowsxp@ad.yieldmanager[1].txt (ID = 3751)
4:40 PM: Found Spy Cookie: yieldmanager cookie
4:40 PM: Starting Cookie Sweep
4:40 PM: Registry Sweep Complete, Elapsed Time:00:00:27
4:40 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
4:40 PM: Found Adware: clkoptimizer
4:40 PM: Starting Registry Sweep
4:40 PM: Memory Sweep Complete, Elapsed Time: 00:02:13
4:38 PM: Starting Memory Sweep
4:37 PM: Sweep initiated using definitions version 721
4:37 PM: Spy Sweeper 5.0.5.1286 started
4:37 PM: | Start of Session, Tuesday, July 18, 2006 |
********
4:37 PM: | End of Session, Tuesday, July 18, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
4:37 PM: Shield States
4:37 PM: Spyware Definitions: 721
4:36 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
4:27 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
4:27 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
4:18 PM: Shield States
4:18 PM: Spyware Definitions: 720
4:18 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:31 AM: Shield States
7:31 AM: Spyware Definitions: 720
7:31 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:26 AM: Shield States
7:26 AM: Spyware Definitions: 720
7:26 AM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:16 AM: Shield States
7:16 AM: Spyware Definitions: 720
7:15 AM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:02 AM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:02 AM: Tamper Detection
6:33 AM: Warning: The handle is invalid
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:32 AM: Shield States
6:32 AM: Spyware Definitions: 720
6:32 AM: Spy Sweeper 5.0.5.1286 started
10:08 PM: Your spyware definitions have been updated.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
10:08 PM: Tamper Detection
10:08 PM: Automated check for program update in progress.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOPCRAWL.EXE
6:57 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:38 PM: Shield States
6:38 PM: Spyware Definitions: 719
6:38 PM: Spy Sweeper 5.0.5.1286 started
A system shutdown is in progress
6:36 PM: Warning: System Error. Code: 1115.
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
6:36 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
6:36 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:30 PM: Shield States
6:30 PM: Spyware Definitions: 719
6:29 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
10:47 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
10:47 PM: Tamper Detection
10:07 PM: Your definitions are up to date.
10:07 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
10:06 PM: Warning: Access is denied
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:06 PM: Shield States
10:06 PM: Spyware Definitions: 719
10:06 PM: Spy Sweeper 5.0.5.1286 started
2:07 PM: | End of Session, Sunday, July 16, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
10:29 AM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:29 AM: Shield States
10:29 AM: Spyware Definitions: 719
10:29 AM: Spy Sweeper 5.0.5.1286 started
7:20 AM: | End of Session, Sunday, July 16, 2006 |
7:20 AM: Removal process completed. Elapsed time 00:00:22
7:20 AM: Quarantining All Traces: tribalfusion cookie
7:20 AM: Quarantining All Traces: trafficmp cookie
7:20 AM: Quarantining All Traces: realmedia cookie
7:20 AM: Quarantining All Traces: fastclick cookie
7:20 AM: Quarantining All Traces: casalemedia cookie
7:20 AM: Quarantining All Traces: bluestreak cookie
7:20 AM: Quarantining All Traces: atwola cookie
7:20 AM: Quarantining All Traces: atlas dmt cookie
7:20 AM: Quarantining All Traces: ask cookie
7:20 AM: Quarantining All Traces: advertising cookie
7:20 AM: Quarantining All Traces: pointroll cookie
7:20 AM: Quarantining All Traces: yieldmanager cookie
7:20 AM: Quarantining All Traces: clkoptimizer
7:20 AM: Removal process initiated
7:13 AM: Traces Found: 14
7:13 AM: Full Sweep has completed. Elapsed time 00:07:09
7:13 AM: File Sweep Complete, Elapsed Time: 00:04:23
7:13 AM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
7:09 AM: Starting File Sweep
7:09 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@tribalfusion[1].txt (ID = 3589)
7:09 AM: Found Spy Cookie: tribalfusion cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@trafficmp[2].txt (ID = 3581)
7:09 AM: Found Spy Cookie: trafficmp cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@realmedia[1].txt (ID = 3235)
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@network.realmedia[1].txt (ID = 3236)
7:09 AM: Found Spy Cookie: realmedia cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@fastclick[2].txt (ID = 2651)
7:09 AM: Found Spy Cookie: fastclick cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@casalemedia[1].txt (ID = 2354)
7:09 AM: Found Spy Cookie: casalemedia cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@bluestreak[1].txt (ID = 2314)
7:09 AM: Found Spy Cookie: bluestreak cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@atwola[1].txt (ID = 2255)
7:09 AM: Found Spy Cookie: atwola cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@atdmt[2].txt (ID = 2253)
7:09 AM: Found Spy Cookie: atlas dmt cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@ask[1].txt (ID = 2245)
7:09 AM: Found Spy Cookie: ask cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@advertising[1].txt (ID = 2175)
7:09 AM: Found Spy Cookie: advertising cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@ads.pointroll[2].txt (ID = 3148)
7:09 AM: Found Spy Cookie: pointroll cookie
7:09 AM: c:\documents and settings\windowsxp\cookies\windowsxp@ad.yieldmanager[2].txt (ID = 3751)
7:09 AM: Found Spy Cookie: yieldmanager cookie
7:09 AM: Starting Cookie Sweep
7:09 AM: Registry Sweep Complete, Elapsed Time:00:00:25
7:09 AM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
7:09 AM: Found Adware: clkoptimizer
7:08 AM: Starting Registry Sweep
7:08 AM: Memory Sweep Complete, Elapsed Time: 00:02:07
7:06 AM: Starting Memory Sweep
7:06 AM: Sweep initiated using definitions version 719
7:06 AM: Spy Sweeper 5.0.5.1286 started
7:06 AM: | Start of Session, Sunday, July 16, 2006 |
********
7:27 AM: None
7:27 AM: Traces Found: 0
7:27 AM: Full Sweep has completed. Elapsed time 00

53
7:27 AM: File Sweep Complete, Elapsed Time: 00:03:45
7:27 AM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
7:24 AM: Starting File Sweep
7:23 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:23 AM: Starting Cookie Sweep
7:23 AM: Registry Sweep Complete, Elapsed Time:00:00:24
7:23 AM: Starting Registry Sweep
7:23 AM: Memory Sweep Complete, Elapsed Time: 00:02:29
7:21 AM: Starting Memory Sweep
7:20 AM: Sweep initiated using definitions version 719
7:20 AM: Spy Sweeper 5.0.5.1286 started
7:20 AM: | Start of Session, Sunday, July 16, 2006 |
********
3:01 PM: | End of Session, Sunday, July 16, 2006 |
2:58 PM: Deletion from quarantine completed. Elapsed time 00:00:00
2:58 PM: Processing: bluestreak cookie
2:58 PM: Processing: atlas dmt cookie
2:58 PM: Processing: tribalfusion cookie
2:58 PM: Processing: trafficmp cookie
2:58 PM: Processing: yieldmanager cookie
2:58 PM: Processing: casalemedia cookie
2:58 PM: Processing: pointroll cookie
2:58 PM: Processing: atwola cookie
2:58 PM: Processing: ask cookie
2:58 PM: Processing: advertising cookie
2:58 PM: Processing: fastclick cookie
2:58 PM: Processing: realmedia cookie
2:58 PM: Processing: realmedia cookie
2:58 PM: Processing: clkoptimizer
2:58 PM: Processing: clkoptimizer
2:58 PM: Processing: clkoptimizer
2:58 PM: Deletion from quarantine initiated
2:58 PM: Removal process completed. Elapsed time 00:00:19
2:58 PM: Quarantining All Traces: clkoptimizer
2:58 PM: Removal process initiated
2:15 PM: Traces Found: 1
2:15 PM: Full Sweep has completed. Elapsed time 00:07:12
2:14 PM: File Sweep Complete, Elapsed Time: 00:03:47
2:14 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
2:11 PM: Starting File Sweep
2:11 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:11 PM: Starting Cookie Sweep
2:11 PM: Registry Sweep Complete, Elapsed Time:00:00:28
2:10 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
2:10 PM: Found Adware: clkoptimizer
2:10 PM: Starting Registry Sweep
2:10 PM: Memory Sweep Complete, Elapsed Time: 00:02:39
2:07 PM: Starting Memory Sweep
2:07 PM: Sweep initiated using definitions version 719
2:07 PM: Spy Sweeper 5.0.5.1286 started
2:07 PM: | Start of Session, Sunday, July 16, 2006 |
********
4:31 PM: Error: lzma: Compressed data is corrupted (7).
3:01 PM: None
3:01 PM: Traces Found: 0
3:01 PM: Explorer Sweep has completed. Elapsed time 00:00:05
3:01 PM: File Sweep Complete, Elapsed Time: 00:00:00
3:01 PM: Starting File Sweep
3:01 PM: Sweep initiated using definitions version 719
3:01 PM: Spy Sweeper 5.0.5.1286 started
3:01 PM: | Start of Session, Sunday, July 16, 2006 |
********
7:06 AM: | End of Session, Sunday, July 16, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:50 AM: Shield States
6:50 AM: Spyware Definitions: 719
6:50 AM: Spy Sweeper 5.0.5.1286 started
8:14 PM: | End of Session, Saturday, July 15, 2006 |
8:13 PM: Your definitions are up to date.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
8:13 PM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:13 PM: Shield States
8:13 PM: Spyware Definitions: 719
8:13 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:09 PM: Shield States
8:08 PM: Spyware Definitions: 719
8:08 PM: Spy Sweeper 5.0.5.1286 started
7:16 PM: | End of Session, Saturday, July 15, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:12 PM: Shield States
7:12 PM: Spyware Definitions: 719
7:11 PM: Spy Sweeper 5.0.5.1286 started
7:07 PM: Error: lzma: Compressed data is corrupted (7).
7:07 PM: Error: lzma: Compressed data is corrupted (7).
7:07 PM: Error: lzma: Compressed data is corrupted (7).
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:02 PM: Shield States
7:02 PM: Spyware Definitions: 719
7:02 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
7:00 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
6:59 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:58 PM: Shield States
6:57 PM: Spyware Definitions: 719
6:57 PM: Spy Sweeper 5.0.5.1286 started
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:34 PM: Shield States
6:34 PM: Spyware Definitions: 719
6:34 PM: Spy Sweeper 5.0.5.1286 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
4:53 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
4:52 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
1:25 PM: Shield States
1:25 PM: Spyware Definitions: 719
1:24 PM: Spy Sweeper 5.0.5.1286 started
Operation: File Access
Target:
Source: C:\PROGRAM FILES\CLEANUP!\CLEANUP.EXE
1:00 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
12:45 PM: Shield States
12:45 PM: Spyware Definitions: 719
12:44 PM: Spy Sweeper 5.0.5.1286 started
11:26 AM: Traces Found: 1
11:26 AM: Full Sweep has completed. Elapsed time 00:10:02
11:26 AM: File Sweep Complete, Elapsed Time: 00:05:35
11:26 AM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
11:20 AM: Starting File Sweep
11:20 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:20 AM: Starting Cookie Sweep
11:20 AM: Registry Sweep Complete, Elapsed Time:00:00:27
11:20 AM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
11:20 AM: Found Adware: clkoptimizer
11:20 AM: Starting Registry Sweep
11:20 AM: Memory Sweep Complete, Elapsed Time: 00:03:41
11:16 AM: Starting Memory Sweep
11:16 AM: Sweep initiated using definitions version 719
11:16 AM: Spy Sweeper 5.0.5.1286 started
11:16 AM: | Start of Session, Saturday, July 15, 2006 |
********
7:20 PM: None
7:20 PM: Traces Found: 0
7:20 PM: Memory Sweep Complete, Elapsed Time: 00:03:45
7:20 PM: Sweep Canceled
7:16 PM: Starting Memory Sweep
7:16 PM: Sweep initiated using definitions version 719
7:16 PM: Spy Sweeper 5.0.5.1286 started
7:16 PM: | Start of Session, Saturday, July 15, 2006 |
********
Operation: File Access
Target:
Source: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
10:10 PM: Tamper Detection
8:24 PM: Deleted error log without sending: C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
8:24 PM: Removal process completed. Elapsed time 00:00:28
8:24 PM: Quarantining All Traces: clkoptimizer
8:24 PM: Removal process initiated
8:21 PM: Traces Found: 1
8:21 PM: Full Sweep has completed. Elapsed time 00

54
8:21 PM: File Sweep Complete, Elapsed Time: 00:04:09
8:21 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
8:17 PM: Starting File Sweep
8:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:17 PM: Starting Cookie Sweep
8:17 PM: Registry Sweep Complete, Elapsed Time:00:00:25
8:16 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
8:16 PM: Found Adware: clkoptimizer
8:16 PM: Starting Registry Sweep
8:16 PM: Memory Sweep Complete, Elapsed Time: 00:02:09
8:14 PM: Starting Memory Sweep
8:14 PM: Sweep initiated using definitions version 719
8:14 PM: Spy Sweeper 5.0.5.1286 started
8:14 PM: | Start of Session, Saturday, July 15, 2006 |
********
11:16 AM: | End of Session, Saturday, July 15, 2006 |
Operation: File Access
Target:
Source: C:\PROGRAM FILES\CLEANUP!\CLEANUP.EXE
10:23 AM: Tamper Detection
9:24 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:24 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:24 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:24 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:17 AM: The Spy Communication shield has blocked access to: WWW.LYRICSDOWNLOAD.COM
9:17 AM: The Spy Communication shield has blocked access to: WWW.LYRICSDOWNLOAD.COM
9:17 AM: The Spy Communication shield has blocked access to: WWW.LYRICSDOWNLOAD.COM
9:17 AM: The Spy Communication shield has blocked access to: WWW.LYRICSDOWNLOAD.COM
9:13 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:13 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:13 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:13 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:05 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:05 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:05 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:05 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:03 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:03 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:03 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
9:03 AM: The Spy Communication shield has blocked access to: WWW.AV3.NET
8:00 AM: Access to Hosts file blocked for C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
Operation: File Access
Target:
Source: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE
8:00 AM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:39 AM: Shield States
7:39 AM: Spyware Definitions: 719
7:39 AM: Spy Sweeper 5.0.5.1286 started
7:35 AM: Removed Startup entry: wextract_cleanup0
7:35 AM: Processing Startup Alerts
7:12 PM: Your spyware definitions have been updated.
9:54 PM: Your spyware definitions have been updated.
9:54 PM: Your spyware definitions have been updated.
8:57 PM: Removed Startup entry: AVG7_Run
8:57 PM: Removed Startup entry: AVG7_CC
8:57 PM: Processing Startup Alerts
9:52 PM: Your spyware definitions have been updated.
9:52 PM: Your spyware definitions have been updated.
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:46 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:45 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:45 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:45 PM: The Spy Communication shield has blocked access to: cyber-search.biz
11:45 PM: The Spy Communication shield has blocked access to: cyber-search.biz
6:16 PM: Your definitions are up to date.
9:30 AM: Your spyware definitions have been updated.
11:56 PM: Your spyware definitions have been updated.
11:55 PM: Your spyware definitions have been updated.
11:54 PM: Your spyware definitions have been updated.
9:32 PM: The Spy Communication shield has blocked access to: www.mt-download.com
9:32 PM: The Spy Communication shield has blocked access to: www.mt-download.com
9:32 PM: The Spy Communication shield has blocked access to: mmm.media-motor.net
9:32 PM: The Spy Communication shield has blocked access to: mmm.media-motor.net
9:32 PM: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
9:32 PM: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
9:32 PM: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
9:32 PM: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
8:40 PM: The Spy Communication shield has blocked access to: searchportal.information.com
10:25 AM: Traces Found: 0
10:25 AM: Full Sweep has completed. Elapsed time 00:20:11
10:25 AM: File Sweep Complete, Elapsed Time: 00:13:49
10:11 AM: Starting File Sweep
10:11 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:11 AM: Starting Cookie Sweep
10:11 AM: Registry Sweep Complete, Elapsed Time:00:00:32
10:10 AM: Starting Registry Sweep
10:10 AM: Memory Sweep Complete, Elapsed Time: 00:05:39
10:05 AM: Starting Memory Sweep
10:05 AM: Sweep initiated using definitions version 706
10:05 AM: Spy Sweeper started
10:05 AM: | Start of Session, Saturday, June 24, 2006 |
********
11:29 AM: | End of Session, Thursday, May 18, 2006 |
11:29 AM: Traces Found: 0
11:29 AM: File Sweep Complete, Elapsed Time: 00:01:33
11:29 AM: Sweep Canceled
11:27 AM: Starting File Sweep
11:27 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:27 AM: Starting Cookie Sweep
11:27 AM: Registry Sweep Complete, Elapsed Time:00:01:00
11:26 AM: Starting Registry Sweep
11:26 AM: Memory Sweep Complete, Elapsed Time: 00:05:11
11:21 AM: Starting Memory Sweep
11:21 AM: Sweep initiated using definitions version 680
11:21 AM: Spy Sweeper started
11:21 AM: | Start of Session, Thursday, May 18, 2006 |
********
10:05 AM: | End of Session, Saturday, June 24, 2006 |
9:33 AM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:32 AM: The Spy Communication shield has blocked access to: count.exitexchange.com
6:48 PM: Your spyware definitions have been updated.
6:48 PM: Your spyware definitions have been updated.
5:56 PM: Your spyware definitions have been updated.
5:55 PM: Your spyware definitions have been updated.
5:55 PM: Your spyware definitions have been updated.
9:26 PM: Your spyware definitions have been updated.
9:26 PM: Your spyware definitions have been updated.
9:25 PM: Your spyware definitions have been updated.
9:25 PM: Your spyware definitions have been updated.
9:24 PM: Your spyware definitions have been updated.
9:50 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:50 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:34 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:34 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:34 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:34 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:23 PM: Your spyware definitions have been updated.
9:22 PM: Your spyware definitions have been updated.
9:21 PM: Your spyware definitions have been updated.
9:20 PM: Your spyware definitions have been updated.
9:19 PM: Your spyware definitions have been updated.
3:01 PM: Your spyware definitions have been updated.
10:00 PM: Your spyware definitions have been updated.
7:58 AM: The Spy Communication shield has blocked access to: download.movieland.com
7:58 AM: The Spy Communication shield has blocked access to: download.movieland.com
9:59 PM: Your spyware definitions have been updated.
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:45 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
10:44 AM: The Spy Communication shield has blocked access to: prompt.zangocash.com
5:35 PM: Your spyware definitions have been updated.
5:29 PM: Allowed Startup entry: Google Desktop Search
5:29 PM: Allowed Startup entry: avast!
5:29 PM: Allowed Startup entry: ctfmon.exe
5:29 PM: Processing Startup Alerts
5:34 PM: Your spyware definitions have been updated.
9:45 AM: Allowed Startup entry: MSConfig
9:45 AM: Processing Startup Alerts
3:10 PM: Your spyware definitions have been updated.
10:31 AM: Removed IE Favorite: SideStep
10:31 AM: Removed IE Favorite: Windows Marketplace
10:31 AM: Removed IE Favorite: Customize Links
10:31 AM: Removed IE Favorite: Free Hotmail
10:31 AM: Removed IE Favorite: Windows Media
10:31 AM: Removed IE Favorite: Windows
10:31 AM: Processing Internet Explorer Favorites Alerts
10:27 AM: Allowed Startup entry: Google Desktop Search
10:27 AM: Processing Startup Alerts
12:31 PM: Your spyware definitions have been updated.
10:03 AM: Your spyware definitions have been updated.
11:59 AM: Traces Found: 0
11:59 AM: Full Sweep has completed. Elapsed time 00:30:29
11:59 AM: File Sweep Complete, Elapsed Time: 00:24:07
11:35 AM: Starting File Sweep
11:35 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:35 AM: Starting Cookie Sweep
11:35 AM: Registry Sweep Complete, Elapsed Time:00:00:38
11:34 AM: Starting Registry Sweep
11:34 AM: Memory Sweep Complete, Elapsed Time: 00:05:36
11:29 AM: Starting Memory Sweep
11:29 AM: Sweep initiated using definitions version 680
11:29 AM: Spy Sweeper started
11:29 AM: | Start of Session, Thursday, May 18, 2006 |
********
11:21 AM: | End of Session, Thursday, May 18, 2006 |
10:02 AM: Your spyware definitions have been updated.
8:01 AM: BHO Shield: found: googletoolbar1.dll-- BHO installation denied at user request
8:00 AM: Removed Startup entry: SunJavaUpdateSched
8:00 AM: Processing Startup Alerts
8:00 AM: BHO Shield: found: ssv.dll-- BHO installation denied at user request
3:31 PM: Quarantine item removal complete.
3:31 PM: Automatic removal of old quarantine items in progress.
10:02 AM: Your spyware definitions have been updated.
8:44 AM: Traces Found: 0
8:44 AM: Full Sweep has completed. Elapsed time 00:28:28
8:44 AM: File Sweep Complete, Elapsed Time: 00:21:50
8:22 AM: Starting File Sweep
8:22 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:22 AM: Starting Cookie Sweep
8:22 AM: Registry Sweep Complete, Elapsed Time:00:00:35
8:22 AM: Starting Registry Sweep
8:22 AM: Memory Sweep Complete, Elapsed Time: 00:05:50
8:16 AM: Starting Memory Sweep
8:16 AM: Sweep initiated using definitions version 677
8:16 AM: Spy Sweeper started
8:16 AM: | Start of Session, Monday, May 15, 2006 |
********
8:16 AM: | End of Session, Monday, May 15, 2006 |

i think i posted every scan i have done, sorry

here is hijack log
Logfile of HijackThis v1.99.1
Scan saved at 8:16:01 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

And i did as you instructed and disconnected internet before i ran the scan and oh thanks too the time thing worked i didnt hit apply twice!

My computer seems to be running fine, its actually running much faster but now i have the stamps garbage errors again upon rebooting.

Will wait to hear from you.

tetonbob · 07-31-2006, 09:04 AM

Ok, good news about the cIock.

have attached a file to this post - callie2.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

That should take care of the stamps items. The errors you're receiving are due to windows not being able to find the files associated with those run once entries.

You may have to uninstall the entire software package that it was part of to get rid of it, but let's try that first.

Next, I'd like you to clear the Spysweeper Session History. Open Spysweeper, and click on Results in the left. Next, in the right pane, click on the Session Log tab. At the bottom of the pane, you'll see a Clear Session History button. Please click it.

What Spysweeper calls clkoptimizer, we call qoologic. Spysweeper had been finding the O4 entry we fixed....so it should no longer find clkoptimizer. Run a new scan, using the same settings as before, and post the Session log. Also post a new HJT log.

callie3274 · 08-01-2006, 05:44 AM

Ok i posted the zip file and it accepted it and then ran spysweeper and it didnt find it!!!! here is a copy of the log

7:35 AM: None
7:35 AM: Traces Found: 0
7:35 AM: Full Sweep has completed. Elapsed time 00:12:28
7:35 AM: File Sweep Complete, Elapsed Time: 00:08:30
7:26 AM: Starting File Sweep
7:26 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:26 AM: Starting Cookie Sweep
7:26 AM: Registry Sweep Complete, Elapsed Time:00:00:27
7:26 AM: Starting Registry Sweep
7:26 AM: Memory Sweep Complete, Elapsed Time: 00:03:12
7:22 AM: Starting Memory Sweep
7:22 AM: Sweep initiated using definitions version 729
7:22 AM: Spy Sweeper 5.0.5.1286 started
7:22 AM: | Start of Session, August 01, 2006 |
********
7:22 AM: | End of Session, August 01, 2006 |
7:22 AM: Spy Sweeper 5.0.5.1286 started
7:22 AM: | Start of Session, August 01, 2006 |
********

When I rebooted my computer I received the 3 stamps errors again and the can not find C:\Program~1 again. I deleted the program that the stamps program was affilliated with and did another reboot and still the same. I also keep getting AIM booting up upon restart when I keep changing my peference everytime do not start up with windows? Here is my lastest hijack log
Logfile of HijackThis v1.99.1
Scan saved at 8

41 AM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run
O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

the one file looks one we already tried to delete, c:\windows\system32\oocqrc.exe?
CLueless again

tetonbob · 08-01-2006, 09:48 AM

Something is putting those back, but I don't see any other registry protection tools enabled. Did you ever have Spybot's TeaTimer enabled?

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:

Go to the Options>Program Options
Uncheck Load at Windows Startup
Click Shields on the left.
Click Internet Explorer and uncheck all items.
Click Windows System and uncheck all items.
Click Startup Programs and uncheck all items.
Click Browser Add-Ons and uncheck all items.
Exit Spysweeper.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s
O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s
O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

Close HJT.

---------------------------------------------------------------------------------------------

combofix.exe should still be on your desktop.

Please run it again, and post the resulting log.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

07-24-2006, 05:49 PM	#1 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	New Spyware or Something My spysweeper has detected this same thing called CLKOPTIMIZER when i do a spy scan, its quarentines it but then it comes back. I have tried cwblaster, spysweeper, stinger, avast, avg and ewido and no luck. Any suggestions? Here is my hijack log Logfile of HijackThis v1.99.1 Scan saved at 7:33:03 PM, on 7/24/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\WINDOWS\explorer.exe C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [08mc0oxg.dll] "RUNDLL32.EXE" 08mc0oxg.dll,b 25518312 O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe Any help would be great! Last edited by callie3274; 07-24-2006 at 06:04 PM.

07-27-2006, 10:22 AM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Hello and Welcome. Sorry for the delay. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- I see you have more than one Anti-Virus program installed, Avast and AVG. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the other. Any antivirus program must be removed via add/remove program. For any program that doesn't have an add/remove entry, you will have to do this: re-install the program -> reboot -> uninstall ----------------------------------------------------------------------- I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix. Run Ewido From the main ewido screen, click on update, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Exit Ewido. DO NOT scan yet. ----------------------------------------------------------------------- Download and install CleanUp! NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Secure MSVS Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, copy/paste MicroService32 Click on the OK button Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [08mc0oxg.dll] "RUNDLL32.EXE" 08mc0oxg.dll,b 25518312 O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following if they exist: C:\WINDOWS\msvcrs.exe C:\WINDOWS\system32\oocqrc.exe 08mc0oxg.dll<<<find via Start>Search --------------------------------------------------------------------------------------------- Run Cleanup! using the following configuration: Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Create an uninstall list:* Open HiJackThis Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post Please return with results from: Ewido Panda HijackThis Uninstall List __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

07-27-2006, 07:19 PM	#3 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	RE: spyware or something Ok I did everything you instructed me to do as follows: Ewido report --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 8:40:43 PM 7/27/2006 + Scan result: Nothing found. ::Report end Panda Report Incident Status Location Adware:adware/dollarrevenue Not disinfected c:\windows\timessquare1.dat Adware:adware/sqwire Not disinfected Windows Registry Adware:adware/sidestep Not disinfected Windows Registry Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\060624100508.ses Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\WindowsXP\My Documents\VirtumundoBeGone.exe[²ƒÇ] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix\process.exe HijackThis Report Logfile of HijackThis v1.99.1 Scan saved at 9:11:40 PM, on 7/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe Uninstaller List report Ad-aware 6 Personal Ad-Aware SE Personal Adobe Reader 6.0.1 AOL Instant Messenger AVG Free Edition CleanUp! Contextual Tool ewido anti-spyware 4.0 Google Desktop Google Earth HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 1.99.1 ImageShack QuickLoad J2SE Runtime Environment 5.0 Update 5 J2SE Runtime Environment 5.0 Update 6 Java 2 Runtime Environment, SE v1.4.2_04 LimeWire 4.9.29 Logitech Desktop Messenger Logitech Print Service Logitech QuickCam Software Logitech® Camera Driver Macromedia Flash Player 8 Microsoft .NET Framework 1.1 Microsoft AntiSpyware Microsoft Office Professional Edition 2003 MyDataBase Nero 6 Ultra Edition Panda ActiveScan Picasa 2 PowerDVD S3 S3Display S3 S3Gamma2 S3 S3Info2 S3 S3Overlay Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913433) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) SoundMAX Spy Sweeper Spybot - Search & Destroy 1.4 Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) VIA Rhine-Family Fast Ethernet Adapter VIA/S3G Display Driver Viewpoint Manager (Remove Only) Viewpoint Media Player Windows Installer 3.1 (KB893803) Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB887797 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Yahoo! Messenger Please let me know what to do next and thank you so much for your help.

07-27-2006, 10:29 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code. Updating Java: Go to Start > Control Panel double-click on the Software icon, Add or Remove programs. Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... ) Select it and click Remove. Then Download and install the newest version from here: http://www.java.com/en/download/manual.jsp After the reboot, go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Contextual Tool This Add or Remove Programs entry corresponds to a program that is either malware, installs malware, or is bundled with malware. It is advised that you uninstall this program from your computer due to the above reasons. If this program gave you the option to not install the malware or adware during setup, and you chose that option, then it should be safe to leave the program installed. Please note that not all programs listed here will actually be uninstalled when you attempt to do so --------------------------------------------------------------------------------------------- Delete the following if they exist: c:\windows\timessquare1.dat C:\Documents and Settings\WindowsXP\Application Data\Webroot\Spy Sweeper\Logs\060624100508.ses If they resist deletion, boot to safe mode and delete them from there. --------------------------------------------------------------------------------------------- Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please post logs from: Kaspersky HJT How is your system behaving? If Spysweeper is finding CLKOPTIMIZER still, please note the exact location it does find. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

07-29-2006, 06:13 AM	#7 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	Re Spyware Ok I had the virtumonde virus or whatever on my computer back in november and i used fixvundo.exe to get rid of it, but i dont think it truly was ever fixed, then when i started having this clkoptimizer show up, which spysweeper finds it everytime i scan and i cant find where it is located, i get start up errors, such as the rundll32 error which i dont not get anymore, that is fixed, but i keep getting this message 3 times when i boot up : C:\Progra1\stamps~1.com\regall.exe - this exact message pops up and i have to ok 3 times to bypass it, also I have gone into my start up by going to run then typing msconfig and delete aim & spysweeper from being in the start up and they keep coming back. Here are the post you asked for and my computer runs ok, i do not get pop ups when im online, but i hear my computer always scrolling,even when im not using it. The files in the last reply you told me to delete, i deleted and they gave me no problem. Combofix Start Time= Sat 07/29/2006 7:58:08.56 Running from: C:\Documents and Settings\WindowsXP\Desktop ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))) 7:58:41.79 * * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 2006-07-07 17:16:10 8,704 "C:\WINDOWS\system32\ssiefr.EXE" 2006-07-07 17:16:10 20,992 "C:\WINDOWS\system32\wrlzma.dll" * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * * DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO * * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 2006-07-07 17:16:10 8,704 "C:\WINDOWS\system32\ssiefr.EXE" 2006-07-07 17:16:10 20,992 "C:\WINDOWS\system32\wrlzma.dll" (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-07-28 18:35:34 ( .D... ) "C:\Program Files\Java" 2006-07-28 18:34:58 ( .D... ) "C:\Program Files\Common Files\Java" 2006-07-25 12:33:14 ( .D... ) "C:\Program Files\PC MightyMax" 2006-07-21 17:23:06 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0" 2006-07-18 16:28:46 ( .D... ) "C:\Documents and Settings\WindowsXP\Application Data\AVG7" 2006-07-18 16:28:32 ( .D... ) "C:\Program Files\Grisoft" 2006-07-18 07:17:16 ( .D... ) "C:\Documents and Settings\WindowsXP\Application Data\Lavasoft" 2006-07-18 06:45:38 ( .D... ) "C:\Program Files\Spybot - Search & Destroy" 2006-07-07 17:16:28 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll" 2006-07-07 17:16:12 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll" 2006-07-07 17:16:12 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf(2)(2).dll" 2006-07-07 17:16:10 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll" 2006-07-07 17:16:10 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE" 2006-05-11 10:31:58 2560 ( A.... ) "C:\WINDOWS\_MSRSTRT.EXE" (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))) 2006-07-28 18:36 49,250 C:\WINDOWS\system32\javaw.exe 2006-07-28 18:36 49,248 C:\WINDOWS\system32\java.exe 2006-07-28 18:36 127,078 C:\WINDOWS\system32\javaws.exe 2006-07-27 20:47 73,728 C:\WINDOWS\system32\asuninst.exe 2006-07-27 20:47 11,776 C:\WINDOWS\system32\ZPORT4AS.dll 2006-07-25 19:43 86,016 C:\WINDOWS\system32\mdmxsdk.dll 2006-07-08 12:24 5,632 C:\WINDOWS\system32\ptpusb.dll 2006-07-08 12:24 159,232 C:\WINDOWS\system32\ptpusd.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" "AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP" "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray" "HostManager"="C:\\Program Files\\Common Files\\AOL\\1139438832\\ee\\AOLSoftware.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.6.2.9\\PlaxoHelper.exe -a" "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "stampsregk"="C:\\PROGRA~1\\STAMPS~1.COM\\regall.exe -k -s" "stampsrego"="C:\\PROGRA~1\\STAMPS~1.COM\\regall.exe -o -s" "stampsreg"="C:\\PROGRA~1\\STAMPS~1.COM\\RegAll.exe -s" "Run IPH"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex] "flags"=dword:00000008 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" "mofk"="C:\\Program Files\\Common Files\\mofk\\mofkm.exe" "Otss"="C:\\Program Files\\alwd\\waue.exe -vt yazr" "Njtycqd"="C:\\WINDOWS\\system32\\ssembly\\svchost.exe" [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" "mofk"="C:\\Program Files\\Common Files\\mofk\\mofkm.exe" "Otss"="C:\\Program Files\\alwd\\waue.exe -vt yazr" "Njtycqd"="C:\\WINDOWS\\system32\\ssembly\\svchost.exe" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ashDisp" "hkey"="HKLM" "command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="avgcc" "hkey"="HKLM" "command"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ctfmon" "hkey"="HKCU" "command"="C:\\WINDOWS\\system32\\ctfmon.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AOLSoftware" "hkey"="HKLM" "inimapping"="0" "command"="C:\\Program Files\\Common Files\\AOL\\1139438832\\ee\\AOLSoftware.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ISStart" "hkey"="HKLM" "command"="\"C:\\Program Files\\Logitech\\Video\\ISStart.exe\" " "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="LogiTray" "hkey"="HKLM" "command"="\"C:\\Program Files\\Logitech\\Video\\LogiTray.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5RS_0001_0808] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WFXScanR[1]" "hkey"="HKLM" "command"="\"C:\\Documents and Settings\\WindowsXP\\Local Settings\\Temporary Internet Files\\Content.IE5\\WZ7NASHD\\WFXScanR[1].exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PlaxoHelper" "hkey"="HKCU" "inimapping"="0" "command"="C:\\Program Files\\Plaxo\\2.6.2.9\\PlaxoHelper.exe -a" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RoboTaskBarIcon" "hkey"="HKCU" "command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SpySweeperUI" "hkey"="HKLM" "command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="VTTimer" "hkey"="HKLM" "command"="VTTimer.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=dword:00000002 "wscsvc"=dword:00000002 "SENS"=dword:00000002 "ERSvc"=dword:00000002 "Browser"=dword:00000002 "BITS"=dword:00000002 HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system DisableRegistryTools REG_DWORD 0 (0x0) HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcWRSSSDK HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\XoftSpy.job Completion time: Sat 07/29/2006 8:00:22.06 ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt ComboFix.2006-07-29.075808.txt Hijack this Logfile of HijackThis v1.99.1 Scan saved at 08:03:01, on 7/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe I have also gone into hijack this and checked the boxes that contain aol software, because i only use Aim, not aol, and also the 3 files that contain stamps and they keep coming back. I hope i have posted all the information you needed. Again many thanks for the help.

07-28-2006, 07:43 PM	#5 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	ok Here are the 2 post logs as follows: Kaspersky Friday, July 28, 2006 9:40:16 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 29/07/2006 Kaspersky Anti-Virus database records: 209742 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer A:\ C:\ D:\ E:\ Scan Statistics Total number of scanned objects 29227 Number of viruses found 2 Number of infected objects 5 Number of suspicious objects 0 Duration of the scan process 00:34:44 Infected Object Name Virus Name Last Action C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\backups\backup-20051231-082119-305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\Documents and Settings\WindowsXP\Shared\Top of Charts - 2005 (scrappin).wm Infected: Trojan-Downloader.WMA.Wimad.c skipped C:\WINDOWS\system32\ddccd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\WINDOWS\system32\pmkjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\WINDOWS\system32\pmnnk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped Scan process completed. HiJAckTHis Logfile of HijackThis v1.99.1 Scan saved at 9:41:37 PM, on 7/28/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe Thanks for your help and I will wait for your reply

07-29-2006, 08:54 AM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Please don't fix anything on your own while we're working together. Also, don't disable anything through msconfig for now, as it will hinder my ability to see everything and help you. Do you have an online stamp download program installed? --------------------------------------------------------------------------------------------- Webroot SpySweeper Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper: Go to the Options>Program Options Uncheck Load at Windows Startup Click Shields on the left. Click Internet Explorer and uncheck all items. Click Windows System and uncheck all items. Click Startup Programs and uncheck all items. Click Browser Add-Ons and uncheck all items. Exit Spysweeper. --------------------------------------------------------------------------------------------- I have attached a file to this post - callie.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run --------------------------------------------------------------------------------------------- Delete the following if it exists: C:\WINDOWS\system32\oocqrc.exe If it resists deletion, boot to safe mode and delete it from there. Don't worry if you cannot find it. --------------------------------------------------------------------------------------------- * Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. --------------------------------------------------------------------------------------------- Create an uninstall list: Open HiJackThis Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post --------------------------------------------------------------------------------------------- Run a new scan with HijackThis. Save the log file and post it here. --------------------------------------------------------------------------------------------- Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately): clkoptimizer Save the file/files and post the results in the forum. Please return with results from: DrWeb Uninstall list HijackThis regsearch __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 09-19-2006 at 01:53 PM.

07-29-2006, 06:55 PM	#9 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	Ok I installed a program a while back called mysoft, which contains a program i use called my database, which i have used for 3 years on my work computer and never had a problem, when it installs it installs a postage program which i have removed months ago. I disabled spysweeper. I tried to unzip the callie.zip you posted and got this message : cannot impart c:\Docume~1window~1\locals~1\temp\temporary\directory1 for callie.reg. The specified file is not a registry script I deleted the 04 - HKLM\..Run: [winsync] C:\windows\system32\oocqrc.exe I did a search for clkoptimizer with regsrch.vbs and i got "No instances of clkoptimizer found" Here are the list you requested DrWed setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Incurable.Moved.; setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Incurable.Moved.; process.exe;C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix;Tool.Prockill;Incurable.Moved.; WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.; ddayy.dll;C:\WINDOWS\system32;Adware.Virtumonde;Incurable.Moved.; setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Deleted.; setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Deleted.; process.exe;C:\Documents and Settings\WindowsXP\My Documents\VundoFix\VundoFix;Tool.Prockill;Deleted.; WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;; uninstall list Ad-aware 6 Personal Ad-Aware SE Personal Adobe Reader 6.0.1 AOL Instant Messenger AVG Free Edition CleanUp! ewido anti-spyware 4.0 Google Desktop Google Earth HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 1.99.1 ImageShack QuickLoad J2SE Runtime Environment 5.0 Update 6 Kaspersky On-line Scanner LimeWire 4.9.29 Logitech Desktop Messenger Logitech Print Service Logitech QuickCam Software Logitech® Camera Driver Macromedia Flash Player 8 Microsoft .NET Framework 1.1 Microsoft AntiSpyware Microsoft Office Professional Edition 2003 MyDataBase Nero 6 Ultra Edition Panda ActiveScan Picasa 2 PowerDVD S3 S3Display S3 S3Gamma2 S3 S3Info2 S3 S3Overlay Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913433) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) SoundMAX Spy Sweeper Spybot - Search & Destroy 1.4 Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) VIA Rhine-Family Fast Ethernet Adapter VIA/S3G Display Driver Viewpoint Manager (Remove Only) Viewpoint Media Player Windows Installer 3.1 (KB893803) Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB887797 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Yahoo! Messenger hijackthis Logfile of HijackThis v1.99.1 Scan saved at 08:03:01, on 7/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Documents and Settings\WindowsXP\My Documents\Spyware Programs\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139438832\ee\AOLSoftware.exe O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117807355358 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe and regsearch i could not get a report, it couldnt find clkoptimizer.

07-29-2006, 07:36 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	I've corrected the attached regfix. Discard the one you already downloaded, and download the newly uploaded zip file in the previous post. There's no need to unzip it, you can run it from within the zip folder, as long as you download the zip file to your desktop. Please do so now using the previous instructions. Spysweeper still appears to be active on your machine, and it is this program's protection which I think is preventing some HJT entries from staying fixed. Is this a paid version of Spysweeper, or a trial? While this program is still enabled, it may prevent us from fixing HJT entries. We can try again: Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper: Go to the Options>Program Options Uncheck Load at Windows Startup Click Shields on the left. Click Internet Explorer and uncheck all items. Click Windows System and uncheck all items. Click Startup Programs and uncheck all items. Click Browser Add-Ons and uncheck all items. Exit Spysweeper. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s --------------------------------------------------------------------------------------------- Then run another HJT scan, save the log and post it. Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Double click on 'Silent Runners' to run it. Choose 'No' at the prompt. It will create a file called 'Startup Programs' (followed by your computer name and current date) on your desktop. Do NOT open it yet. Wait until you get the prompt 'All Done'. Then open up that file and post all the contents here in your next post. If you receive a warning message about scripts, choose to allow it to run. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

07-30-2006, 01:11 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	I see where we erred... The HJT logs in post #7 and post #9 are the same. Logfile of HijackThis v1.99.1 Scan saved at 08:03:01, on 7/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Logfile of HijackThis v1.99.1 Scan saved at 08:03:01, on 7/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) So, the items I wanted fixed, and the Stamps items you fixed, were. Which your latest log shows. Let's try one more attempt at locating clkoptimizer Download & extract this file to it's own folder - Registry Search Launch Registry Search In the search box, enter clkoptimizer & click "Ok". Notepad will open with some text in it (the file will also be saved in the program's folder as well). Post this text in your next reply. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

07-30-2006, 02:37 PM	#13 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	ok here is what i got from registry search REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 7/30/2006 4:35:19 PM for strings: ; 'clkoptimizer ' ; Strings excluded from search: ; 'clkoptimizer ' ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS ; End Of The Log... Now for some reason, my time is in military time? lol It is just my luck!

07-30-2006, 03:49 PM	#15 (permalink)
callie3274 Registered User Join Date: Jul 2006 Posts: 18 OS: xp	ok here is the new log, sorry bout that one! The time thing didnt work so i dont know what else to do for that. REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 7/30/2006 17:46:37 for strings: ; 'clkoptimizer' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS ; End Of The Log... Let me know what comes next. Thanks!

07-30-2006, 11:13 PM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Well, we can't seem to find any instances of clkoptimizer. I'm not sure what Spysweeper is hitting on. Reenable it, and run a full system scan, using these settings: Enable Webroot SpySweeper: Go to the Options>Program Options Check Load at Windows Startup Click Shields on the left. Click Internet Explorer and Check all items. Click Windows System and Check all items. Click Startup Programs and Check all items. Click Browser Add-Ons and Check all items. Exit Spysweeper. First, update it's definitions. On the Home screen, Click on the Check for Definition Update link on the right side of the screen. Once the definitions are installed, disconnect from the internet. Click Options on the left side. Click the Sweep Options tab. Under What to Sweep please put a check next to the following: Sweep Memory Sweep Registry Sweep Cookies Sweep All User Accounts Enable Direct Disk Sweeping Sweep Contents of Compressed Files Sweep for Rootkits Please UNCHECK Do not Sweep System Restore Folder. Click Sweep Now on the left side. Click the Start button. When it's done scanning, click the Next button. Make sure everything has a check next to it, then click the Next button. It will remove all of the items found. Click Session Log in the upper right corner, copy everything in that window. Click the Summary tab and click Finish. Paste the contents of the session log you copied into your next reply. Also post a new HJT log, and let me know how your system is behaving. About the time settings, did you click Apply>OK>Apply on the way out of the screens? Try it once more, please, as I've done this before on my own system in error.... __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

07-31-2006, 09:04 AM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Ok, good news about the cIock. have attached a file to this post - callie2.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry. That should take care of the stamps items. The errors you're receiving are due to windows not being able to find the files associated with those run once entries. You may have to uninstall the entire software package that it was part of to get rid of it, but let's try that first. Next, I'd like you to clear the Spysweeper Session History. Open Spysweeper, and click on Results in the left. Next, in the right pane, click on the Session Log tab. At the bottom of the pane, you'll see a Clear Session History button. Please click it. What Spysweeper calls clkoptimizer, we call qoologic. Spysweeper had been finding the O4 entry we fixed....so it should no longer find clkoptimizer. Run a new scan, using the same settings as before, and post the Session log. Also post a new HJT log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 09-19-2006 at 01:53 PM.

08-01-2006, 09:48 AM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,155 OS: 2000 Pro; XP Pro; XP Home	Something is putting those back, but I don't see any other registry protection tools enabled. Did you ever have Spybot's TeaTimer enabled? Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer. Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper: Go to the Options>Program Options Uncheck Load at Windows Startup Click Shields on the left. Click Internet Explorer and uncheck all items. Click Windows System and uncheck all items. Click Startup Programs and uncheck all items. Click Browser Add-Ons and uncheck all items. Exit Spysweeper. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\RunOnce: [stampsregk] C:\PROGRA~1\STAMPS~1.COM\regall.exe -k -s O4 - HKLM\..\RunOnce: [stampsrego] C:\PROGRA~1\STAMPS~1.COM\regall.exe -o -s O4 - HKLM\..\RunOnce: [stampsreg] C:\PROGRA~1\STAMPS~1.COM\RegAll.exe -s O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl Close HJT. --------------------------------------------------------------------------------------------- combofix.exe should still be on your desktop. Please run it again, and post the resulting log. --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 08-01-2006 at 09:49 AM.