my uncle's spyware log


Spike_Rocks
03-19-2006, 03:49 AM
Here is my uncle's spyware log.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:21, on 2006-03-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\S2VudA\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ilt.exe
C:\Program\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\win32ssr.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\servs.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\win32oleupdate.exe
C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
C:\Program\Logitech\ImageStudio\LogiTray.exe
C:\mousepad3.exe
C:\windows\eee2.exe
C:\WINDOWS\elitemediapop.exe
C:\Documents and Settings\KentKent\Internet Optimizer\optimize.exe
C:\Program\webHancer\Programs\whagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program\lrup\pttu.exe
C:\Program\DELADE~1\wrof\wrofm.exe
C:\WINDOWS\??stem32\w?wexec.exe
C:\Program\Delade filer\Windows\services32.exe
C:\Program\DELADE~1\wrof\wrofa.exe
C:\Program\DELADE~1\wrof\wrofl.exe
C:\Documents and Settings\KentKent\Mina dokument\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\pmnom.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\Program\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mirsft sdce] servs.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Win32 Update] C:\WINDOWS\System32\win32oleupdate.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [WinHound] C:\Program\WinHound\WinHound.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\KentKent\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\RunServices: [Mirsft sdce] servs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Ostl] "C:\Program\lrup\pttu.exe" -vt yazb
O4 - HKCU\..\Run: [wrof] C:\Program\DELADE~1\wrof\wrofm.exe
O4 - HKCU\..\Run: [services32] C:\Program\Delade filer\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [Yiztg] C:\WINDOWS\??stem32\w?wexec.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: pmnom - C:\WINDOWS\SYSTEM32\pmnom.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\sdriptpw.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2VudA\command.exe
O23 - Service: ILT - Unknown owner - C:\WINDOWS\ilt.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

thanks

nightowl
03-19-2006, 10:30 AM
This one is a mess; a few things I need to research here. But we can start by doing the following.


Download the stand-alone version of CW Shredder, Spybot and AdAware (links at the bottom of my message). If you have them already, make sure they are up to date. Also download AVG Antivirus (link below).

http://forums.designtechnica.com/showthread.php?t=5583

You may want to print this out.
Unplug the internet from your computer.
Reboot to Safe Mode (tap F8 on startup).


Delete these files and/or folders (if you can't find some of them they may be hidden; we can worry about them later).

C:\WINDOWS\ilt.exe
C:\Program\Network Monitor\netmon.exe
C:\WINDOWS\win32ssr.exe
C:\WINDOWS\System32\servs.exe
C:\WINDOWS\System32\win32oleupdate.exe
C:\mousepad3.exe
C:\windows\eee2.exe
C:\WINDOWS\elitemediapop.exe
C:\Documents and Settings\KentKent\Internet Optimizer\optimize.exe
C:\Program\lrup\pttu.exe
C:\Program\DELADE~1\wrof\wrofm.exe
C:\WINDOWS\??stem32\w?wexec.exe
C:\Program\Delade filer\Windows\services32.exe
C:\Program\DELADE~1\wrof\wrofa.exe
C:\Program\DELADE~1\wrof\wrofl.exe

Still in Safe Mode, open up HijackThis, place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\pmnom.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\Program\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program\webHancer\programs\whiehlpr.dll


O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program\Toolbar888\ToolBar888.dll

O4 - HKLM\..\Run: [Mirsft sdce] servs.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Win32 Update] C:\WINDOWS\System32\win32oleupdate.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [WinHound] C:\Program\WinHound\WinHound.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\KentKent\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\RunServices: [Mirsft sdce] servs.exe
O4 - HKCU\..\Run: [Ostl] "C:\Program\lrup\pttu.exe" -vt yazb
O4 - HKCU\..\Run: [wrof] C:\Program\DELADE~1\wrof\wrofm.exe
O4 - HKCU\..\Run: [services32] C:\Program\Delade filer\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [Yiztg] C:\WINDOWS\??stem32\w?wexec.exe

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O20 - Winlogon Notify: pmnom - C:\WINDOWS\SYSTEM32\pmnom.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\sdriptpw.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2VudA\command.exe
O23 - Service: ILT - Unknown owner - C:\WINDOWS\ilt.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program\Network Monitor\netmon.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe


Still in Safe Mode, delete all Temporary Internet Files and cookies, then run CW Shredder, AdAware, Spybot and AVG AntiVirus. Delete what they find, and empty the Recycle Bin.

Plug the internet back in, reboot to normal mode and post a new log..........Jim
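The reply above was produced by reading the log by eye and recognising patterns a helper has seen before: a process name that imitates a Windows binary (winIogon.exe with a capital I instead of an l), a path HijackThis could not render (the ??stem32 directory), O10 Winsock hijacks, sites pushed into the IE Trusted Zone, and O23 services with an unknown owner. The script below is an added example, not part of this thread or of HijackThis, that applies the same checks mechanically to a log in the v1.99 line format; the sample log is constructed from entries modelled on the one posted, with a plain winlogon.exe and the NVSvc service included as benign controls that must not be flagged. Every name and heuristic in it is an assumption for illustration; a hit means "look at this line", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99 log format (modelled on the thread's log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\??stem32\w?wexec.exe
C:\WINDOWS\System32\nvsvc32.exe

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: ILT - Unknown owner - C:\WINDOWS\ilt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Core Windows binaries whose names malware likes to imitate (illustrative, not exhaustive).
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe",
}
# Glyphs that pass for one another in the fonts a log is usually read in.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
# In an all-caps name a capital I is a genuine I, so that substitution is skipped there.
CONFUSABLES_UPPER = str.maketrans({"1": "l", "0": "o", "|": "l"})
# Characters that can never appear in a Windows path; HijackThis prints '?' for
# characters it could not render, so their presence means the real name was hidden.
INVALID_PATH_CHARS = set("?*<>|")

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)
SECTION_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - ")


def fold_confusables(name: str) -> str:
    """Map look-alike glyphs onto one canonical lowercase form before comparing names."""
    table = CONFUSABLES_UPPER if name.isupper() else CONFUSABLES
    return name.translate(table).lower()


FOLDED_KNOWN = {fold_confusables(k) for k in KNOWN_SYSTEM_BINARIES}


def is_lookalike(filename: str) -> bool:
    """True when the name is not a known system binary but folds into one."""
    if filename.lower() in KNOWN_SYSTEM_BINARIES:
        return False
    return fold_confusables(filename) in FOLDED_KNOWN


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        for path in PATH_RE.findall(line):
            name = PureWindowsPath(path).name
            if INVALID_PATH_CHARS & set(path):
                reasons.append("path contains characters HijackThis could not render")
            if is_lookalike(name):
                reasons.append(f"{name} imitates a Windows system binary")
        m = SECTION_RE.match(line)
        section = m.group(1) if m else None
        if section == "O10":
            reasons.append("Winsock LSP hijack (O10)")
        elif section == "O15":
            reasons.append("site added to IE Trusted Zone (O15)")
        elif section == "O23" and "Unknown owner" in line:
            reasons.append("service with no publisher (O23 Unknown owner)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def reasons_for(findings, needle: str) -> list:
    """Reasons attached to the first finding whose line contains needle ([] if none)."""
    for f in findings:
        if needle in f.line:
            return f.reasons
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The lookalike check deliberately compares the folded name against a short allow-list rather than the other way round, so an unusual but honest program name is never flagged; only names that collapse onto a core Windows binary are.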

Spike_Rocks
03-21-2006, 12:48 PM
We have decided to empty the whole hard drive on his computer, so no need to do more. But thanks anyway.

nightowl
03-21-2006, 01:41 PM
That may be a good idea, but I'm always ready for a challenge, and that one sure looks like one..........Jim