help needed spyware removal


joyacacia
02-15-2005, 08:34 PM
Hi there, I use SpywareGuard, NoAdware, Spybot, Ad-Aware SE, a-squared, CWShredder, FxIstbar and also Norton's NAV & Internet Security. I keep getting hijacked and infected with LOP and ISTbar. My results from HijackThis:

Logfile of HijackThis v1.99.0
Scan saved at 4:21:36 PM, on 16/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\pymdsb.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hxomzniveuqqczsronhxngld.com/NRSFCRKFIzgDKZMRlK_WFeYNGoiJ77mRbKF43v9E_PxWP80/yrAtVgEOLyJZzis2.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Four Bind] C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\{774A1354-6A34-48CB-9EF5-EB0529329520}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Any help would be great, dame in distress.
Thanks, joyacacia

nightowl
02-16-2005, 03:20 PM
A few strange things here. If you recognize any of them and know they are OK, then don't delete them. I can't find any info on some of them. The ones I'm not sure about are the O4 entries in bold letters.

Reboot To Safe Mode (tap F8 on Startup)

Delete these files and/or folders:

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\WINDOWS\pymdsb.exe


Still in Safe Mode, place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hxomzniveuqqczsronhxngld...gEOLyJZzis2.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Four Bind] C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\{774A1354-6A34-48CB-9EF5-EB0529329520}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42

Still in Safe Mode, delete all Temporary Internet Files and cookies, run Ad-Aware and Spybot, delete what they find, and empty the Recycle Bin.


Then Reboot and post a new log..........Jim
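As an added example (not code from the thread, from HijackThis, or from any tool named in it), here is a Python triage script that applies to HijackThis log entries the same kind of judgement the reply above applies by hand: R0/R1 search and start-page keys pointing at unexpected hosts, a configured proxy, O4 autostarts with random-looking names or odd locations, O16 ActiveX downloads from outside the expected domains, and an O17 NameServer override. The sample lines, the trusted-host allowlists and the heuristics are all assumptions constructed for the example.

```python
"""Triage heuristics for HijackThis-style log entries (added example).
Output is a list of entries worth a human's second look, not a verdict."""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on entries from the logs in this thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hxomzniveuqqczsronhxngld.com/yrAtVgEOLyJZzis2.jsp",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe",
    r"O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe",
    r'O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"',
    r"O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab",
    r"O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42",
    r"O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe",
]

# Assumed allowlists: search/start-page hosts the owner actually chose, and
# domains that ActiveX (O16) downloads are expected to come from.
TRUSTED_PAGE_HOSTS = {"www.msn.com", "www.google.com", "www.ozemail.com.au"}
TRUSTED_DPF_SUFFIXES = (".msn.com", ".microsoft.com", ".windowsupdate.com")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autostart names like gHEayU8P: mixed case, a digit followed by a letter, no spaces.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d[A-Za-z])\S+$")
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe\b')

def looks_random(label: str) -> bool:
    """Long, vowel-poor hostname labels are a cheap generated-domain indicator."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 12:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.3

def host_of(value: str) -> str:
    """Lowercased hostname of a URL or of a bare host value such as www.msn.com."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

def check_r(body: str):
    """R0/R1: IE search/start-page keys and Internet Settings."""
    key, _, value = body.partition(" = ")
    if "ProxyServer" in key:
        return "proxy server configured: confirm the owner set it"
    host = host_of(value)
    if host in TRUSTED_PAGE_HOSTS:
        return None
    if any(looks_random(label) for label in host.split(".")):
        return f"search/start page points at random-looking host {host}"
    return f"search/start page points at untrusted host {host}"

def check_o4(body: str):
    """O4: Run-key autostarts; name and location are the usual tells."""
    m = O4_RE.match(body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd").lower()
    if RANDOM_NAME_RE.match(name):
        return f"autostart [{name}] has a random-looking name"
    if WINDOWS_ROOT_EXE_RE.match(cmd):
        return f"autostart [{name}] runs an executable directly under the Windows root"
    if "\\application data\\" in cmd or "\\local settings\\temp\\" in cmd:
        return f"autostart [{name}] runs from a data or temp directory"
    return None

def check_o16(body: str):
    """O16: ActiveX downloads (DPF) from hosts outside the expected domains."""
    host = host_of(body.rsplit(" - ", 1)[-1])
    if host.endswith(TRUSTED_DPF_SUFFIXES):
        return None
    return f"ActiveX download from untrusted host {host}"

def triage(lines):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            reason = check_r(body)
        elif sec == "O4":
            reason = check_o4(body)
        elif sec == "O16":
            reason = check_o16(body)
        elif sec == "O17":
            reason = "NameServer override: compare with the ISP's DNS servers"
        else:
            reason = None
        if reason:
            findings.append((sec, reason, line))
    return findings
```

Calling `triage(SAMPLE_LINES)` returns the seven flagged entries with their reasons; the QuickTime, a-squared, msn.com and Norton lines pass through unflagged.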

joyacacia
02-17-2005, 04:24 AM
Hi Jim, thanks for your help. I managed to do as you asked. After deleting the files, Spybot showed ISearchTech.PowerScan and Ad-Aware was showing ISTbar in a reg key and reg value. I clicked on Fix Problem; after reboot, SpywareGuard kept saying the browser was hijacked. I have run Spybot after reboot and no threats. Good news.
Here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 12:04:34 AM, on 18/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfguzopmgzufkkmqlaolemids.com/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TBOTSj81nHzz_eNFaXfIIBh.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks for your help,
Karen

justmaar
02-17-2005, 04:31 AM
Can someone please help me get rid of the SearchMiracle popups?
This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:44 PM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEIWLSVC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AEIWLRAD.EXE
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\mjdrklfs.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\svchst.exe
C:\WINDOWS\sssasasb32.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~2\HPUSER~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/homepage-o
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/homepage-o
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [HP Mobile Printing Driver] C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [brocjl] C:\WINDOWS\System32\mjdrklfs.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SysA] C:\windows\system32\wineys32.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitebsr32.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/homepage-o
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

nightowl
02-17-2005, 01:33 PM
Stuff reloaded here; give it another try.


Reboot To Safe Mode (tap F8 on Startup)

Still in Safe Mode, place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfguzopmgzufkkmqlaolemids.co...eNFaXfIIBh.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au

Still in Safe Mode, delete all Temporary Internet Files and cookies, run Ad-Aware and Spybot, delete what they find, and empty the Recycle Bin.

Then Reboot and post a new log..........Jim

nightowl
02-17-2005, 01:46 PM
http://forums.designtechnica.com/showthread.php?t=7081

I moved your log here.......Jim

joyacacia
02-18-2005, 01:45 AM
Hi Jim, well, I repeated the process, but I'm pretty sure some of this stuff keeps reloading itself; I keep getting my browser hijacked. Here are the results:

Logfile of HijackThis v1.99.0
Scan saved at 9:36:04 PM, on 18/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


When you say to delete the cookies, I went to All Programs, Accessories, System Tools, Disk Cleanup. Is that the best way to remove cookies?
Once again, thanks for your help.
Karen

ECA
02-18-2005, 03:22 AM
Joy,
Want to be a guinea pig...
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Get this prog...
Run it..
at top select...
VIEW,
CLICK everything in there..

SAVE a sample to desktop and post it here..
It's a new prog, want to see how it compares..
Thanks..

joyacacia
02-18-2005, 04:06 AM
here we go


HKLM\System\CurrentControlSet\Services

+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe

+ ccPxySvc Symantec Proxy Service Symantec Corporation c:\program files\norton internet security\ccpxysvc.exe

+ EPSONStatusAgent2 EPSON Printer Status Agent (Not verified) SEIKO EPSON CORPORATION c:\program files\common files\epson\ebapi\sagent2.exe

+ InCDsrv Helper service for the InCD filesystem driver (Not verified) Ahead Software AG c:\program files\ahead\incd\incdsrv.exe

+ navapsvc Handles Norton AntiVirus Auto-Protect events. Symantec Corporation c:\program files\norton antivirus\navapsvc.exe

+ NISUM Handles Norton Internet Security Account Management Symantec Corporation c:\program files\norton internet security\nisum.exe

+ NProtectService Norton Protection Status (Not verified) Symantec Corporation c:\program files\norton antivirus\advtools\nprotect.exe

+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe

+ SBService ScriptBlocking registration Symantec Corporation c:\program files\common files\symantec shared\script blocking\sbserv.exe

+ SymWSC Symantec WMI Service Symantec Corporation c:\program files\common files\symantec shared\security center\symwsc.exe

+ UleadBurningHelper ULCDRSvr (Not verified) Ulead Systems, Inc. c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Advanced Tools Check Norton AntiVirus Advanced Tools Integrity Checker Symantec Corporation c:\program files\norton antivirus\advtools\advchk.exe

+ AWMON Ad-Watch System Protector (Not verified) Lavasoft Sweden c:\program files\lavasoft\ad-aware se professional\ad-watch.exe

+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

+ ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe

+ DAEMON Tools-1033 File not found: C:\Program Files\D-Tools\daemon.exe

+ EPSON Stylus C45 Series EPSON Status Monitor 3 SEIKO EPSON CORPORATION c:\windows\system32\spool\drivers\w32x86\3\e_s4i3t1.exe

+ gHEayU8P File not found: C:\WINDOWS\pymdsb.exe

+ InCD InCD (Not verified) Ahead Software AG c:\program files\ahead\incd\incd.exe

+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ mswspl Realtek Sound Manager (Not verified) Realtek Semiconductor Corp. C:\WINDOWS\soundman.exe

+ NeroFilterCheck NeroCheck (Not verified) Ahead Software Gmbh c:\windows\system32\nerocheck.exe

+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ NvMediaCenter NVIDIA Media Center Library NVIDIA Corporation c:\windows\system32\nvmctray.dll

+ nwiz NVIDIA nView Wizard, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe

+ PCDRealtime (Not verified) Dell c:\windows\realtime.exe

+ PRONoMgr.exe PRONotifyMgr Module (Not verified) Intel(R) Corporation c:\program files\intel\ncs\proset\pronomgr.exe

+ QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ SoundMan Realtek Sound Manager (Not verified) Realtek Semiconductor Corp. C:\WINDOWS\soundman.exe

+ SpyBlocs File not found: C:\Program Files\SpyBlocs\SpyBlocs.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher (Not verified) Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

+ Image Transfer.lnk c:\program files\sony corporation\image transfer\sonytray.exe

C:\Documents and Settings\Karen.REEDMAN\Start Menu\Programs\Startup

+ PowerReg Scheduler.exe PRegScheduler MFC Application c:\documents and settings\karen.reedman\start menu\programs\startup\powerreg scheduler.exe

+ SpywareGuard.lnk SpywareGuard c:\program files\spywareguard\sgmain.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ a-squared c:\program files\a2\a2guard.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Task Scheduler

+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

+ CNavExtBho Class Norton AntiVirusNAVShellExt Module Symantec Corporation c:\program files\norton antivirus\navshext.dll

+ SpywareGuardDLBLOCK.CBrowserHelper SpywareGuard Download Protection c:\program files\spywareguard\dlprotect.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ AlcoholShellEx AXShlEx.dll (Not verified) Alcohol Soft Development Team c:\program files\alcohol soft\alcohol 120\axshlex.dll

+ a² Context Menu Shell Extension c:\program files\a2\a2contmenu.dll

+ Desktop Explorer NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ iTunes iTunes Mini Player DLL (Not verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll

+ My Digital Camera CAMVIEW DLL (Not verified) FotoNation Inc. c:\program files\photodeluxe he 3.0\fotonation explorer\camview.dll

+ NvCpl DesktopContext Class NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Play on my TV helper NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ QuickSFV Shell Extension QuickSFV Shell Extension (Not verified) Mercedes c:\program files\quicksfv1\qsfvshll.dll

+ Shell Extension for CDRW UDF Shell Extension DLL (Not verified) Ahead Software AG c:\program files\ahead\incd\incdshx.dll

+ spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ Norton AntiVirus Norton AntiVirusNAVShellExt Module Symantec Corporation c:\program files\norton antivirus\navshext.dll

Is it looking any better?
Karen

ECA
02-18-2005, 09:51 AM
+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ SpyBlocs File not found: C:\Program Files\SpyBlocs\SpyBlocs.exe
NOT A REAL SPYWARE PROGRAM

+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ gHEayU8P File not found: C:\WINDOWS\pymdsb.exe
Can't find info on this file...... It's NOT Windows... I would FIND it and rename it OLDpymdsb.exe...and see what happens..

These are what I found here...NONE of this is related to Windows...
Night Owl, what do you think....Between these 2 programs...use BOTH???


O4 - Global Startup: Image Transfer.lnk = ?

O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe

O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/

C:\Program Files\Warez P2P Client\warez.exe
BAD, NEVER run this software, it has backdoors INTO YOUR SYSTEM..THERE is NO clean P2P software...Use NEWSGROUPS...much safer..

USE Add/Remove Programs to remove those you can...
Others, do a system search for, all files, ALL folders, ALL extensions and inside SYSTEM/Windows folders.. Erase what you can...then use HijackThis to kill what it has, and then in AUTORUNS...
RESET, rerun, repost...thanks..

nightowl
02-18-2005, 11:47 AM
Reboot to Safe Mode

Delete these Files and or Folders

C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\SpyBlocs\SpyBlocs.exe

I think this is a Trojan, it keeps reloading

C:\WINDOWS\pymdsb.exe

rename it so it looks like this: pymdsb.old

Put in Recycle Bin

Still In Safe Mode Place a check next to each of these and click Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe


Empty Recycle Bin and Post a new log........Jim
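The triage ECA and nightowl do by eye above (a Run entry whose binary is missing or lives under a profile's Application Data folder, a random-looking value name such as gHEayU8P, an IE search setting or proxy pointing somewhere unexpected) can be scripted so the same cues are applied to every line of a log. The following Python is an added example written for this thread; it is not a tool from the forum, from HijackThis or from Sysinternals Autoruns. Its heuristics, thresholds and the "trusted search host" list are the example's own assumptions, and the sample lines are constructed from the logs posted earlier in the thread.

```python
"""Heuristic triage of HijackThis and Autoruns startup listings.

Added example for this thread; not a tool from the forum, from HijackThis or
from Sysinternals Autoruns. The heuristics mirror the cues the helpers above
used by eye, and the thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Sample input constructed from lines posted earlier in this thread.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

SAMPLE_AUTORUNS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
+ gHEayU8P File not found: C:\WINDOWS\pymdsb.exe
+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe
+ SpyBlocs File not found: C:\Program Files\SpyBlocs\SpyBlocs.exe
"""

HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
AUTORUNS_MISSING = re.compile(r"^\+ (?P<name>.+?) File not found: (?P<path>.+)$")
URL = re.compile(r"https?://\S+")
# Long or short (8.3) form of a profile's Application Data folder.
APPDATA = re.compile(r"\\(?:application data|applic~1)\\", re.I)
# Mixed-case alphanumeric with digits and no separators, like gHEayU8P.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")
# Hosts IE's own search settings normally point at (assumption of this example).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")


@dataclass(frozen=True)
class Finding:
    source: str   # "hijackthis" or "autoruns"
    reason: str
    line: str


def _host_of(text: str) -> Optional[str]:
    m = URL.search(text)
    return urlsplit(m.group(0)).hostname if m else None


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return the HijackThis entries that deserve a closer look."""
    out: List[Finding] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            if "ProxyServer" in body:
                out.append(Finding("hijackthis", "proxy configured; confirm it is the ISP's or corporate proxy", line))
            host = _host_of(body)
            if host and not host.endswith(TRUSTED_SEARCH_HOSTS):
                out.append(Finding("hijackthis", f"IE search setting points at {host}", line))
        if APPDATA.search(body):
            out.append(Finding("hijackthis", "loads a binary from a profile's Application Data folder", line))
        if kind == "O2" and body.startswith("BHO: (no name)"):
            out.append(Finding("hijackthis", "browser helper object with no name", line))
        if kind == "O4":
            run = O4_RUN.match(body)
            if run and RANDOM_NAME.match(run.group("name")):
                out.append(Finding("hijackthis", f"random-looking Run value name {run.group('name')!r}", line))
    return out


def triage_autoruns(report_text: str) -> List[Finding]:
    """Return the Autoruns entries (the '+ ' lines) that deserve a closer look."""
    out: List[Finding] = []
    for line in (ln.strip() for ln in report_text.splitlines()):
        if not line.startswith("+ "):
            continue
        missing = AUTORUNS_MISSING.match(line)
        if missing:
            # A Run value whose target is gone: either leftover from an uninstall
            # or a loader that is only present for part of the session.
            out.append(Finding("autoruns", f"startup entry whose binary is missing: {missing.group('path')}", line))
        if APPDATA.search(line):
            out.append(Finding("autoruns", "loads a binary from a profile's Application Data folder", line))
    return out


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT) + triage_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

Run it over a saved HijackThis log or an Autoruns text export by passing the file contents to `triage_hijackthis` or `triage_autoruns`. A flagged entry is something to look up or submit to a scanner, not something to delete on sight: the Autoruns listing above also reports the legitimate DAEMON Tools entry as "File not found", and the proxy line may simply be the ISP's.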

joyacacia
02-18-2005, 10:32 PM
Hi there, I removed Warez, searched for c:\windows\pymdsb.exe but no file found. Log file:

Logfile of HijackThis v1.99.0
Scan saved at 6:21:28 PM, on 19/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.agqlylrgnnhpzoejz.com/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TCt6WWBX3LzT_eNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Spybot check clear but Ad-Aware showing Lop, browser still being hijacked.
Thanks,
Karen

ECA
02-18-2005, 10:53 PM
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe

REALLY gotta find these 2..
Did you go to TOOLS, under Search, and select the options NOT TO HIDE STUFF?
Tools, Options, View...
Display compressed
Show hidden folders and files
DON'T hide known extensions
DON'T hide operating system files..

In the Windows DIR, everything is considered HIDDEN...

nightowl
02-18-2005, 11:06 PM
When you search

Click Search, then click All Files and Folders, Scroll Down and click More Advanced Options.

You should see some options to check. Make sure there is a check mark in these 3 boxes.

Search System Folders

Search Hidden Files and Folders

Search Subfolders

All 3 need to be checked, then go back and type in the file name and find the file and kill it,

After you rename and delete, empty recycle Bin and post a new log.


Reboot and post a new log..........jim

joyacacia
02-19-2005, 05:29 AM
Hi Jim, I'm not having much luck. I did the search as described, no files to be found, then went to regedit and searched for spyblocs and pymdsb.exe. Files came up under Search Assistant, dir acmru, dir 5603 and 5604, so I deleted dir acmru. I also deleted C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM, but after rebooting this has returned and will not let me delete 2 files in the directory. These are cdrom camp exe and coolfiledart. The file ITCH SOFT.exe isn't there.

Here is my log:
Logfile of HijackThis v1.99.0
Scan saved at 1:18:11 AM, on 20/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TD/3VI1hZgh4ueNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

thanks

joyacacia
02-19-2005, 05:37 AM
hi jim, thought this might give you an idea what's going on. This is a log from Ad-Aware, sorry it's a bit long.

19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:11:46 AM>
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM>
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:33:30 AM>
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM>
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:55:23 AM>
19/02/2005 1:17:16 AM> Registry modification detected
19/02/2005 1:17:16 AM>
19/02/2005 1:17:16 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:17:16 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:17:16 AM> Value:Four Bind
19/02/2005 1:17:16 AM> Data:
19/02/2005 1:17:16 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:17:16 AM>
19/02/2005 1:39:09 AM> Registry modification detected
19/02/2005 1:39:09 AM>
19/02/2005 1:39:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:39:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:39:09 AM> Value:Four Bind
19/02/2005 1:39:09 AM> Data:
19/02/2005 1:39:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:39:09 AM>
19/02/2005 2:01:01 AM> Registry modification detected
19/02/2005 2:01:01 AM>
19/02/2005 2:01:01 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:01:01 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:01:01 AM> Value:Four Bind
19/02/2005 2:01:01 AM> Data:
19/02/2005 2:01:01 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:01:01 AM>
19/02/2005 2:22:54 AM> Registry modification detected
19/02/2005 2:22:54 AM>
19/02/2005 2:22:54 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:22:54 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:22:54 AM> Value:Four Bind
19/02/2005 2:22:54 AM> Data:
19/02/2005 2:22:54 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:22:54 AM>
19/02/2005 2:44:47 AM> Registry modification detected
19/02/2005 2:44:47 AM>
19/02/2005 2:44:47 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:44:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:44:47 AM> Value:Four Bind
19/02/2005 2:44:47 AM> Data:
19/02/2005 2:44:47 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:44:47 AM>
19/02/2005 3:06:39 AM> Registry modification detected
19/02/2005 3:06:39 AM>
19/02/2005 3:06:39 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:06:39 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:06:39 AM> Value:Four Bind
19/02/2005 3:06:39 AM> Data:
19/02/2005 3:06:39 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:06:39 AM>
19/02/2005 3:28:32 AM> Registry modification detected
19/02/2005 3:28:32 AM>
19/02/2005 3:28:32 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:28:32 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:28:32 AM> Value:Four Bind
19/02/2005 3:28:32 AM> Data:
19/02/2005 3:28:32 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:28:32 AM>
19/02/2005 3:50:26 AM> Registry modification detected
19/02/2005 3:50:26 AM>
19/02/2005 3:50:26 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:50:26 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:50:26 AM> Value:Four Bind
19/02/2005 3:50:26 AM> Data:
19/02/2005 3:50:26 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:50:26 AM>
19/02/2005 4:12:18 AM> Registry modification detected
19/02/2005 4:12:18 AM>
19/02/2005 4:12:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:12:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:12:18 AM> Value:Four Bind
19/02/2005 4:12:18 AM> Data:
19/02/2005 4:12:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:12:18 AM>
19/02/2005 4:34:11 AM> Registry modification detected
19/02/2005 4:34:11 AM>
19/02/2005 4:34:11 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:34:11 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:34:11 AM> Value:Four Bind
19/02/2005 4:34:11 AM> Data:
19/02/2005 4:34:11 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:34:11 AM>
19/02/2005 4:56:04 AM> Registry modification detected
19/02/2005 4:56:04 AM>
19/02/2005 4:56:04 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:56:04 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:56:04 AM> Value:Four Bind
19/02/2005 4:56:04 AM> Data:
19/02/2005 4:56:04 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:56:04 AM>
19/02/2005 5:18:08 AM> Registry modification detected
19/02/2005 5:18:08 AM>
19/02/2005 5:18:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:18:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:18:08 AM> Value:Four Bind
19/02/2005 5:18:08 AM> Data:
19/02/2005 5:18:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:18:08 AM>
19/02/2005 5:40:36 AM> Registry modification detected
19/02/2005 5:40:36 AM>
19/02/2005 5:40:36 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:40:36 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:40:36 AM> Value:Four Bind
19/02/2005 5:40:36 AM> Data:
19/02/2005 5:40:36 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:40:36 AM>
19/02/2005 6:02:53 AM> Registry modification detected
19/02/2005 6:02:53 AM>
19/02/2005 6:02:53 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:02:53 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:02:53 AM> Value:Four Bind
19/02/2005 6:02:53 AM> Data:
19/02/2005 6:02:53 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:02:53 AM>
19/02/2005 6:24:57 AM> Registry modification detected
19/02/2005 6:24:57 AM>
19/02/2005 6:24:57 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:24:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:24:57 AM> Value:Four Bind
19/02/2005 6:24:57 AM> Data:
19/02/2005 6:24:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:24:57 AM>
19/02/2005 6:46:58 AM> Registry modification detected
19/02/2005 6:46:58 AM>
19/02/2005 6:46:58 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:46:58 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:46:58 AM> Value:Four Bind
19/02/2005 6:46:58 AM> Data:
19/02/2005 6:46:58 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:46:58 AM>
19/02/2005 7:09:03 AM> Registry modification detected
19/02/2005 7:09:03 AM>
19/02/2005 7:09:03 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:09:03 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:09:03 AM> Value:Four Bind
19/02/2005 7:09:03 AM> Data:
19/02/2005 7:09:03 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:09:03 AM>
19/02/2005 7:31:09 AM> Registry modification detected
19/02/2005 7:31:09 AM>
19/02/2005 7:31:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:31:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:31:09 AM> Value:Four Bind
19/02/2005 7:31:09 AM> Data:
19/02/2005 7:31:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:31:09 AM>
19/02/2005 7:53:09 AM> Registry modification detected
19/02/2005 7:53:09 AM>
19/02/2005 7:53:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:53:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:53:09 AM> Value:Four Bind
19/02/2005 7:53:09 AM> Data:
19/02/2005 7:53:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:53:09 AM>
19/02/2005 8:15:08 AM> Registry modification detected
19/02/2005 8:15:08 AM>
19/02/2005 8:15:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:15:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:15:08 AM> Value:Four Bind
19/02/2005 8:15:08 AM> Data:
19/02/2005 8:15:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:15:08 AM>
19/02/2005 8:37:08 AM> Registry modification detected
19/02/2005 8:37:08 AM>
19/02/2005 8:37:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:37:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:37:08 AM> Value:Four Bind
19/02/2005 8:37:08 AM> Data:
19/02/2005 8:37:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:37:08 AM>
19/02/2005 8:59:13 AM> Registry modification detected
19/02/2005 8:59:13 AM>
19/02/2005 8:59:13 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:13 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:13 AM> Value:Four Bind
19/02/2005 8:59:13 AM> Data:
19/02/2005 8:59:13 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:59:13 AM>
19/02/2005 9:21:12 AM> Registry modification detected
19/02/2005 9:21:12 AM>
19/02/2005 9:21:12 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:21:12 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:21:12 AM> Value:Four Bind
19/02/2005 9:21:12 AM> Data:
19/02/2005 9:21:12 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:21:12 AM>
19/02/2005 9:43:18 AM> Registry modification detected
19/02/2005 9:43:18 AM>
19/02/2005 9:43:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:43:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:43:18 AM> Value:Four Bind
19/02/2005 9:43:18 AM> Data:
19/02/2005 9:43:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:43:18 AM>
19/02/2005 10:05:31 AM> Registry modification detected
19/02/2005 10:05:31 AM>
19/02/2005 10:05:31 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:05:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:05:31 AM> Value:Four Bind
19/02/2005 10:05:31 AM> Data:
19/02/2005 10:05:31 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:05:31 AM>
19/02/2005 10:11:28 AM> Registry modification detected
19/02/2005 10:11:28 AM>
19/02/2005 10:11:28 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:28 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:28 AM> Value:Start Page
19/02/2005 10:11:28 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:28 AM> New Data:http://www.google.com
19/02/2005 10:11:28 AM>
19/02/2005 10:11:40 AM> Registry modification detected
19/02/2005 10:11:40 AM>
19/02/2005 10:11:40 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:40 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:40 AM> Value:Start Page
19/02/2005 10:11:40 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:40 AM> New Data:http://www.google.com
19/02/2005 10:11:40 AM>
19/02/2005 10:11:43 AM> Registry modification detected
19/02/2005 10:11:43 AM>
19/02/2005 10:11:43 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:43 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:43 AM> Value:Start Page
19/02/2005 10:11:43 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:43 AM> New Data:http://www.google.com
19/02/2005 10:11:43 AM>
19/02/2005 10:31:45 AM> Registry modification detected
19/02/2005 10:31:45 AM>
19/02/2005 10:31:45 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:31:45 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:31:45 AM> Value:Four Bind
19/02/2005 10:31:45 AM> Data:
19/02/2005 10:31:45 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:31:45 AM>
19/02/2005 12:43:30 PM> Registry modification detected
19/02/2005 12:43:30 PM>
19/02/2005 12:43:30 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:30 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:30 PM> Value:mswspl
19/02/2005 12:43:30 PM> Data:SOUNDMAN.EXE
19/02/2005 12:43:30 PM> New Data:
19/02/2005 12:43:30 PM>
19/02/2005 12:43:31 PM> Registry modification detected
19/02/2005 12:43:31 PM>
19/02/2005 12:43:31 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:31 PM> Key:Software\Microsoft\Internet Explorer\Search
19/02/2005 12:43:31 PM> Value:CustomizeSearch
19/02/2005 12:43:31 PM> Data:http://minisearch.startnow.com/
19/02/2005 12:43:31 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
19/02/2005 12:43:31 PM>
19/02/2005 12:43:33 PM> Registry modification detected
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:DAEMON Tools-1033
19/02/2005 12:43:33 PM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Registry modification detected
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:SpyBlocs
19/02/2005 12:43:33 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:LOG ROAM HELP WAY
19/02/2005 12:43:34 PM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:gHEayU8P
19/02/2005 12:43:34 PM> Data:C:\WINDOWS\pymdsb.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 1:26:02 PM> Registry modification detected
19/02/2005 1:26:02 PM>
19/02/2005 1:26:02 PM> Root:HKEY_CURRENT_USER
19/02/2005 1:26:02 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:26:02 PM> Value:Four Bind
19/02/2005 1:26:02 PM> Data:
19/02/2005 1:26:02 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:26:02 PM>
19/02/2005 3:52:08 PM> Registry modification detected
19/02/2005 3:52:08 PM>
19/02/2005 3:52:08 PM> Root:HKEY_CURRENT_USER
19/02/2005 3:52:08 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:52:08 PM> Value:Four Bind
19/02/2005 3:52:08 PM> Data:
19/02/2005 3:52:08 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:52:08 PM>
19/02/2005 4:11:50 PM> Tracking cookie blocked.
19/02/2005 4:11:50 PM> Last Sync Time: 19/02/2005 4:11:46 PM
19/02/2005 4:11:50 PM> Name: Cookie:karen@revenue.net/
19/02/2005 4:11:50 PM> Size: 166 Bytes.
19/02/2005 4:11:50 PM> Hits: 1
19/02/2005 4:11:50 PM> UseCount: 0
19/02/2005 4:11:50 PM> Expires: 10/06/2022 4:05:42 PM
19/02/2005 4:11:50 PM>
19/02/2005 5:16:00 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:16:00 PM> 19/02/2005 5:16:00 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:00 PM> Browser event
19/02/2005 5:16:00 PM> Parentprocess:
19/02/2005 5:16:00 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:00 PM> Handle:399441920
19/02/2005 5:16:00 PM> Classname:WorkerW
19/02/2005 5:16:00 PM>
19/02/2005 5:16:51 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:16:51 PM> 19/02/2005 5:16:51 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:51 PM> Browser event
19/02/2005 5:16:51 PM> Parentprocess:
19/02/2005 5:16:51 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:51 PM> Handle:399441920
19/02/2005 5:16:51 PM> Classname:WorkerW
19/02/2005 5:16:51 PM>
19/02/2005 5:17:06 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:17:06 PM> 19/02/2005 5:17:06 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:17:06 PM> Browser event
19/02/2005 5:17:06 PM> Parentprocess:
19/02/2005 5:17:06 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:17:06 PM> Handle:399441920
19/02/2005 5:17:06 PM> Classname:WorkerW
19/02/2005 5:17:06 PM>
19/02/2005 6:11:58 PM> Registry modification detected
19/02/2005 6:11:58 PM>
19/02/2005 6:11:58 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 6:11:58 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:11:58 PM> Value:SpyBlocs
19/02/2005 6:11:58 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 6:11:58 PM> New Data:
19/02/2005 6:11:58 PM>
19/02/2005 6:12:01 PM> Registry modification detected
19/02/2005 6:12:01 PM>
19/02/2005 6:12:01 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 6:12:01 PM> Key:Software\Microsoft\Internet Explorer\Search
19/02/2005 6:12:01 PM> Value:CustomizeSearch
19/02/2005 6:12:01 PM> Data:http://minisearch.startnow.com/
19/02/2005 6:12:01 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
19/02/2005 6:12:01 PM>
19/02/2005 6:20:01 PM> Registry modification detected
19/02/2005 6:20:01 PM>
19/02/2005 6:20:01 PM> Root:HKEY_CURRENT_USER
19/02/2005 6:20:01 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:20:01 PM> Value:Four Bind
19/02/2005 6:20:01 PM> Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:20:01 PM> New Data:
19/02/2005 6:20:01 PM>
19/02/2005 8:59:22 PM> Registry modification detected
19/02/2005 8:59:22 PM>
19/02/2005 8:59:22 PM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:22 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:22 PM> Value:Four Bind
19/02/2005 8:59:22 PM> Data:
19/02/2005 8:59:22 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:59:22 PM>
19/02/2005 10:47:37 PM> Registry modification detected
19/02/2005 10:47:37 PM>
19/02/2005 10:47:37 PM> Root:HKEY_CURRENT_USER
19/02/2005 10:47:37 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:47:37 PM> Value:Four Bind
19/02/2005 10:47:37 PM> Data:
19/02/2005 10:47:37 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:47:37 PM>
19/02/2005 10:56:28 PM> Registry modification detected
19/02/2005 10:56:28 PM>
19/02/2005 10:56:28 PM> Root:HKEY_CURRENT_USER
19/02/2005 10:56:28 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:56:28 PM> Value:Four Bind
19/02/2005 10:56:28 PM> Data:
19/02/2005 10:56:28 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:56:28 PM>
20/02/2005 12:56:38 AM> Registry modification detected
20/02/2005 12:56:38 AM>
20/02/2005 12:56:38 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:38 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:38 AM> Value:mswspl
20/02/2005 12:56:38 AM> Data:SOUNDMAN.EXE
20/02/2005 12:56:38 AM> New Data:
20/02/2005 12:56:38 AM>
20/02/2005 12:56:46 AM> Registry modification detected
20/02/2005 12:56:46 AM>
20/02/2005 12:56:46 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:46 AM> Value:DAEMON Tools-1033
20/02/2005 12:56:46 AM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
20/02/2005 12:56:46 AM> New Data:
20/02/2005 12:56:46 AM>
20/02/2005 12:56:50 AM> Registry modification detected
20/02/2005 12:56:50 AM>
20/02/2005 12:56:50 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:50 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:50 AM> Value:LOG ROAM HELP WAY
20/02/2005 12:56:50 AM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 12:56:50 AM> New Data:
20/02/2005 12:56:50 AM>
20/02/2005 12:56:52 AM> Registry modification detected
20/02/2005 12:56:52 AM>
20/02/2005 12:56:52 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:52 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:52 AM> Value:gHEayU8P
20/02/2005 12:56:52 AM> Data:C:\WINDOWS\pymdsb.exe
20/02/2005 12:56:52 AM> New Data:
20/02/2005 12:56:52 AM>
20/02/2005 1:00:57 AM> Registry modification detected
20/02/2005 1:00:57 AM>
20/02/2005 1:00:57 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:00:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:00:57 AM> Value:Four Bind
20/02/2005 1:00:57 AM> Data:
20/02/2005 1:00:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
20/02/2005 1:00:57 AM>
20/02/2005 1:01:06 AM> Registry modification detected
20/02/2005 1:01:06 AM>
20/02/2005 1:01:06 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 1:01:06 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:01:06 AM> Value:LOG ROAM HELP WAY
20/02/2005 1:01:06 AM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 1:01:06 AM> New Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\cdrom camp.exe
20/02/2005 1:01:06 AM>
20/02/2005 1:01:13 AM> Registry modification detected
20/02/2005 1:01:13 AM>
20/02/2005 1:01:13 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:13 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:13 AM> Value:Search Page
20/02/2005 1:01:13 AM> Data:http://www.google.com
20/02/2005 1:01:13 AM> New Data:
20/02/2005 1:01:13 AM>
20/02/2005 1:01:28 AM> Registry modification detected
20/02/2005 1:01:28 AM>
20/02/2005 1:01:28 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:28 AM> Key:Software\Microsoft\Internet Explorer\Search
20/02/2005 1:01:28 AM> Value:SearchAssistant
20/02/2005 1:01:28 AM> Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
20/02/2005 1:01:28 AM> New Data:
20/02/2005 1:01:28 AM>
20/02/2005 1:01:36 AM> Registry modification detected
20/02/2005 1:01:36 AM>
20/02/2005 1:01:36 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:36 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:36 AM> Value:Search Page
20/02/2005 1:01:36 AM> Data:http://www.google.com
20/02/2005 1:01:36 AM> New Data:
20/02/2005 1:01:36 AM>
20/02/2005 1:01:40 AM> Registry modification detected
20/02/2005 1:01:40 AM>
20/02/2005 1:01:40 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 1:01:40 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:40 AM> Value:Search Page
20/02/2005 1:01:40 AM> Data:http://www.google.com
20/02/2005 1:01:40 AM> New Data:
20/02/2005 1:01:40 AM>
20/02/2005 1:01:59 AM> Registry modification detected
20/02/2005 1:01:59 AM>
20/02/2005 1:01:59 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:59 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:59 AM> Value:Start Page
20/02/2005 1:01:59 AM> Data:http://www.google.com
20/02/2005 1:01:59 AM> New Data:http://www.pxkgrnpeuxqwjamylovnb.com/eQ7JEMmzpXojeBGgavWbtTQL7JaLjVf7AQ4vIlmOKzY.html
20/02/2005 1:01:59 AM>
20/02/2005 1:02:04 AM> ===============================================
20/02/2005 1:02:04 AM> Starting New Session..
20/02/2005 1:02:04 AM> ===============================================
20/02/2005 1:02:04 AM>
20/02/2005 1:02:04 AM> DefinitionFile SE1R28 16.02.2005 loaded successfully.
20/02/2005 1:02:04 AM> File Size :1300934
20/02/2005 1:02:04 AM> Build:SE1R28 16.02.2005
20/02/2005 1:02:04 AM> Total Signatures :34787
20/02/2005 1:02:04 AM> Target Families :632
20/02/2005 1:02:04 AM> Target Categories :6
20/02/2005 1:02:04 AM> Blocked Sites :3229
20/02/2005 1:02:04 AM>
20/02/2005 1:24:49 AM> Registry modification detected
20/02/2005 1:24:49 AM>
20/02/2005 1:24:49 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:24:49 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:24:49 AM> Value:Four Bind
20/02/2005 1:24:49 AM> Data:
20/02/2005 1:24:49 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
20/02/2005 1:24:49 AM>
20/02/2005 1:27:24 AM> Registry modification detected
20/02/2005 1:27:24 AM>
20/02/2005 1:27:24 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:27:24 AM> Key:Software\Microsoft\Internet Explorer\SearchUrl
20/02/2005 1:27:24 AM> Value:provider
20/02/2005 1:27:24 AM> Data:
20/02/2005 1:27:24 AM> New Data:
20/02/2005 1:27:24 AM>

thanks for helping
karen
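One thing the Ad-Watch log above makes visible is that the same `HKCU\...\Run` value, `Four Bind`, is written back roughly every 22 minutes after each block: a process that is still running is restoring its own persistence, so deleting the registry value by itself will never stick. The Python below is an added example, not code from the thread or from Lavasoft; it parses Ad-Watch "Registry modification detected" blocks and flags autorun values that keep coming back. The sample log is constructed in the same layout, reusing the thread's timestamps and the `Four Bind` value name; every file path and URL in it is a placeholder.

```python
"""Summarise Ad-Watch 'Registry modification detected' events (added example,
not from the thread): group events by registry location and flag autorun
values that keep being written back, the sign of a live process re-creating
its own persistence."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)>\s?(.*)$")
TS_FMT = "%d/%m/%Y %I:%M:%S %p"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _block(ts, root, key, value, old, new):
    """Render one Ad-Watch block in the layout the tool writes (constructed)."""
    fields = ("Registry modification detected", "", f"Root:{root}", f"Key:{key}",
              f"Value:{value}", f"Data:{old}", f"New Data:{new}", "")
    return "\n".join(f"{ts}> {f}".rstrip() for f in fields)


# Constructed sample: timestamps and the 'Four Bind' value name are taken
# from the posted log; every path and URL here is a placeholder.
SAMPLE_LOG = "\n".join(_block(*b) for b in [
    ("19/02/2005 12:11:46 AM", "HKEY_CURRENT_USER", RUN_KEY, "Four Bind", "", r"C:\PLACEH~1\dropper.exe"),
    ("19/02/2005 12:33:30 AM", "HKEY_CURRENT_USER", RUN_KEY, "Four Bind", "", r"C:\PLACEH~1\dropper.exe"),
    ("19/02/2005 12:55:23 AM", "HKEY_CURRENT_USER", RUN_KEY, "Four Bind", "", r"C:\PLACEH~1\dropper.exe"),
    ("19/02/2005 1:17:16 AM", "HKEY_CURRENT_USER", RUN_KEY, "Four Bind", "", r"C:\PLACEH~1\dropper.exe"),
    ("19/02/2005 10:11:28 AM", "HKEY_CURRENT_USER", r"Software\Microsoft\Internet Explorer\Main",
     "Start Page", "http://hijacked.example/", "http://www.google.com"),
    ("19/02/2005 12:43:33 PM", "HKEY_LOCAL_MACHINE", RUN_KEY, "PlaceholderRun", r"C:\PLACEH~1\other.exe", ""),
])


def parse_events(text):
    """Return one dict per complete block; stray or partial blocks are skipped."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, rest = m.groups()
        if rest == "Registry modification detected":
            cur = {"time": datetime.strptime(ts, TS_FMT)}
        elif cur is None:
            continue
        elif rest.startswith("New Data:"):          # last field closes the block
            cur["new"] = rest[len("New Data:"):]
            if all(k in cur for k in ("root", "key", "value", "old")):
                events.append(cur)
            cur = None
        elif rest.startswith("Root:"):
            cur["root"] = rest[len("Root:"):]
        elif rest.startswith("Key:"):
            cur["key"] = rest[len("Key:"):]
        elif rest.startswith("Value:"):
            cur["value"] = rest[len("Value:"):]
        elif rest.startswith("Data:"):
            cur["old"] = rest[len("Data:"):]
    return events


def classify(ev):
    """'added' (blank -> value), 'removed' (value -> blank) or 'changed'."""
    if not ev["old"] and ev["new"]:
        return "added"
    if ev["old"] and not ev["new"]:
        return "removed"
    return "changed"


def summarize(events):
    """Per (root, key, value): counts by kind plus the time of every add."""
    by_loc = defaultdict(lambda: {"added": 0, "removed": 0, "changed": 0, "add_times": []})
    for ev in events:
        entry = by_loc[(ev["root"], ev["key"], ev["value"])]
        kind = classify(ev)
        entry[kind] += 1
        if kind == "added":
            entry["add_times"].append(ev["time"])
    return dict(by_loc)


def readd_intervals(entry):
    """Seconds between consecutive writes of the same value."""
    ts = sorted(entry["add_times"])
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def flag_self_restoring(summary, min_adds=3):
    """Autorun values written back at least min_adds times. Something still
    running re-creates them, so removing the value alone will not stick: the
    process and its file have to go first, or the value will be back."""
    return [(loc, e["added"], readd_intervals(e)) for loc, e in summary.items()
            if loc[1].lower().endswith(r"currentversion\run") and e["added"] >= min_adds]


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for loc, n, gaps in flag_self_restoring(summary):
        print(f"{loc[0]}\\{loc[1]}\\{loc[2]}: re-added {n} times, gaps {gaps} s")
```

Run against a real Ad-Watch log, the flagged entries are the ones to chase back to a running process and its on-disk file (Task Manager or a HijackThis process list), rather than to keep deleting from the registry; the near-constant gap between re-adds is itself a useful hint that a timer-driven component is doing the writing.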

nightowl
02-19-2005, 10:45 AM
That Ad-Aware scan is long. All it does is give me a headache :eww. Maybe ECA can find something on it.

hi jim, I'm not having much luck. Did the search as described, no files to be found, then went to regedit and searched for spyblocs and pymdsb.exe. Files came up under search assistant, dir acmru, dir 5603 and 5604, so I deleted dir acmru. I also deleted C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM, but after rebooting this has returned and will not let me delete 2 files in the directory. These are cdrom camp.exe and coolfiledart. The file ITCH SOFT.exe isn't there.

here is my log
Logfile of HijackThis v1.99.0
Scan saved at 1:18:11 AM, on 20/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/e...eNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/C...2/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

nightowl
02-19-2005, 11:00 AM
OK, I'm going to delete a few more things that may be causing this.

Reboot to Safe Mode (tap F8 on startup).

Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/e...eNFaXfIIBh.html
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/C...2/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42

Still in Safe Mode, delete all Temporary Internet Files and cookies, run Ad-Aware and Spybot, delete what they find, and empty the Recycle Bin.


Then reboot and post a new log. Jim
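
nightowl's list removes the Run values and the O17 NameServer entry, but the check a practitioner wants before calling the box clean is whether something keeps putting them back. As an added example (not code from this thread, nor from HijackThis or SpywareGuard), the Python below reads a registry-change monitor log in the "Registry modification detected" layout quoted later in the thread, groups identical writes, and flags a value that is re-added at a steady cadence, an autorun pointing into a user's Application Data folder, and an Internet Explorer Start Page flip. The sample log, the `USER~1` profile and the `dropper.exe` path in it are constructed for the demo and are not identifiers from the thread.

```python
"""Triage a registry-change monitor log for persistence that keeps coming back.

Added example for this thread, not code from any poster nor from SpywareGuard
or HijackThis. The record layout copies the "Registry modification detected"
blocks quoted in the thread; the sample log below is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

TS_FMT = "%d/%m/%Y %I:%M:%S %p"
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)>\s*(.*)$")
RUN_KEY = r"software\microsoft\windows\currentversion\run"


def _record(ts, root, key, value, old, new):
    """Render one monitor record in the thread's layout (helper for the constructed sample)."""
    fields = ["Registry modification detected", "", f"Root:{root}", f"Key:{key}",
              f"Value:{value}", f"Data:{old}", f"New Data:{new}", ""]
    return "".join(f"{ts}> {body}\n" if body else f"{ts}>\n" for body in fields)


HKCU = "HKEY_CURRENT_USER"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
DROPPER = r"C:\DOCUME~1\USER~1\APPLIC~1\DUPEMA~1\dropper.exe"  # hypothetical path
SAMPLE_LOG = "".join(
    [_record(ts, HKCU, RUN, "Four Bind", "", DROPPER)
     for ts in ("19/02/2005 12:11:46 AM", "19/02/2005 12:33:30 AM",
                "19/02/2005 12:55:23 AM", "19/02/2005 1:17:16 AM")]
    + [_record("19/02/2005 9:00:00 AM", "HKEY_LOCAL_MACHINE", RUN, "AWMON", "",
               r"C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"),
       _record("19/02/2005 10:11:28 AM", HKCU, IE_MAIN, "Start Page",
               "http://example.invalid/hijack.php", "http://www.google.com")]
)


def parse_monitor_log(text):
    """Split the log into records: {"ts": datetime, "Root": ..., "Key": ..., ...}."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate junk or wrapped lines
        ts, body = m.groups()
        if body == "Registry modification detected":
            current = {"ts": datetime.strptime(ts, TS_FMT)}
            records.append(current)
        elif current is not None and ":" in body:
            field, _, val = body.partition(":")  # "New Data:C:\..." splits on the first colon
            current[field.strip()] = val.strip()
    return records


def _in_user_profile(path):
    """True for a path under a user's Application Data folder (8.3 or long form)."""
    p = path.lower()
    return (("\\docume~1\\" in p or "\\documents and settings\\" in p)
            and ("\\applic~1\\" in p or "\\application data\\" in p))


def analyze(text, min_repeats=3, jitter_seconds=120):
    """Return findings: periodic re-adds, autoruns in user-writable dirs, start-page flips."""
    groups = defaultdict(list)
    for r in parse_monitor_log(text):
        ident = (r.get("Root", ""), r.get("Key", ""), r.get("Value", ""),
                 r.get("Data", ""), r.get("New Data", ""))
        groups[ident].append(r["ts"])

    findings = []
    for (root, key, value, old, new), stamps in groups.items():
        stamps.sort()
        where = f"{root}\\{key}\\{value}"
        # The same value rewritten with the same data at a steady cadence means a
        # still-running process is re-planting it; deleting the key alone will not stick.
        if len(stamps) >= min_repeats:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= jitter_seconds:
                findings.append({"kind": "periodic_readd", "where": where, "value": value,
                                 "count": len(stamps), "interval_s": statistics.median(gaps),
                                 "data": new})
        if key.lower() == RUN_KEY and _in_user_profile(new):
            findings.append({"kind": "autorun_in_user_profile", "where": where,
                             "value": value, "data": new})
        if key.lower().endswith(r"internet explorer\main") and value.lower() == "start page":
            findings.append({"kind": "startpage_change", "where": where, "value": value,
                             "from": old, "to": new})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it on a real log with `analyze(open(path).read())`. A `periodic_readd` finding on a Run value means a process is still alive and rewriting it, so the cleanup has to start with stopping that process (or booting to Safe Mode, as above) before the key is deleted; the O17 NameServer entry deserves the same re-check after reboot.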

ECA
02-19-2005, 11:38 AM
I see all this and say... WOW, Google is sending you LOTS of crap... AND they're all reg changes... Keep reading as I go through...


19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:11:46 AM>
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM>
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:33:30 AM>
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM>
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:55:23 AM>
19/02/2005 1:17:16 AM> Registry modification detected
19/02/2005 1:17:16 AM>
19/02/2005 1:17:16 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:17:16 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:17:16 AM> Value:Four Bind
19/02/2005 1:17:16 AM> Data:
19/02/2005 1:17:16 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:17:16 AM>
19/02/2005 1:39:09 AM> Registry modification detected
19/02/2005 1:39:09 AM>
19/02/2005 1:39:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:39:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:39:09 AM> Value:Four Bind
19/02/2005 1:39:09 AM> Data:
19/02/2005 1:39:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:39:09 AM>
19/02/2005 2:01:01 AM> Registry modification detected
19/02/2005 2:01:01 AM>
19/02/2005 2:01:01 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:01:01 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:01:01 AM> Value:Four Bind
19/02/2005 2:01:01 AM> Data:
19/02/2005 2:01:01 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:01:01 AM>
19/02/2005 2:22:54 AM> Registry modification detected
19/02/2005 2:22:54 AM>
19/02/2005 2:22:54 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:22:54 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:22:54 AM> Value:Four Bind
19/02/2005 2:22:54 AM> Data:
19/02/2005 2:22:54 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:22:54 AM>
19/02/2005 2:44:47 AM> Registry modification detected
19/02/2005 2:44:47 AM>
19/02/2005 2:44:47 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:44:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:44:47 AM> Value:Four Bind
19/02/2005 2:44:47 AM> Data:
19/02/2005 2:44:47 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:44:47 AM>
19/02/2005 3:06:39 AM> Registry modification detected
19/02/2005 3:06:39 AM>
19/02/2005 3:06:39 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:06:39 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:06:39 AM> Value:Four Bind
19/02/2005 3:06:39 AM> Data:
19/02/2005 3:06:39 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:06:39 AM>
19/02/2005 3:28:32 AM> Registry modification detected
19/02/2005 3:28:32 AM>
19/02/2005 3:28:32 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:28:32 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:28:32 AM> Value:Four Bind
19/02/2005 3:28:32 AM> Data:
19/02/2005 3:28:32 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:28:32 AM>
19/02/2005 3:50:26 AM> Registry modification detected
19/02/2005 3:50:26 AM>
19/02/2005 3:50:26 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:50:26 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:50:26 AM> Value:Four Bind
19/02/2005 3:50:26 AM> Data:
19/02/2005 3:50:26 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:50:26 AM>
19/02/2005 4:12:18 AM> Registry modification detected
19/02/2005 4:12:18 AM>
19/02/2005 4:12:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:12:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:12:18 AM> Value:Four Bind
19/02/2005 4:12:18 AM> Data:
19/02/2005 4:12:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:12:18 AM>
19/02/2005 4:34:11 AM> Registry modification detected
19/02/2005 4:34:11 AM>
19/02/2005 4:34:11 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:34:11 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:34:11 AM> Value:Four Bind
19/02/2005 4:34:11 AM> Data:
19/02/2005 4:34:11 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:34:11 AM>
19/02/2005 4:56:04 AM> Registry modification detected
19/02/2005 4:56:04 AM>
19/02/2005 4:56:04 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:56:04 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:56:04 AM> Value:Four Bind
19/02/2005 4:56:04 AM> Data:
19/02/2005 4:56:04 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:56:04 AM>
19/02/2005 5:18:08 AM> Registry modification detected
19/02/2005 5:18:08 AM>
19/02/2005 5:18:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:18:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:18:08 AM> Value:Four Bind
19/02/2005 5:18:08 AM> Data:
19/02/2005 5:18:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:18:08 AM>
19/02/2005 5:40:36 AM> Registry modification detected
19/02/2005 5:40:36 AM>
19/02/2005 5:40:36 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:40:36 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:40:36 AM> Value:Four Bind
19/02/2005 5:40:36 AM> Data:
19/02/2005 5:40:36 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:40:36 AM>
19/02/2005 6:02:53 AM> Registry modification detected
19/02/2005 6:02:53 AM>
19/02/2005 6:02:53 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:02:53 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:02:53 AM> Value:Four Bind
19/02/2005 6:02:53 AM> Data:
19/02/2005 6:02:53 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:02:53 AM>
19/02/2005 6:24:57 AM> Registry modification detected
19/02/2005 6:24:57 AM>
19/02/2005 6:24:57 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:24:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:24:57 AM> Value:Four Bind
19/02/2005 6:24:57 AM> Data:
19/02/2005 6:24:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:24:57 AM>
19/02/2005 6:46:58 AM> Registry modification detected
19/02/2005 6:46:58 AM>
19/02/2005 6:46:58 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:46:58 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:46:58 AM> Value:Four Bind
19/02/2005 6:46:58 AM> Data:
19/02/2005 6:46:58 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:46:58 AM>
19/02/2005 7:09:03 AM> Registry modification detected
19/02/2005 7:09:03 AM>
19/02/2005 7:09:03 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:09:03 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:09:03 AM> Value:Four Bind
19/02/2005 7:09:03 AM> Data:
19/02/2005 7:09:03 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:09:03 AM>
19/02/2005 7:31:09 AM> Registry modification detected
19/02/2005 7:31:09 AM>
19/02/2005 7:31:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:31:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:31:09 AM> Value:Four Bind
19/02/2005 7:31:09 AM> Data:
19/02/2005 7:31:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:31:09 AM>
19/02/2005 7:53:09 AM> Registry modification detected
19/02/2005 7:53:09 AM>
19/02/2005 7:53:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:53:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:53:09 AM> Value:Four Bind
19/02/2005 7:53:09 AM> Data:
19/02/2005 7:53:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:53:09 AM>
19/02/2005 8:15:08 AM> Registry modification detected
19/02/2005 8:15:08 AM>
19/02/2005 8:15:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:15:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:15:08 AM> Value:Four Bind
19/02/2005 8:15:08 AM> Data:
19/02/2005 8:15:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:15:08 AM>
19/02/2005 8:37:08 AM> Registry modification detected
19/02/2005 8:37:08 AM>
19/02/2005 8:37:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:37:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:37:08 AM> Value:Four Bind
19/02/2005 8:37:08 AM> Data:
19/02/2005 8:37:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:37:08 AM>
19/02/2005 8:59:13 AM> Registry modification detected
19/02/2005 8:59:13 AM>
19/02/2005 8:59:13 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:13 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:13 AM> Value:Four Bind
19/02/2005 8:59:13 AM> Data:
19/02/2005 8:59:13 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:59:13 AM>
19/02/2005 9:21:12 AM> Registry modification detected
19/02/2005 9:21:12 AM>
19/02/2005 9:21:12 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:21:12 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:21:12 AM> Value:Four Bind
19/02/2005 9:21:12 AM> Data:
19/02/2005 9:21:12 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:21:12 AM>
19/02/2005 9:43:18 AM> Registry modification detected
19/02/2005 9:43:18 AM>
19/02/2005 9:43:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:43:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:43:18 AM> Value:Four Bind
19/02/2005 9:43:18 AM> Data:
19/02/2005 9:43:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:43:18 AM>
19/02/2005 10:05:31 AM> Registry modification detected
19/02/2005 10:05:31 AM>
19/02/2005 10:05:31 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:05:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:05:31 AM> Value:Four Bind
19/02/2005 10:05:31 AM> Data:
19/02/2005 10:05:31 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:05:31 AM>
19/02/2005 10:11:28 AM> Registry modification detected
19/02/2005 10:11:28 AM>
19/02/2005 10:11:28 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:28 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:28 AM> Value:Start Page
19/02/2005 10:11:28 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
19/02/2005 10:11:28 AM> New Data:http://www.google.com
19/02/2005 10:11:28 AM>
19/02/2005 10:11:40 AM> Registry modification detected
19/02/2005 10:11:40 AM>
19/02/2005 10:11:40 AM> Root:HKEY_CURRENT_USER
19/02/20