Help - surf sidekick 3 is attacking!

Question

shazp4 0 Newbie Poster

18 Years Ago

I read previous post where you suggested the person download 'hijack this' and do a copy of the log. Well, here is mine:

Scan saved at 8:36:50 PM, on 7/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Frag Five Camp Each] C:\Documents and Settings\All Users\Application Data\AcidPhoneFragFive\Real That.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169536.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\h84m0ih1e84.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

I have used spybot, adaware & xoftspy - but they cannot remove all files.
I currently cannot use add/remove programs (am thinking I am going to have to reformat :sad: )

Can you help me at all???

windows-virus

2 Contributors
10 Replies
339 Views
4 Days Discussion Span
Latest Post 18 Years Ago Latest Post by D3m3nt3d

All 10 Replies

D3m3nt3d 1 Posting Whiz in Training

18 Years Ago

You also have a Look2Me infection, we will deal with that after SSK.

I am going to give you the fix from my website here..

SurfSideKick Removal

NOTE: There are several variants of SurfSideKick. Not all the files, folders, and HijackThis entries will be present on your sytem. If you do not find one or more of the items listed, just continue with the fix.

Print out these instructions.

Download and Install:
- CCleaner
- HijackThis
- Unlocker (Windows 2000/XP Only)

Download to your Desktop:
- SSKfix98 (Windows 98/ME only)
- SSKfixXP (Windows 2000/XP only)

Read and Understand the following:
- How to view hidden, system files & folders!
- How to search for hidden files on Windows XP

Identifying SurfSideKick

In HijackThis look for lines similar to the ones below

R3 - URLSearchHook: (no name) - {000AB005-FF12-42C2-8DF5-39E12E5F9C91} - C:\Program Files\SurfSideKick\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - AppInit_DLLs: repairs.dll
O20 - AppInit_DLLs: repairs302972943.dll (NOTE: This may have a different number)

Close all browsers and keep them closed throughout the entire removal process.

Step 1 - Stopping running Processes

In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:

C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe

Choose Kill Process

NOTE: If VCClient.exe and VCMain.exe are not present then continue.

Step 2 - Uninstalling SurfSideKick

Using Add or Remove Programs in the Control Panel uninstall the following:

Surfsidekick
Surfsidekick 2
Surfsidekick 3

If SurfSideKick is not in Add or Remove Programs, do the following:

Open Windows Explorer and check to see if any of the below exist. If not, skip to Step 3 - Cleaning. Otherwise continue with the below:

C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3

If one or more of the above SSK entries are found in Program Files do the following:

Start -> Run
Type "C:\Program Files\SurfSideKick\ssk.exe" /u -> OK

Start -> Run
Type "C:\Program Files\SurfSideKick 2\ssk.exe" /u -> OK

Start -> Run
Type "C:\Program Files\SurfSideKick 3\ssk.exe" /u -> OK

WARNING: DO NOT reboot your computer if prompted to do so until you have run the uninstaller for each directory that is present.

Enter the given security code (generated automatically by the uninstaller) -> OK

Click on YES at the reboot prompt.

[img]http://img24.imageshack.us/img24/9371/ssk17gh.jpg[/img]

Make sure PC boots to Safe Mode.

Step 3 - Cleaning (Done While in Safe Mode)

Open Windows Explorer and browse to:

- For Win2K/XP it may be in c:\windows\system32 or c:\winnt\system32
- For Win9x/Me it may be in c:\windows\system or c:\windows

Look for all instances of:

repairs.dll
repairs302972940.dll
repairs302972943.dll
repairs302972958.dll
repairs302972970.dll
repairs302972979.dll
repairs302972982.dll
repairs302972985.dll
repairs302972988.dll

once located, right-click > Unlocker > Unlock All

If none of the repairs.dll can be found then search for all files on the local hard drive using the search function in the Start Menu.

[img]http://img239.imageshack.us/img239/9317/ssk25uu.jpg[/img]

NOTE: Windows98/ME Systems Unlocker won't be needed at all.

Immediately afterwards delete all instances of:

repairs.dll
repairs302972940.dll
repairs302972943.dll
repairs302972958.dll
repairs302972970.dll
repairs302972979.dll
repairs302972982.dll
repairs302972985.dll
repairs302972988.dll

Now follow the patch instructions for your system.

Patch Instructions:

~ Windows 98/ME ~

Run SSKfix98.exe

Run CCLeaner

Reboot in Normal Mode; run HijackThis and fix the following lines if they exist:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe (file missing)
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe (file missing)
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe (file missing)
O20 - AppInit_DLLs: repairs.dll (file missing)
O20 - AppInit_DLLs: repairs302972943.dll (file missing) (NOTE: This may have a different number)

Using Windows Explorer navigate to the following directories and delete them if they still exist:

C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\VCClient

~ Windows 2000/XP ~

Now run SSKfixXP.exe (towards the end of the process it might boot your PC if that occurs, make sure you keep tapping on the F8 key to boot back in Safe Mode). Run the fix again to complete the process.

Boot back into Safe Mode.

Run CCLeaner

Reboot in Normal Mode; run HijackThis and fix the following lines if they exist:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe (file missing)
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe (file missing)
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe (file missing)
O20 - AppInit_DLLs: repairs.dll (file missing)
O20 - AppInit_DLLs: repairs302972943.dll (file missing) (NOTE: This may have a different number)

Using Windows Explorer navigate to the following directories and delete them if they still exist:

C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\VCClient

Reboot once more into Normal Mode and run HijackThis and post the log as an attachment.

D3m3nt3d 1 Posting Whiz in Training

18 Years Ago

Alright great!

One more scan that should also eliminate the Look2Me infection you have, along with others.

Spysweeper
http://www.ianag.com/files/14/SpySweeperTrialSetup_EN-MajorGeeks.exe
-Update it to the latest definitions and run it
-Remove everything it finds
-Save the log and attach it for me

Also attach one more HijackThis log for cleanup.

D3m3nt3d 1 Posting Whiz in Training

18 Years Ago

After running the above steps, let's do this for the P2P Networking problem..

Download and unzip BFUzip
http://computercops.biz/zx/Merijn/bfu.zip

-Run the program and click the Web button

-Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

-Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

shazp4 0 Newbie Poster · Answer 1 · 2006-03-08T15:56:58+00:00

Thanks heaps - that worked great!!
I didnt have to remove any 'repairs.dll' as there were none, and a search, including hidden files, failed to find any, and none of the programs used found any either.
Below is the HijackThis log as requested.

Shaz :-)

Logfile of HijackThis v1.99.1
Scan saved at 8:48:35 PM, on 8/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Frag Five Camp Each] C:\Documents and Settings\All Users\Application Data\AcidPhoneFragFive\Real That.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i4060edseh060.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

shazp4 0 Newbie Poster · Answer 2 · 2006-03-09T15:22:41+00:00

Hey,

Okay, next 2 parts done.
Logs from spysweeper and hijack this after first stage are:

********
7:19 PM: |       Start of Session, Thursday, 9 March 2006       |
7:19 PM: Spy Sweeper started
7:19 PM: Sweep initiated using definitions version 629
7:19 PM: Starting Memory Sweep
7:19 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:19 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:19 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:19 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:20 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:20 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:20 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:20 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:21 PM:   Found Adware: icannnews
7:21 PM:   Detected running threat: C:\WINDOWS\system32\n0r2la9o1d.dll (ID = 83)
7:22 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:22 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:22 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:22 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:22 PM:   Found Adware: lopdotcom
7:22 PM:   Detected running threat: C:\Program Files\Internet Explorer\iexplore.exe (ID = 299)
7:22 PM:   Detected running threat: C:\WINDOWS\system32\qdgrprxy.dll (ID = 83)
7:23 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:23 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:23 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:23 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:24 PM: Memory Sweep Complete, Elapsed Time: 00:04:17
7:24 PM: Starting Registry Sweep
7:24 PM:   Found Adware: whenu save
7:24 PM:   HKCR\acm.acmfactory\  (5 subtraces) (ID = 773927)
7:24 PM:   HKCR\acm.acmfactory.1\  (3 subtraces) (ID = 773933)
7:24 PM:   HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\  (12 subtraces) (ID = 773937)
7:24 PM:   HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\  (9 subtraces) (ID = 773950)
7:24 PM:   HKCR\appid\acm.dll\  (1 subtraces) (ID = 773960)
7:24 PM:   HKCR\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\  (1 subtraces) (ID = 773962)
7:24 PM:   HKLM\software\classes\acm.acmfactory\  (5 subtraces) (ID = 773964)
7:24 PM:   HKLM\software\classes\acm.acmfactory.1\  (3 subtraces) (ID = 773970)
7:24 PM:   HKLM\software\classes\appid\acm.dll\  (1 subtraces) (ID = 773974)
7:24 PM:   HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\  (1 subtraces) (ID = 773976)
7:24 PM:   HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\  (12 subtraces) (ID = 773979)
7:24 PM:   HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\  (9 subtraces) (ID = 773992)
7:24 PM:   Found Adware: accoona toolbar
7:24 PM:   HKCR\clsid\{f80c1d93-0d22-436e-963e-9d3156997a4e}\  (4 subtraces) (ID = 954998)
7:24 PM:   HKLM\software\classes\clsid\{f80c1d93-0d22-436e-963e-9d3156997a4e}\  (4 subtraces) (ID = 955055)
7:24 PM:   Found Adware: command
7:24 PM:   HKLM\system\currentcontrolset\services\cmdservice\  (5 subtraces) (ID = 958670)
7:24 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\  (6 subtraces) (ID = 1016064)
7:24 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\  (8 subtraces) (ID = 1016072)
7:24 PM:   Found Adware: dollarrevenue
7:24 PM:   HKLM\software\microsoft\drsmartload2\  (1 subtraces) (ID = 1134137)
7:24 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:24 PM:   The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:24 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:24 PM:   The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:24 PM:   Found Adware: webrebates
7:24 PM:   HKU\S-1-5-21-343818398-1202660629-839522115-1003\software\microsoft\internet explorer\menuext\web rebates.\  (2 subtraces) (ID = 866137)
7:24 PM:   HKU\S-1-5-21-343818398-1202660629-839522115-1003\software\microsoft\internet explorer\urlsearchhooks\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (ID = 955003)
7:24 PM: Registry Sweep Complete, Elapsed Time:00:00:35
7:24 PM: Starting Cookie Sweep
7:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:24 PM: Starting File Sweep
7:25 PM:   c:\program files\webrebates4 (53 subtraces) (ID = -2147470148)
7:25 PM:   c:\program files\network monitor (ID = -2147459771)
7:25 PM:   readme.txt (ID = 119871)
7:38 PM:   uninstall_nmon.vbs (ID = 231442)
7:38 PM:   Found Adware: look2me
7:38 PM:   n0r2la9o1d.dll (ID = 159)
7:46 PM:   jiiuckxz.exe (ID = 308)
7:47 PM:   en08l1du1.dll (ID = 159)
7:47 PM:   opjsel.dll (ID = 159)
7:47 PM:   qdgrprxy.dll (ID = 159)
7:47 PM:   Found Adware: targetsaver
7:47 PM:   class-barrel (ID = 78229)
7:47 PM:   lvlq0935e.dll (ID = 159)
7:48 PM:   vocabulary (ID = 78283)
7:49 PM:   real that.exe (ID = 308)
7:49 PM:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Frag Five Camp Each (ID = 0)
7:50 PM:   enp8l17u1.dll (ID = 159)
7:50 PM:   webrebates.dll (ID = 207054)
7:50 PM:   atomdefydeaf.exe (ID = 90)
7:50 PM:   enc bend.exe (ID = 91)
7:50 PM:   Found Adware: zquest
7:50 PM:   dr21206.exe (ID = 251354)
7:51 PM:   oye.vbs (ID = 185675)
7:51 PM:   Warning: Failed to access drive D:
7:51 PM: File Sweep Complete, Elapsed Time: 00:26:40
7:51 PM: Full Sweep has completed.  Elapsed time 00:31:40
7:51 PM: Traces Found: 188
8:02 PM: Removal process initiated
8:02 PM:   Quarantining All Traces: icannnews
8:02 PM:   icannnews is in use.  It will be removed on reboot.
8:02 PM:     C:\WINDOWS\system32\n0r2la9o1d.dll is in use.  It will be removed on reboot.
8:02 PM:     C:\WINDOWS\system32\qdgrprxy.dll is in use.  It will be removed on reboot.
8:02 PM:   Quarantining All Traces: look2me
8:02 PM:   look2me is in use.  It will be removed on reboot.
8:02 PM:     n0r2la9o1d.dll is in use.  It will be removed on reboot.
8:02 PM:     qdgrprxy.dll is in use.  It will be removed on reboot.
8:02 PM:     lvlq0935e.dll is in use.  It will be removed on reboot.
8:02 PM:   Quarantining All Traces: lopdotcom
8:02 PM:   lopdotcom is in use.  It will be removed on reboot.
8:02 PM:     real that.exe is in use.  It will be removed on reboot.
8:02 PM:     C:\Program Files\Internet Explorer\iexplore.exe is in use.  It will be removed on reboot.
8:02 PM:   Quarantining All Traces: dollarrevenue
8:02 PM:   Quarantining All Traces: zquest
8:02 PM:   Quarantining All Traces: accoona toolbar
8:02 PM:   Quarantining All Traces: command
8:02 PM:   Quarantining All Traces: targetsaver
8:03 PM:   Quarantining All Traces: webrebates
8:03 PM:   Quarantining All Traces: whenu save
8:03 PM:   Preparing to restart your computer. Please wait...
8:03 PM: Removal process completed.  Elapsed time 00:01:25
********
7:18 PM: |       Start of Session, Thursday, 9 March 2006       |
7:18 PM: Spy Sweeper started
7:18 PM: The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:18 PM: The Spy Communication shield has blocked access to: [url]www.ad-w-a-r-e.com[/url]
7:18 PM: The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:18 PM: The Spy Communication shield has blocked access to: [url]www.a-d-w-a-r-e.com[/url]
7:19 PM: Your spyware definitions have been updated.
7:19 PM: |       End of Session, Thursday, 9 March 2006       |


Logfile of HijackThis v1.99.1
Scan saved at 8:10:00 PM, on 9/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://ninemsn.com.au/[/url]
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - [url]http://advnt01.com/dialer/int_ver34.CAB[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

after running BFU:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 8:15:05 PM, on 9/03/2006

Warning: unknown command '
<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>

<body>

<table border="0" width="100%" cellspacing="0" cellpadding="0" id="table1" background="http://www.geekstogo.com/images/blue/background.jpg">
    <tr>
        <td width="355"><map name="FPMap0">
        <area href="http://www.geekstogo.com" shape="rect" coords="1, 83, 48, 99">
        <area href="index.php" shape="rect" coords="47, 82, 99, 99">
        <area href="index.php?act=Search&f=" shape="rect" coords="99, 82, 148, 99">
        <area href="http://www.geekstogo.com/archive.php" shape="rect" coords="147, 82, 195, 99">
        <area href="http://www.geekstogo.com/aboutus.php" shape="rect" coords="196, 83, 241, 99">
        </map>
        <img border="0" src="http://www.geekstogo.com/images/blue/Left.jpg" usemap="#FPMap0"></td>
        <td>&nbsp;</td>
        <td align="right" width="470">
        <map name="FPMap1">
        <area href="index.php?act=UserCP&CODE=00" shape="rect" coords="269, 81, 325, 99">
        <area href="index.php?act=Msg&CODE=01" shape="rect" coords="324, 81, 412, 99">
        <area href="index.php?act=Members" shape="rect" coords="414, 82, 469, 99">
        </map>
        <img border="0" src="http://www.geekstogo.com/images/blue/Right.jpg" width="470" height="100" usemap="#FPMap1"></td>
    </tr>
</table>

<p><font face="arial" size="+1"><b>Sorry, the requested page is not available.</b></font></p>
<p><font face="arial" size="-1">Please check the URL for proper spelling and 
capitalization. If you're having trouble locating a destination on our site, try 
our <b><a href="http://www.geekstogo.com/forum/index.php?act=Search&f=">site 
search</a></b> or <b>
<a href="http://www.geekstogo.com/forum/index.php">click here</a></b> 
to browse our <b><a href="http://www.geekstogo.com/forum/index.php">free 
computer help forum</a></b>. Also, you may find what you're looking for on our 
site if you try searching below.</font></p>

</center>
<!--IBF.NEWPMBOX-->
<script type="text/javascript">
<!--
    function go_gadget_simple(){
        window.location = "http://www.geekstogo.com/forum/index.php?s=&act=Search&mode=simple&f=";
    }

    function win_pop(){
        window.open("http://www.geekstogo.com/forum/index.php?s=&act=Search&CODE=explain","WIN","width=400,height=300,resizable=yes,scrollbars=yes"); 
    }
-->
</script>

<form action="http://www.geekstogo.com/forum/index.php?act=Search&amp;CODE=simpleresults&amp;mode=simple" method="post" name="sForm">

    <div class="borderwrap">
        <div class="formsubtitle" align="center"><hr>
            <p style="margin-top: 0; margin-bottom: 0"><b>Search by Keywords</b></div>
        <div class="tablepad" align="center">
            <input type="text" maxlength="100" size="40" id="keywords" name="keywords" /><br />

            <label for="keywords">Enter a keyword or phrase to search by.</label> &#091; <a href="#" title="Find out how to improve your search with boolean operators" onclick="win_pop()">Advanced Usage Help</a> &#093;
        </div>
        <div class="formsubtitle" align="center">
            <p style="margin-top: 0; margin-bottom: 0">&nbsp;</p>
            <p style="margin-top: 0; margin-bottom: 0"><b>Search Where</b></div>
        <div class="tablepad" align="center">
            <select name='forums[]' class='forminput' size='10' multiple='multiple'>
<option value='all' selected="selected">&raquo; All Forums</option><option value="41">Operating Systems</option>

<option value="5">&nbsp;&nbsp;&#0124;-- Windows NT/2000/2003/XP</option>
<option value="3">&nbsp;&nbsp;&#0124;-- Windows 95/98/ME</option>
<option value="7">&nbsp;&nbsp;&#0124;-- All Other Operating Systems</option>
<option value="40">Hardware</option>
<option value="9">&nbsp;&nbsp;&#0124;-- Hardware/Components/Peripherals</option>
<option value="27">&nbsp;&nbsp;&#0124;-- System Building/Overclocking</option>
<option value="11">&nbsp;&nbsp;&#0124;-- Networking</option>
<option value="44">Internet</option>
<option value="28">&nbsp;&nbsp;&#0124;-- Web Design &amp; Web Hosting</option>

<option value="13">&nbsp;&nbsp;&#0124;-- Spyware/Adware/Viruses</option>
<option value="37">&nbsp;&nbsp;&#0124;---- HiJackThis Logs</option>
<option value="26">&nbsp;&nbsp;&#0124;-- Internet/Browsers</option>
<option value="42">Software</option>
<option value="12">&nbsp;&nbsp;&#0124;-- Applications</option>
<option value="19">&nbsp;&nbsp;&#0124;-- Games</option>
<option value="25">&nbsp;&nbsp;&#0124;-- Microsoft Office</option>
<option value="43">Community</option>
<option value="29">&nbsp;&nbsp;&#0124;-- Live Chat</option>

<option value="45">&nbsp;&nbsp;&#0124;-- Arcade</option>
<option value="16">&nbsp;&nbsp;&#0124;-- Off-Topic</option>
<option value="15">&nbsp;&nbsp;&#0124;-- Comments/Suggestions</option>
<option value="23">&nbsp;&nbsp;&#0124;-- News and Updates</option>
<option value="30">&nbsp;&nbsp;&#0124;-- GeekU</option>
<option value="34">&nbsp;&nbsp;&#0124;---- Tutorials</option>
<option value="36">&nbsp;&nbsp;&#0124;---- Tools and Resources</option>
<option value="33">&nbsp;&nbsp;&#0124;---- Spyware Fixes (Special Cases)</option>
<option value="31">&nbsp;&nbsp;&#0124;---- Canned Speeches</option>

<option value="35">&nbsp;&nbsp;&#0124;---- Practice Hijack This logs</option>
<option value="32">&nbsp;&nbsp;&#0124;---- &quot;Check this proposed fix before I reply&quot;</option>
<option value="38">&nbsp;&nbsp;&#0124;---- Tips and Tricks</option>
<option value="39">&nbsp;&nbsp;&#0124;---- Links to Live Logs</option>
<option value="24">&nbsp;&nbsp;&#0124;---- Mods Only</option>
</select><br /><br />
            <b>Show me</b>
            <input type="radio" name="sortby" value="relevant" id="sortby_one" class="radiobutton" />

            <label for="sortby_one">most relevant</label>&nbsp;
            <input type="radio" name="sortby" value="date" id="sortby_two" checked="checked" class="radiobutton" />
            <label for="sortby_two">most recent <strong>first</strong></label>
        </div>
        <div class="formsubtitle" align="center">
            <p style="margin-top: 0; margin-bottom: 0">
            <input type="submit" value="Perform the search" />&nbsp;
            <input type="button" value="More Options" onclick="go_gadget_advanced()" />

            </p>
            <hr>

        </div>
    </div>
</form>
<p style="margin-top: 0; margin-bottom: 0"><font size="1" face="Arial">(c)2004 
Geeks to Go</font></p>

</body>

</html>' on line #1
Script completed.

and completed Hijack This again (in case you wanted it)

Logfile of HijackThis v1.99.1
Scan saved at 8:19:57 PM, on 9/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\Program Files\PC Probs\bfu\BFU.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://ninemsn.com.au/[/url]
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - [url]http://advnt01.com/dialer/int_ver34.CAB[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Wow, not sure how you know all this - but greatly appreciate your time.

Shaz :-)

D3m3nt3d 1 Posting Whiz in Training · Answer 3 · 2006-03-09T19:22:19+00:00

Alright - doesn't look like BFU worked correctly.

Let's do this

Run thru the BFU procedure once again

When it completes, scan with HijackThis and check the following

R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Now with ALL Browsers closed, click FIX CHECKED

Now download PocketKillbox
http://files3.majorgeeks.com/files/878afc3a94e8d373d2d8b7d3fcaba9b9/admin/killbox.exe

Open Killbox
-Copy and Paste C:\WINDOWS\System32\p2pnetworking.exe into the box
-It will appear in blue if it exists
-Choose the Delete on Reboot option
-Click the red X to confirm and allow it to reboot
-If you get a Pending error, or if it doesnt reboot on its own - reboot manually

Now attach one more HijackThis log - also when we are done with this we will need to update your Java

shazp4 0 Newbie Poster · Answer 4 · 2006-03-10T16:27:33+00:00

Hi,

Did the above - killbox didnt find the file.

New log:

Logfile of HijackThis v1.99.1
Scan saved at 9:26:50 PM, on 10/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Shaz :-)

D3m3nt3d 1 Posting Whiz in Training · Answer 5 · 2006-03-10T18:39:37+00:00

That log looks fine - just to make sure, please use Killbox and try the following two paths:

C:\WINDOWS\p2pnetworking.exe
C:\p2pnetworking.exe

The BFU script was supposed to eliminate it, and perhaps it did, but it was still in the log so I want to verify.
After that download the newest Java here
http://www.java.com/en/download/manual.jsp

Afterwords uninstall the older version thru Add/Remove Programs and you should be fine if you are not having anymore problems. :)

shazp4 0 Newbie Poster · Answer 6 · 2006-03-11T10:56:15+00:00

Thanks heaps - have really appreciated your time.

All seems to be fine - except my add/remove programs opens but wont show any files, it just sits and says "please wait while the list is being populated..." - I think this is a separate issue????
I can repost this for someone else to help me with if its another time consuming issue.

Shaz :-)

D3m3nt3d 1 Posting Whiz in Training · Answer 7 · 2006-03-12T02:25:08+00:00

Yeah - that is probably a different issue - couple of things to try

Does it do the same thing in Safe Mode?

Also-if you choose Switch to Classic View then choose Add/Remove Programs does it hang?

Help - surf sidekick 3 is attacking!

Recommended Answers Collapse Answers

All 10 Replies

Recommended Answers