Member Avatar for flyfc

when i surf on the internet, there are always pop-up ad windows which seemed auto-pop-up by some viruses. Actually I have turned on pop-up
blocker.
I have scaned my computer by symantec and found some viruses, (such as AP5.htm, AP4.htm, AP3.htm, AP3.enc, .etc). And i have removed these items but the issuse still occurs.

this is hjt log as follow. would you please check it?
Thank you so much.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:43, on 2006-8-6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\LSASS.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\05 Temp\hijackthis\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\services.exe
O1 - Hosts: 61.129.75.124 mir.100888290cs.com
O1 - Hosts: 61.129.75.124 woool.100888290cs.com
O1 - Hosts: 61.129.75.124 www.mir5173.com
O1 - Hosts: 61.129.75.124 ert0003.e76.163ns.com
O1 - Hosts: 222.73.4.246 www.chenshijituan.com
O1 - Hosts: 59.36.96.132 qq.etsoft.com.cn
O1 - Hosts: 61.129.75.124 www.wg581.com
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINDOWS\system32\smflash.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [TkBellExe] ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [SOUNDM] winsmd.exe
O4 - HKLM\..\Run: [NTdhcp] C:\WINDOWS\system32\NTdhcp.exe
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [Rundll32] C:\WINDOWS\Rundll32.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [svchost] C:\Program Files\Common Files\System\svchost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] C:\WINDOWS\system32\intenat.exe
O4 - HKLM\..\RunServices: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\RunServices: [services] C:\WINDOWS\services.exe
O4 - Startup: nvojziniang242.exe
O4 - Global Startup: efncwzhici679.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?ProgramFiles%\Network ICE\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\04 Other\qqlite_06rc\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\04 Other\qqlite_06rc\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\04 Other\qqlite_06rc\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\04 Other\qqlite_06rc\SendMMS.htm
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra 'Tools' menuitem: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra 'Tools' menuitem: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra 'Tools' menuitem: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: 精彩游戏 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.duole8.com/ (file missing)
O9 - Extra 'Tools' menuitem: 精彩游戏 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.duole8.com/ (file missing)
O9 - Extra button: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {081459AA-9F75-4405-9FED-94D00AFC4B6A} (TcastPlayer Control) - http://61.135.158.241/tcasttest/mmtv0427.cab
O16 - DPF: {0CF3B659-FA43-436F-92FE-09DAFDF681FF} (Siebel High Interactivity Framework) - http://bpo-4brsr1x-mob.accenture.com/18368/applets/SiebelAx_HI_Client.cab
O16 - DPF: {1416D7C8-8A28-11CF-9236-444553540000} (Infragistics Data Explorer Control) - https://mylearning-lms6.accenture.com/docent/lms/pvxplore8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18F57D30-EF36-4C0E-9343-7BFA6DF79B4A} - http://my.ncard.cn/cert/ncard.cab
O16 - DPF: {252D8B73-FEEF-454D-97EB-F6BCF54DE48C} (Siebel High Interactivity Framework) - http://134.96.33.102/ecommunications_chs/18368/applets/SiebelAx_HI_Client.cab
O16 - DPF: {39044F32-421E-4CE0-A595-EF66D42C363C} (PptvPlayer Class) - http://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/21cnPptv.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://corp.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {42442236-3673-4054-89C0-A7408BC51EFC} (SDLNSrvr.clsNotes) - https://methodology.accenture.com/codebase/SDLnSrvr_ChainMaster.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {87CCFDB0-C4BE-4BC2-A78C-9EAA7CF96667} - http://ps.itv.mop.com/dn/files/vodupdate_1.0.0.8_20051009.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B4FE8160-76DB-48C4-9803-68ED6278CA2C} (File Uploader ) - http://211.90.241.111/main/uploaderx.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {E07E152B-A291-4701-9C4D-AFD62B2ED430} (ClipboardAccess Class) - https://mylearning-lms6.accenture.com/docent/lms/LMSClipboard.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://cache10.itv.mop.com/pCastCtl-1.0.0.88_signed.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - C:\WINDOWS\Downloaded Program Files\AfxEdit.dll (file missing)
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINDOWS\f8dde700.dll
O23 - Service: asdfasdf - Unknown owner - C:\WINDOWS\asdf.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: systme - Unknown owner - C:\WINDOWS\cnc.exe

  • 2 Contributors
  • 4 Replies
  • 338 Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by DMR

Recommended Answers

All 4 Replies

Member Avatar for DMR

That's a pretty infested system; let's have a few virus/spyware removal programs do some general clean-up before we dig in to the manual fixes:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.


* Visit at least two of the following sites for an online virus scan (if the scanners find any malicious items, note their names and include that information in your next post):

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan
* Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan


* Your version of ewido is out of date. Please upgrade to the new version: http://www.ewido.net/en/download/

* Use Norton's Live Update feature to download the most current Norton Antivirus updates.

* Download the most current updates for Spy Sweeper.

* Download ATF-Cleaner and save it to yor desktop or another convenient location. Don't run the program yet.

* Download Hoster.

  • Unzip Hoster to C:\Hoster .
  • Run Hoster.exe from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available) .
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

* Install and Configure ewido:

  • Close all other Applications and then run the ewido installer
  • Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait Ewido will open main screen automatically.
  • Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
  • It is very important to get the updates
  • When updating has finished, close Ewido.

* Reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Log in to the Administrator account.

* Run ATF-Cleaner
- Double-click ATF-Cleaner.exe to open the program.
- Under Main choose: Select All
- Click the Empty Selected button.

If you use Firefox browser : Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


* Run full system scans with Norton and Spy Sweeper; have them fix all malicious items they find.

* Open Ewido

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close Ewido.

* Reboot normally.

* Run HijackThis again and post the new log. Also post the logs that ewido and Spy Sweeper generated.


.

Member Avatar for flyfc

:D Thank you very much for you great help.
as followed what you said, i found some virsus in my computer.
this the hjt log after i finished the steps.

Logfile of HijackThis v1.99.1
Scan saved at 15:35:43, on 2006-8-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\05 Temp\hijackthis\HijackThis.exe
C:\Program Files\UltraEdit\uedit32.exe

O1 - Hosts: 134.96.33.102 crmud01 crmud01.ctzj.net
O1 - Hosts: 134.96.33.103 crmud02 crmud02.ctzj.net
O1 - Hosts: 134.96.33.105 crmud04 crmud04.ctzj.net
O1 - Hosts: 134.98.83.139 ZJ-CRM-TRL ZJ-CRM-TRL.TEST.CTZJ.NET
O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINDOWS\system32\smflash.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [SOUNDM] winsmd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?ProgramFiles%\Network ICE\BlackICE\blackice.exe
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
O15 - Trusted IP range: http://134.96.38.154
O16 - DPF: {0CF3B659-FA43-436F-92FE-09DAFDF681FF} (Siebel High Interactivity Framework) - http://bpo-4brsr1x-mob.accenture.com/18368/applets/SiebelAx_HI_Client.cab
O16 - DPF: {1416D7C8-8A28-11CF-9236-444553540000} (Infragistics Data Explorer Control) - https://mylearning-lms6.accenture.com/docent/lms/pvxplore8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {252D8B73-FEEF-454D-97EB-F6BCF54DE48C} (Siebel High Interactivity Framework) - http://134.96.33.102/ecommunications_chs/18368/applets/SiebelAx_HI_Client.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://corp.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {42442236-3673-4054-89C0-A7408BC51EFC} (SDLNSrvr.clsNotes) - https://methodology.accenture.com/codebase/SDLnSrvr_ChainMaster.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://www.trendmicro.com.cn/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E07E152B-A291-4701-9C4D-AFD62B2ED430} (ClipboardAccess Class) - https://mylearning-lms6.accenture.com/docent/lms/LMSClipboard.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

:lol:

Member Avatar for flyfc

and this is spy sweeper session log:

13:08: | Start of Session, 2006年8月18日 |
13:08: Spy Sweeper started
13:08: Sweep initiated using definitions version 743
13:08: Starting Memory Sweep
13:12: Memory Sweep Complete, Elapsed Time: 00:04:11
13:12: Starting Registry Sweep
13:12: Found Adware: deskadtop
13:12: HKCR\monitorie.monitorurl\ (5 subtraces) (ID = 1159528)
13:12: HKCR\monitorie.monitorurl.1\ (3 subtraces) (ID = 1159534)
13:12: HKCR\clsid\{08a312bb-5409-49fc-9347-54bb7d069ac6}\ (10 subtraces) (ID = 1159548)
13:12: HKCR\typelib\{647bb013-e900-473e-bc10-99cf3ac365ad}\ (8 subtraces) (ID = 1159572)
13:12: HKLM\software\classes\monitorie.monitorurl\ (5 subtraces) (ID = 1159615)
13:12: HKLM\software\classes\monitorie.monitorurl.1\ (3 subtraces) (ID = 1159625)
13:12: HKLM\software\classes\clsid\{08a312bb-5409-49fc-9347-54bb7d069ac6}\ (10 subtraces) (ID = 1159639)
13:12: HKLM\software\classes\typelib\{647bb013-e900-473e-bc10-99cf3ac365ad}\ (8 subtraces) (ID = 1159663)
13:12: Found Trojan Horse: trojan-downloader-searchnet
13:12: HKLM\software\microsoft\windows\currentversion\uninstall\zsxz\ (1 subtraces) (ID = 1159700)
13:12: Found Trojan Horse: trojan-phisher-wow
13:12: HKCR\windowfiles\shell\open\command\ (ID = 1360639)
13:12: HKLM\software\classes\windowfiles\shell\open\command\ (ID = 1360696)
13:12: Found Adware: desktop media
13:12: HKCR\dmbar.dmbar\ (5 subtraces) (ID = 1540166)
13:12: HKCR\dmbar.dmbar.1\ (3 subtraces) (ID = 1540172)
13:12: HKCR\clsid\{1fca37ba-7259-4bf1-878b-a39fa83bfbbb}\ (12 subtraces) (ID = 1540227)
13:12: HKCR\typelib\{25649a6a-637d-4416-9d03-98146330492a}\ (8 subtraces) (ID = 1540322)
13:12: Found Adware: biagoo
13:12: HKLM\software\microsoft\internet explorer\explorer bars\{1fca37ba-7259-4bf1-878b-a39fa83bfbbb}\ (1 subtraces) (ID = 1540417)
13:12: HKLM\software\classes\dmbar.dmbar\ (5 subtraces) (ID = 1540512)
13:12: HKLM\software\classes\dmbar.dmbar.1\ (3 subtraces) (ID = 1540518)
13:12: HKLM\software\classes\clsid\{1fca37ba-7259-4bf1-878b-a39fa83bfbbb}\ (12 subtraces) (ID = 1540576)
13:12: HKLM\software\classes\typelib\{25649a6a-637d-4416-9d03-98146330492a}\ (8 subtraces) (ID = 1540672)
13:12: Found Adware: roogoo
13:12: HKCR\adplus.xlink\ (5 subtraces) (ID = 1580328)
13:12: HKCR\adplus.xlink.1\ (3 subtraces) (ID = 1580334)
13:12: HKCR\clsid\{18f57d30-ef36-4c0e-9343-7bfa6df79b4a}\ (10 subtraces) (ID = 1580338)
13:12: HKLM\software\classes\adplus.xlink\ (5 subtraces) (ID = 1580375)
13:12: HKLM\software\classes\adplus.xlink.1\ (3 subtraces) (ID = 1580381)
13:12: HKLM\software\classes\clsid\{18f57d30-ef36-4c0e-9343-7bfa6df79b4a}\ (10 subtraces) (ID = 1580385)
13:12: HKU\S-1-5-21-1820523884-3612750246-872684453-1009\software\deskadtop\ (2 subtraces) (ID = 1159592)
13:12: HKU\S-1-5-21-1820523884-3612750246-872684453-1009\software\microsoft\internet explorer\explorer bars\{1fca37ba-7259-4bf1-878b-a39fa83bfbbb}\ (1 subtraces) (ID = 1540375)
13:12: HKU\S-1-5-18\software\microsoft\internet explorer\explorer bars\{1fca37ba-7259-4bf1-878b-a39fa83bfbbb}\ (1 subtraces) (ID = 1540375)
13:12: Registry Sweep Complete, Elapsed Time:00:00:15
13:12: Starting Cookie Sweep
13:12: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:12: Starting File Sweep
13:51: d:\documents and settings\all users\application data\share helper\cast (11 subtraces) (ID = -2147443089)
13:55: File Sweep Complete, Elapsed Time: 00:42:52
13:55: Full Sweep has completed. Elapsed time 00:47:22
13:55: Traces Found: 191
13:58: Removal process initiated
13:58: Quarantining All Traces: trojan-phisher-wow
13:58: Quarantining All Traces: deskadtop
13:58: Quarantining All Traces: trojan-downloader-searchnet
13:58: Quarantining All Traces: biagoo
13:58: Quarantining All Traces: desktop media
13:58: Quarantining All Traces: roogoo
13:58: Removal process completed. Elapsed time 00:00:08
14:00: Deletion from quarantine initiated
14:00: Processing: biagoo
14:00: Processing: deskadtop
14:00: Processing: desktop media
14:00: Processing: roogoo
14:00: Processing: trojan-downloader-searchnet
14:00: Processing: trojan-phisher-wow
14:00: Deletion from quarantine completed. Elapsed time 00:00:00
15:48: Program Version 4.5.9 (Build 709) Using Spyware Definitions 743

Member Avatar for DMR

And did you save the ewido log? If so, please post it.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.