Popups in IE and have tried everything :(

gmer2

SSDT 84548DC8 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[284]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[285]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[286]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[287]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[288]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[289]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[290]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[291]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[292]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[293]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[294]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[295]
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS SSDT[296]

INT 0x20 srescan.sys F72EC9B0

Code \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP B4C57760 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE738 5 Bytes JMP B4C57C50 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ F0, A1, 5C, B5, 80, 04, 5D, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 252C 805013FC 2 Bytes [ 60, FD ]
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540CDA 7 Bytes JMP B4C5ACD0 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
? srescan.sys The system cannot find the file specified.
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP B4C57760 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE738 5 Bytes JMP B4C57C50 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805012B4 12 Bytes [ F0, A1, 5C, B5, 80, 04, 5D, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 2A04 805013FC 2 Bytes [ 60, FD ]
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540CDA 7 Bytes JMP B4C5ACD0 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1176] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1228] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0002FEDC C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 0002FE60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 0002FEA0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3344] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 03, FF, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL
 
gmer3

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 837D6938
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 839311F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 83931178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 83931100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 83921020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 839211F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 83921178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 83921100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 83934020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 839341F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 83934178
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 83934100
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 83926B20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 83926AA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 8391D1F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 8391D180
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8391D108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8385C020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 8385C1F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 8385C180
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8385C108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 837D69B0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 837D6938

---- EOF - GMER 1.0.12 ----
 
otmoveit

File/Folder :\WINDOWS\system32\fgjlm.bak2 not found.
C:\WINDOWS\system32\fgjlm.ini2 moved successfully.
C:\WINDOWS\system32\fgjlm.bak1 moved successfully.
C:\WINDOWS\system32\mljgf.dll.vir moved successfully.
C:\WINDOWS\system32\geede.exe moved successfully.
C:\WINDOWS\system32\nsdsrego.exe moved successfully.
C:\WINDOWS\system32\sstqo.exe moved successfully.
C:\WINDOWS\system32\gebcd.exe moved successfully.
C:\WINDOWS\system32\winpfz32.sys moved successfully.
C:\WINDOWS\VTTC.exe moved successfully.
C:\WINDOWS\sys012172355371.exe moved successfully.
C:\WINDOWS\ase.exe moved successfully.
C:\WINDOWS\uni_eh10.exe moved successfully.
C:\WINDOWS\111uninst.exe moved successfully.
C:\Program Files\Common Files\quca moved successfully.
C:\Program Files\Common Files\rtele.html moved successfully.
File/Folder C:\WINDOWS\system32\ddcddaw.dll not found.

Created on 04/12/2007 17:34:51
 
hijack this

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:55:12 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9204 bytes
 
spysweeper

Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
6:33 PM: IE Hijack Shield: Resetting IE advanced data value.
IE Tracking Cookies Shield: Off
6:33 PM: Shield States
6:33 PM: Spyware Definitions: 845
6:33 PM: Spy Sweeper 5.3.1.2344 started
6:33 PM: Spy Sweeper 5.3.1.2344 started
6:33 PM: | Start of Session, Thursday, April 12, 2007 |
***************
6:27 PM: ApplicationMinimized - EXIT
6:27 PM: ApplicationMinimized - EXIT
6:27 PM: ApplicationMinimized - ENTER
6:27 PM: ApplicationMinimized - ENTER
6:26 PM: Removal process completed. Elapsed time 00:00:10
6:26 PM: Quarantining All Traces: adecn cookie
6:26 PM: Quarantining All Traces: 2o7.net cookie
6:26 PM: Quarantining All Traces: deluxecommunications
6:26 PM: Quarantining All Traces: maxifiles
6:26 PM: Quarantining All Traces: zenosearchassistant
6:26 PM: Quarantining All Traces: enbrowser
6:26 PM: Removal process initiated
6:26 PM: Traces Found: 10
6:26 PM: Full Sweep has completed. Elapsed time 00:28:43
6:26 PM: File Sweep Complete, Elapsed Time: 00:17:12
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DCA000C
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DEB000C
6:24 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E20000C
6:23 PM: Warning: Unable to sweep compressed file: "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc26.zip": File not found
6:23 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E60000C
6:23 PM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
6:23 PM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
6:23 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
6:22 PM: C:\WINDOWS\system32\zxdnt3d.cfg (ID = 91140)
6:22 PM: C:\WINDOWS\system32\msnav32.ax (ID = 220229)
6:21 PM: Warning: Failed to read file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc13\dvdfabplatinum3020.exe". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc13\dvdfabplatinum3020.exe": File not found
6:21 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc14\zlib.dll". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc14\zlib.dll": File not found
6:21 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc15\zlib.dll". "c:\recycler\s-1-5-21-606747145-1500820517-725345543-1006\dc15\zlib.dll": File not found
6:15 PM: C:\_OTMoveIt\MovedFiles\WINDOWS\system32\bkd.exe (ID = 361293)
6:15 PM: Found Adware: deluxecommunications
6:11 PM: C:\_OTMoveIt\MovedFiles\WINDOWS\system32\nsdsrego.exe (ID = 294)
6:09 PM: C:\QooBox\Quarantine\WINDOWS\system32\dwdsregt.exe.vir (ID = 294)
6:09 PM: Found Adware: zenosearchassistant
6:09 PM: Starting File Sweep
6:09 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
6:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:09 PM: c:\documents and settings\gaynette.user-52fba29a54\cookies\gaynette@adecn[1].txt (ID = 2063)
6:09 PM: c:\documents and settings\gaynette.user-52fba29a54\cookies\gaynette@ad2.adecn[1].txt (ID = 2064)
6:09 PM: Found Spy Cookie: adecn cookie
6:09 PM: c:\documents and settings\alex\cookies\alex@msnportal.112.2o7[1].txt (ID = 1958)
6:09 PM: Found Spy Cookie: 2o7.net cookie
6:09 PM: Starting Cookie Sweep
6:09 PM: Registry Sweep Complete, Elapsed Time:00:00:21
6:08 PM: HKLM\software\microsoft\juan\ (ID = 1781228)
6:08 PM: Found Adware: maxifiles
6:08 PM: HKLM\software\system\sysold\ (ID = 926808)
6:08 PM: Found Adware: enbrowser
6:08 PM: Starting Registry Sweep
6:08 PM: Memory Sweep Complete, Elapsed Time: 00:11:07
6:02 PM: Access to Hosts file allowed for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
6:01 PM: Access to Hosts file allowed for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
5:57 PM: Starting Memory Sweep
5:57 PM: Start Full Sweep
5:57 PM: Sweep initiated using definitions version 845
5:57 PM: Spy Sweeper 5.3.1.2344 started
5:57 PM: | Start of Session, Thursday, April 12, 2007 |
***************
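As an added example (not part of the original thread, and not a GMER or forum tool), here is a small Python triage script for the GMER 1.0.12 log format pasted above. It groups every reported hook by the module GMER attributes it to, so the reviewer can check that list against the software known to be on the machine (here the ZoneAlarm components KLIF.SYS, vsdatant.sys and srescan.sys, AVG's avgtdi.sys and Spy Sweeper's SSU.EXE), and sets aside the entries GMER could only express as a raw address, which are the ones that still have to be resolved by hand. An unattributed entry is a place to look, not a verdict. The sample input is an excerpt of the log above, including its truncated last Device line; the record shapes parsed are only those that appear in this log, so anything else lands in the unparsed list rather than being silently dropped. Function and variable names are the example's own.

```python
"""Triage a GMER 1.0.12 text log of the shape pasted above (added example).

Every hook GMER reports is either attributed to a module (a driver path such as
\\??\\C:\\...\\KLIF.SYS or an image name such as vsdatant.sys) or shown only as a
raw address.  Attributed hooks are grouped per module; the rest need a human.
"""
import re
from collections import defaultdict

HEX8 = r"[0-9A-Fa-f]{8}"
# ".text <where> <addr> <n> Bytes <what>"; <what> is "JMP/CALL <target> <module>" or a byte list
TEXT_RE = re.compile(r"^\.text\s+(?P<where>.+?)\s+(?P<addr>" + HEX8 +
                     r")\s+(?P<n>\d+)\s+Bytes\s+(?P<what>.*)$")
JMP_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>" + HEX8 + r")\s*(?P<module>.*)$")
# "Device <driver> <device> IRP_MJ_X [<addr>] <module>"  or  "... IRP_MJ_X <addr>"
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
                       r"(?:\[(?P<addr1>" + HEX8 + r")\]\s+(?P<module>.+?)|(?P<addr2>" + HEX8 + r"))$")
# "Code <module> <function>": GMER's summary of patched kernel routines
CODE_RE = re.compile(r"^Code\s+(?P<module>.+?\.(?:sys|exe|dll))\s+(?P<func>\S+)$", re.I)


def module_name(path):
    """Reduce '\\??\\C:\\WINDOWS\\...\\KLIF.SYS' or 'vsdatant.sys' to a lowercase image name."""
    return path.strip().split("\\")[-1].lower()


def parse_gmer(text):
    """Return {'by_module': {image: [hooks]}, 'unattributed': [hooks],
               'notes': [GMER '?' remarks], 'unparsed': [lines of unknown shape]}."""
    report = {"by_module": defaultdict(list), "unattributed": [], "notes": [], "unparsed": []}

    def attribute(module, desc):
        if module:
            report["by_module"][module_name(module)].append(desc)
        else:
            report["unattributed"].append(desc)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):      # blank line or section banner
            continue
        if line.startswith("? "):                    # e.g. a driver file GMER could not open
            report["notes"].append(line[2:])
            continue
        parts = line.split()
        kind = parts[0]
        if kind == "SSDT" and len(parts) >= 3:
            # "SSDT <module|addr> <service>": a bare address means no loaded module owns the target
            target, service = parts[1], parts[2]
            attribute(None if re.fullmatch(HEX8, target) else target, "SSDT " + service)
        elif kind == "INT" and len(parts) >= 3:
            # "INT 0x20 srescan.sys F72EC9B0": vector, optional module, handler address
            vector, last = parts[1], parts[-1]
            module = " ".join(parts[2:-1] if re.fullmatch(HEX8, last) else parts[2:])
            attribute(module or None, "INT " + vector)
        elif kind == "Code" and CODE_RE.match(line):
            m = CODE_RE.match(line)
            attribute(m["module"], "Code " + m["func"])
        elif kind == ".text" and TEXT_RE.match(line):
            m = TEXT_RE.match(line)
            j = JMP_RE.match(m["what"])              # a JMP names its landing module; raw bytes do not
            attribute(j["module"] if j and j["module"] else None,
                      ".text %s (%s bytes)" % (m["where"], m["n"]))
        elif kind == "Device" and DEVICE_RE.match(line):
            m = DEVICE_RE.match(line)
            attribute(m["module"], m["device"] + " " + m["irp"])
        else:
            report["unparsed"].append(line)          # truncated paste or a record shape not handled
    report["by_module"] = dict(report["by_module"])
    return report


def summarize(report):
    """Render the report: attributed modules first, then whatever still needs a human."""
    out = ["%-13s %2d hook(s), e.g. %s" % (mod, len(h), h[0])
           for mod, h in sorted(report["by_module"].items())]
    out += ["UNATTRIBUTED: " + h for h in report["unattributed"]]
    out += ["GMER note: " + n for n in report["notes"]]
    out += ["UNPARSED (truncated?): " + u for u in report["unparsed"]]
    return out


# Excerpt of the GMER log pasted above, including its truncated last Device line.
SAMPLE_LOG = r"""
SSDT 84548DC8 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwWriteVirtualMemory
INT 0x20 srescan.sys F72EC9B0
Code \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS FsRtlCheckLockForReadAccess
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP B4C57760 \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ F0, A1, 5C, B5, 80, 04, 5D, ... ]
? srescan.sys The system cannot find the file specified.
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1176] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B55DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 83930100
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer(SAMPLE_LOG))))
```

Run it on a saved GMER log by replacing SAMPLE_LOG with the file's contents. The attributed section should contain only image names you can tie to an installed product; every unattributed line and every unparsed line is something to resolve before calling the log clean.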
 
Hi,

We got it! :yahoo: :2thumb:

I see that you have chosen a ZoneAlarm version that has an antivirus component. It is recommended that you use only one antivirus with real-time monitoring switched on. Two antivirus programs running at the same time will conflict with each other and, furthermore, will reduce your machine's overall security. So please turn off either ZoneAlarm's or AVG Free's real-time monitoring to prevent such conflicts.

Please empty the contents of these folders:

C:\_OTMoveIt\MovedFiles
C:\QooBox\Quarantine

Empty your recycle bin.
_________

Other than that,

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your PC's security.

Install SpywareGuard
~You can download it from here
~You can read the tutorial on how to use SpywareGuard here

Install SpywareBlaster
~You can download it from here
~You can read the tutorial on how to use SpywareBlaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

IESpyAds
~You can download it from here
~If you want to know how IESpyAds works, you can take a look here
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!
 
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
 