Good afternoon,
I need some help to remove some spyware please. I have some spyware in my pc which I cannot get rid of. Apparently, this is eAccelerator. I did remove a lot of spyware, using Spybot S&D and Ad-Aware, however Spybot is not removing two particular spyware entries (access denied). The problem is that my on-access antivirus has been disabled and I am getting the Windows Security Alert all the time.
Below please find the HJT log. Can you please help?
Thanks
tg
Logfile of HijackThis v1.99.1
Scan saved at 5:51:15 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ares\Ares.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inter.it/aas/hp?L=it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-tanyagravina.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...s&ppd=5&tag=15
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: pushow6.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
Welcome to DAL,
Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).
- Click the Download BUTTON. On the next page click the Download now BUTTON.
- Save and then install (Run) from the save location.
- Open/Run ewido anti-spyware
- Wait a few moments and Ewido should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
- Click on the Update now LINK at the top of the window
- Click on the Start update button
- Wait for the update to download and install
- This is very important to get the LATEST updates
- Click on the Status ICON
- Under "Your computers Security" Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
- Click on the Scanner ICON at the top of the window
- Click on the Settings tab then select Recommended Actions and choose Quarantine
Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan:
- Click on the default Status ICON and select the Scan now LINK.
OR
- Click on the Scanner ICON. Select the Scan TAB.
- Select Complete System Scan. Ewido will now begin to scan your system.
- If Ewido finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
- Select Apply all actions at the bottom of the window (and the items found will be quarantined - and recoverable, if any items are needed back).
- When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
- Copy and paste the EWIDO scan results into your next post.
- Close Ewido.
Also...
Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).
And post a new HJT log also..
And...
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Hello,
Thanks for your reply. I have run Ewido Anti Spyware and it has detected and removed some spyware from my pc. Here is the report: -
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:26:11 PM 7/10/2006
+ Scan result:
C:\WINDOWS\system32\rlls.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlvknlg.exe -> Adware.RK : Cleaned with backup (quarantined).
::Report end
I also ran the BitDefender Scan, but the problem is that it took over 7 hrs, and time remaining is showing over 12 hrs! I had to stop it. However, it did find some viruses which apparently it did not remove.
I ran a fresh HJT and this is the log:
Logfile of HijackThis v1.99.1
Scan saved at 12:44:21 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inter.it/aas/hp?L=it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-tanyagravina.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-tanyagravina.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-tanyagravina.html (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...s&ppd=5&tag=15
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: pushow6.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
Thanks again
tg
Originally Posted by Neal
Well that is a long time for some reason, infected badly.
To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner
Don't install any Toolbars, or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.
Then Reboot (Exit)
Then...
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Thanks again for your prompt reply.
Actually I do have CCleaner. I ran it again.
This is the output of the HJT uninstall list
Ad-Aware SE Personal
Adobe Reader 7.0.8
Ahead Nero Burning ROM
AI - Series
Ares 1.8.1
ASUS Probe V2.21.03
ASUSDVD XP
AsusUpdate
AVG Free Edition
Basic Date Picker v1.2
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CCleaner (remove only)
CloneDVD 3.9.1
CloneDVD2
DivX
DivX Player
D-Link USB CCD Video Camera
DVD Decrypter (Remove Only)
eMule
ewido anti-spyware 4.0
Google Gmail Notifier
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
hp deskjet 5100
hp deskjet 5100 series
HP Memories Disc
HP Photo and Imaging 1.0 - Scanjet 3500c Series
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
inter.it0506
InterActual Player
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
L&H TTS3000 British English
Liquid Pics II
Macrogaming SweetIM 1.2a
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia Flash Player 8
MGI PhotoSuite SE (Remove Only)
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Academic 2003 - English
MixMeister
MP3 Player Utilities 3.06
MSDN Library for Visual Studio .NET 2003
MSN Messenger 7.5
Nokia Connectivity Cable Driver
Nokia PC Suite 6.2
NVIDIA Display Driver
Pivot Software
PrimoPDF
QuickTime
RealPlayer
RelevantKnowledge
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SiS 900 PCI Fast Ethernet Adapter Driver
Software Dynamics Video Suite
Software PCI modem card
Sound Blaster Live!
Spybot - Search & Destroy 1.4
SweetIM For Internet Explorer 1.0a
TOSHIBA Bluetooth Stack for Windows
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Thanks again
tg
Hi,
I suggest you go into add/remove program and remove/uninstall Ares; it contains spyware.
Reboot afterwards.
Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)
In the dialog that opens enter the following:
advertismen
Press 'OK'
The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread. Thanks.
Hi,
Once again thanks for your prompt reply. I uninstalled Ares, rebooted and ran the Registry Search Tool. It did not prompt a WordPad window, however it gave me the following: - 'Search completed in 57 seconds. No instances of advertismen found'.
I tried my luck with BitDefender online again. Actually the search took about 2.5 hrs, however it continued scanning afterwards and did not give me the possibility to export the scan file (it was greyed out). It had found two infected files and deleted them. However my problem persists.
Once again thanks for your help.
tg
OK I found something that could be the problem, it is in your add/remove program and it is called RelevantKnowledge and it is adware.
Did you install this yourself or did it just appear as adware sometimes does?
Remove/uninstall RelevantKnowledge from add/remove program if it will even uninstall, from what I have found it can be a real booger to get rid of.
Reboot afterwards
This entry in hijackthis tells me that advertismen is on your computer or at least partly there:
O20 - AppInit_DLLs: pushow6.dll
Let's see what spysweeper has to say about it...
Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits
    o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
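The check on the O20 line above can be repeated mechanically across the two HijackThis logs in this thread. The following is an added example, not part of any post here: it parses two logs, diffs them, and reports which O20 entries are still present after the cleanup between scans. The sample logs are short excerpts of the two logs posted above, and the function names are this example's own.

```python
import re

# A HijackThis item line is "<section code> - <detail>", e.g.
# "O20 - AppInit_DLLs: pushow6.dll". Section codes are a letter plus a number.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Excerpts of the two logs posted in this thread (trimmed for the example).
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:51:15 PM, on 7/9/2006
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ares\Ares.exe
C:\Program Files\eMule\emule.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O20 - AppInit_DLLs: pushow6.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

SAMPLE_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:44:21 AM, on 7/11/2006
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O20 - AppInit_DLLs: pushow6.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into running processes and (section, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            # The first item line ends the "Running processes:" block.
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
        # Header lines (version, scan time, platform) are ignored.
    return {"processes": processes, "entries": entries}


def diff_logs(before, after):
    """Report what appeared and disappeared between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_entries, a_entries = set(b["entries"]), set(a["entries"])
    # Windows paths are case-insensitive, so compare processes lowercased.
    b_procs = {p.lower() for p in b["processes"]}
    a_procs = {p.lower() for p in a["processes"]}
    return {
        "entries_added": sorted(a_entries - b_entries),
        "entries_removed": sorted(b_entries - a_entries),
        "processes_added": sorted(a_procs - b_procs),
        "processes_removed": sorted(b_procs - a_procs),
    }


def surviving_entries(before, after, sections=("O20",)):
    """Entries in the given sections that are present in both scans.

    O20 is the default because it is the section the thread singles out:
    AppInit_DLLs is a registry value naming DLLs that Windows loads into
    every process that loads user32.dll, so an unexpected DLL there that
    survives a cleanup pass still needs attention.
    """
    earlier = set(parse_hjt(before)["entries"])
    return [e for e in parse_hjt(after)["entries"]
            if e[0] in sections and e in earlier]


if __name__ == "__main__":
    for key, values in diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(key)
        for value in values:
            print("   ", value)
    print("still present after cleanup:")
    for section, detail in surviving_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("   ", section, "-", detail)
```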
Hi,
As regards the Relevant Knowledge, I am not aware of installing it myself. However, when I went on Add/Remove Programs, I did not find it in my list!
I ran WebRoot and this is the result: -
9:15 AM: Removal process completed. Elapsed time 00:00:05
9:15 AM: Quarantining All Traces: tradedoubler cookie
9:15 AM: Quarantining All Traces: instant access
9:15 AM: Quarantining All Traces: marketscore
9:15 AM: Quarantining All Traces: rns keylogger
9:15 AM: Removal process initiated
9:03 AM: Traces Found: 6
9:03 AM: Full Sweep has completed. Elapsed time 01:01:02
9:03 AM: File Sweep Complete, Elapsed Time: 00:59:20
8:57 AM: Warning: Stream read error
8:57 AM: Warning: Stream read error
8:57 AM: Warning: Stream read error
8:57 AM: Warning: Stream read error
8:57 AM: Warning: Failed to access drive G:
8:57 AM: Warning: Failed to access drive F:
8:57 AM: Warning: Failed to access drive E:
8:57 AM: Warning: Failed to access drive D:
8:57 AM: c:\program files\smartdraw 7\library\network design\vendor hardware - network\lanoptics, inc\index.dat:kavichs (ID = 73852)
8:57 AM: Found System Monitor: rns keylogger
8:57 AM: C:\Documents and Settings\tanyagravina\Desktop\software downloads\HJT\backups\backup-20041215-183611-231.inf (ID = 63879)
8:57 AM: C:\Documents and Settings\tanyagravina\Desktop\software downloads\HJT\backups\backup-20041215-183608-683.inf (ID = 63678)
8:57 AM: Found Adware: instant access
8:50 AM: C:\Documents and Settings\nbugeja\Local Settings\Temporary Internet Files\Content.IE5\KD6V8LIR\packetqueuerules[1].xml (ID = 69221)
8:50 AM: C:\Documents and Settings\nbugeja\Local Settings\Temporary Internet Files\Content.IE5\K5674TIN\postdatarules[1].xml (ID = 69222)
8:50 AM: Found Adware: marketscore
8:03 AM: Starting File Sweep
8:03 AM: Warning: Failed to access drive A:
8:03 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:03 AM: c:\documents and settings\tanyagravina\cookies\tanyagravina@tradedoubler[1].txt (ID = 3575)
8:03 AM: Found Spy Cookie: tradedoubler cookie
8:03 AM: Starting Cookie Sweep
8:03 AM: Registry Sweep Complete, Elapsed Time:00:00:22
8:03 AM: Starting Registry Sweep
8:03 AM: Memory Sweep Complete, Elapsed Time: 00:01:13
8:02 AM: Starting Memory Sweep
8:02 AM: Sweep initiated using definitions version 719
8:02 AM: Spy Sweeper 5.0.5.1286 started
8:02 AM: | Start of Session, Saturday, July 15, 2006 |
********
8:02 AM: | End of Session, Saturday, July 15, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:59 AM: Shield States
7:59 AM: Spyware Definitions: 719
7:59 AM: Spy Sweeper 5.0.5.1286 started
7:29 PM: Your spyware definitions have been updated.
7:28 PM: Automated check for program update in progress.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:27 PM: Shield States
7:27 PM: Spyware Definitions: 691
7:27 PM: Spy Sweeper 5.0.5.1286 started
11:17 PM: | End of Session, Thursday, July 13, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:17 PM: Shield States
11:17 PM: Spyware Definitions: 691
11:17 PM: Spy Sweeper 5.0.5.1286 started
7:05 PM: | End of Session, Thursday, July 13, 2006 |
7:03 PM: Warning: The handle is invalid
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
7:03 PM: Warning: The handle is invalid
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:03 PM: Shield States
7:03 PM: Spyware Definitions: 691
7:02 PM: Spy Sweeper 5.0.5.1286 started
7:02 PM: Spy Sweeper 5.0.5.1286 started
7:02 PM: | Start of Session, Thursday, July 13, 2006 |
********
7:31 PM: Removal process completed. Elapsed time 00:00:06
7:30 PM: Quarantining All Traces: targetsaver
7:30 PM: Quarantining All Traces: relatedlinks bho
7:30 PM: Quarantining All Traces: netwebsearch
7:30 PM: Quarantining All Traces: marketscore
7:30 PM: Removal process initiated
7:30 PM: Sweep Status: 4 Items Found
7:30 PM: Traces Found: 16
7:30 PM: File Sweep Complete, Elapsed Time: 00:22:58
7:30 PM: Sweep Canceled
7:29 PM: C:\WINDOWS\lbbho.ini (ID = 73732)
7:15 PM: C:\Program Files\Common Files\kiuo\kiuod\vocabulary (ID = 78283)
7:15 PM: C:\Program Files\Common Files\kiuo\kiuod\class-barrel (ID = 78229)
7:15 PM: Found Adware: targetsaver
7:13 PM: C:\WINDOWS\system32\cemetrix.dll (ID = 243051)
7:08 PM: C:\Documents and Settings\nbugeja\Local Settings\Temporary Internet Files\Content.IE5\G5UJS5M7\biometricrules[1].xml (ID = 69188)
7:08 PM: C:\WINDOWS\lbbho.dll (ID = 73724)
7:08 PM: Found Adware: relatedlinks bho
7:07 PM: Starting File Sweep
7:07 PM: Warning: Failed to access drive A:
7:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:07 PM: Starting Cookie Sweep
7:07 PM: Registry Sweep Complete, Elapsed Time:00:00:22
7:07 PM: HKLM\software\classes\typelib\{1d743153-fc4a-43e7-9c6e-a1d3fafbc56c}\ (ID = 1180343)
7:07 PM: HKCR\typelib\{1d743153-fc4a-43e7-9c6e-a1d3fafbc56c}\ (ID = 1180311)
7:07 PM: Found Adware: netwebsearch
7:07 PM: HKLM\software\classes\iceclientatl.surveyclientctl.1\ (ID = 1149360)
7:07 PM: HKLM\software\classes\iceclientatl.surveyclientctl\ (ID = 1149354)
7:07 PM: HKCR\iceclientatl.surveyclientctl.1\ (ID = 1149346)
7:07 PM: HKCR\iceclientatl.surveyclientctl\ (ID = 1149340)
7:07 PM: HKLM\software\classes\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (ID = 1144226)
7:07 PM: HKLM\software\classes\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (ID = 1144222)
7:07 PM: HKCR\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (ID = 1144194)
7:07 PM: HKCR\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (ID = 1144173)
7:07 PM: Found Adware: marketscore
7:07 PM: Starting Registry Sweep
7:07 PM: Memory Sweep Complete, Elapsed Time: 00:01:15
7:05 PM: Starting Memory Sweep
7:05 PM: Sweep initiated using definitions version 691
7:05 PM: Spy Sweeper 5.0.5.1286 started
7:05 PM: | Start of Session, Thursday, July 13, 2006 |
********
11:53 PM: None
11:53 PM: Traces Found: 0
11:53 PM: File Sweep Complete, Elapsed Time: 00:33:29
11:52 PM: Sweep Canceled
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\89abcdef\rock_r3_c4[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\89abcdef\rock_r4_c2[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\0der45iv\rock_r3_c1[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\ffmqjrru\rock_r2_c4[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\ffmqjrru\rock_r2_c1[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\local settings\temporary internet files\content.ie5\8dejodi3\spacer[1].gif". The operation completed successfully
11:42 PM: Warning: Failed to open file "c:\documents and settings\tanyagravina\cookies\tanyagravina@cgi-bin[1].txt". The operation completed successfully
11:19 PM: Starting File Sweep
11:19 PM: Warning: Failed to access drive A:
11:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:19 PM: Starting Cookie Sweep
11:19 PM: Registry Sweep Complete, Elapsed Time:00:00:22
11:19 PM: Starting Registry Sweep
11:19 PM: Memory Sweep Complete, Elapsed Time: 00:01:29
11:17 PM: Starting Memory Sweep
11:17 PM: Sweep initiated using definitions version 691
11:17 PM: Spy Sweeper 5.0.5.1286 started
11:17 PM: | Start of Session, Thursday, July 13, 2006 |
********
Below please also find the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:19:25 AM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 8.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inter.it/aas/hp?L=it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 8.exe
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-tanyagravina.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-tanyagravina.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-tanyagravina.html (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...s&ppd=5&tag=15
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Thanks very much again for your help.
tgravina
Originally Posted by Neal
We must disable Spy Sweeper, for it may interfere with our fix.
To disable SpySweeper:
- Right click on the SpySweeper icon in your System Tray (near the clock).
- From the pop up menu, left click on Shields, this will open the program at the same time.
- Under the Internet Explorer Tab, uncheck all boxes (if already checked).
- Under the Windows System Tab, uncheck the following shields (if already checked):
  - Memory Shield
  - Spy Installation Shield
- Under the Startup Programs Tab, uncheck the Startup Shield box (if already checked).
- Under the Browser Add-ons Tab, uncheck the Browser Helper Object box (if already checked).
Note: Remember to re-enable these shields once we have completed our work.
Open HijackThis.
* Click on the configure button on the bottom right
* Click on the tab "Misc Tools"
* Click on the box that says "Uninstall Manager"
* Click on RelevantKnowledge
* Click on Delete this entry
* Click "Yes"
Close HijackThis.
Run HijackThis again, click on the Scan button, and put checks next to these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=...1s&ppd=5&tag=15
With nothing open but HijackThis, click on Fix checked.
Reboot and tell me how your computer is behaving now please.