Win32.P2P-Worm.Alcan.a, W32/Gaobot.MJA.worm, etc.?


  • This topic is locked

#1
tvanzee

  • Member
  • 19 posts
Hello G2G staff,

I am humbly throwing myself at your feet in hopes that you will bestow upon me your wisdom of how to once again gain the favor of the computer gods that are evidently quite upset with me right now. In other words, I would GREATLY appreciate any help you can provide.

I will try not to drag on too much, but I do want to provide you with as much information as I have recorded so that you have a complete understanding of the status of my home computer (I’m typing this from work).

About a week ago, I noticed that my computer was having “problems”. I have Spyware Doctor and AdAware SE, so I ran both of those, but things still weren’t right. Win32.P2P-Worm.Alcan.a was one of the items listed, so that’s what I’ve been trying to research. However, since then, things have been getting worse. The following are some of the alert/error messages that have come up during use or during many unsuccessful start-ups:
- B has caused an error in <unknown>. B will now close.
- KB 918547 PlayMetaFileHook
- Loadlmg
- (word containing characters I don’t know how to type) caused an invalid page fault in module KERNEL32.DLL at 017f:bff6668d
- Cmdninst caused a general protection fault in module SYSDM,CPL at 0001:00006e08
- Various blue screen of death errors, including 0D : 015F : 000061BE
- Explorer has caused an error in KRNL386.EXE
- Msgsrv32 has caused an error in KRNL386.EXE

Over the past couple of nights, it has been increasingly more difficult to even get past the StartUp successfully. However, I did try to follow some of the other suggestions available on your site. I was able to download CounterSpy, SUPERAntiSpyware, Spy Emergency 2006 and BruteForceUninstall.zip. Unfortunately, I wasn’t able to follow the recommended steps exactly because of the limited amount of operations I could complete in between errors, freezes, etc. I did run HijackThis and run a Panda scan, and I will include the log info from each below. Late last night, I was finally able to run SUPERAntiSpyware, but I forgot to access the report and then my computer froze up again.

So... I am at your mercy. Again, any suggestions or help that you can offer will be greatly appreciated. Thank you very much for your time!
tvanzee

----------------------------------------
HijackThis log
----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:18:32 PM, on 2/6/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNTHREATENGINE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNPROTECTIONSERVER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNSERVER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SPYEMERGENCY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\MY DOCUMENTS\VIRUSSPYWARE ISSUE\HIJACKTHIS.EXE
C:\WINDOWS\WUAUBOOT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.its.usd.e...pus/WebInst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab28578.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mchsi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1


----------------------------------------
PandaScan log
----------------------------------------
Incident Status Location

Virus:W32/Gaobot.MJA.worm Disinfected Operating system
Virus:Trj/Gaodrop.A Disinfected Operating system
Adware:adware/searchaid Not disinfected c:\windows\system\sdklr32.exe
Virus:trj/downloader.cfj Disinfected Operating system
Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\TEMP\Cookies\anyuser@atwola[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\TEMP\Cookies\[email protected][1].txt
Virus:Trj/Gaodrop.A Disinfected C:\WINDOWS\TEMP\install\Setup.exe
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\SYSTEM\bxqlymsh.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM\wwzjfovu.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM\pma.exe
Virus:Trj/Downloader.DSS Disinfected C:\WINDOWS\SYSTEM\jwaa.dll
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[bs.serving-sys.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/CentrPort Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.centrport.net/]
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.com.com/]
Spyware:Cookie/Bfast Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.bfast.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.qksrv.net/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.realmedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[server.iad.liveperson.net/hc/15619336]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\cookies.txt[.trafficmp.com/]
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Application Data\oocs.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Application Data\area.exe
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.2o7.net/]
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Desktop\Adobe Creative Suite\adobe cs.zip[setup.exe]
Adware:Adware/Gator Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0037]
Adware:Adware/eZula Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0038]
Adware:Adware/Cydoor Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0040]
Virus:W32/Gaobot.MJA.worm Disinfected C:\WINDOWS\b.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Recycled\NPROTECT\00000006.UPD
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Recycled\NPROTECT\00000014.UPD
Virus:Trj/Gaodrop.A Disinfected C:\Program Files\outlook\v.tmp
Virus:Trj/Gaodrop.A Disinfected C:\Program Files\outlook\p.zip[Setup.exe]
Virus:W32/Gaobot.MFM.worm Disinfected C:\onoes.exe

#2
tvanzee

  • Topic Starter
  • Member
  • 19 posts
Hello again,

Please see updated info and scan logs below. Anxiously awaiting your response! Thanks again for your time and help.

tvanzee



2/8/07
Slow StartUp, cursor hourglass displaying off and on
Ran Spyware Doctor: found Trojan.Crypt.E
Ran Spy Emergency 2006: no infections found
Ran CounterSpy: found Delfin.Webbar, ClickSpring.PuritySCAN, Cookie: AdsRemote.Scripps.com, Cookie: GeoCities, Morpheus
Ran AdAware SE Personal: found Win32.P2P-Worm.Alcan.a (bszip.dll file and a regkey)
Ran SUPERAntiSpyware: found two, see scan log
Reboot/Restart
Blue screen error: 0E:017F:BFF8E64B
Black screen error: MSGSRV32 caused an invalid page fault in module KERNEL32.DLL at 017f:bff8e066
Blue screen error: 0D:14B7:000002A6
Black screen error: Mmtask - an error has occured in your program
Blue screen error: 0E:017F:BFF8E64B
Black screen error: Mmtask - MMTASK caused a general protection fault in module MSACM.DRV at 0004:0000242e
"Frozen" - power button OFF
2/9/07
Slow StartUp, cursor hourglass displaying off and on, slow response for opening folders and programs
Ran Hijack This: see scan log



-----------------------------------
SUPERAntiSpyware scan
-----------------------------------
SUPERAntiSpyware Scan Log
Generated 02/09/2007 at 00:34 AM

Application Version : 3.5.1016

Core Rules Database Version : 3179
Trace Rules Database Version: 1189

Scan type : Complete Scan
Total Scan Time : 02:03:29

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 4072
Registry threats detected : 0
File items scanned : 48386
File threats detected : 2

Unclassified.Unknown Origin
C:\_RESTORE\TEMP\A0001112.CPY

Adware.ClickSpring
C:\_RESTORE\TEMP\A0001113.CPY


-----------------------------------
HijackThis scan
-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:40:41 PM, on 2/9/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNSERVER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SPYEMERGENCY.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNASCLEANER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNPROTECTIONSERVER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNTHREATENGINE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\COUNTERSPY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\MY DOCUMENTS\VIRUSSPYWARE ISSUE\HIJACKTHIS.EXE
C:\WINDOWS\WUAUBOOT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - HKCU\..\RunServices: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.its.usd.e...pus/WebInst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab28578.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mchsi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

#3
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Hello, tvanzee, I'll be helping you clean up your computer under the watchful eyes of our experts here at GeeksToGo.

Please give me a chance to look over your HijackThis log and come up with a fix, and I will be sure to post as soon as possible.

#4
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

PartyPoker

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\PartyGaming.net

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\about.htm

After that, Reboot.

Then, please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply along with a new HijackThis log.

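A way to script a first pass over HijackThis entries like the ones selected in the post above, as an added example that is not part of the original post or of HijackThis itself. The three heuristics (orphaned target file, IE page pointing at a local file, ActiveX install source given as a bare IP address) and the names `classify` and `triage` are assumptions made for illustration; they do not reproduce the helper's full judgment, and the sample lines are copied from the post except the last, which is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Lines copied from the post above. The O16 URL is truncated ("...") on the
# page and is kept exactly as shown. The final O4 line is constructed as a
# control that none of the heuristics should flag.
SAMPLE_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm",
    r"R3 - Default URLSearchHook is missing",
    r"O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)",
    r"O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\PROGRAM FILES\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\PROGRAM FILES\Example\app.exe",  # constructed
]

# "<section code> - <rest of entry>", e.g. "O16 - DPF: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A registry value that is a drive-letter path, e.g. "= C:\WINDOWS\about.htm"
LOCAL_PATH_VALUE_RE = re.compile(r"=\s*[A-Za-z]:\\")
# URL whose host is a dotted quad. The host must end at '/', ':', whitespace,
# end of line, or the forum's "..." truncation marker, so that a name such as
# 1.2.3.4.example.com is not mistaken for an IP literal.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[/:\s]|\.\.\.|$)")


@dataclass
class Finding:
    code: str                      # HijackThis section code (R0, O9, O16, ...)
    body: str                      # entry text after the code
    reasons: list = field(default_factory=list)


def _is_ipv4(text):
    """True only for a syntactically valid IPv4 address (rejects 999.1.1.1)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def classify(line):
    """Parse one log line; return a Finding, or None if it is not an entry."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    finding = Finding(match["code"], match["body"])

    # Registry or toolbar entry left behind after its program was removed.
    if "(file missing)" in finding.body:
        finding.reasons.append("target file missing (orphaned entry)")

    # IE start/search/local page redirected to a file on disk.
    if finding.code.startswith("R") and LOCAL_PATH_VALUE_RE.search(finding.body):
        finding.reasons.append("IE page points at a local file")

    if finding.code == "R3" and finding.body.endswith("is missing"):
        finding.reasons.append("default URLSearchHook missing")

    # ActiveX control (Downloaded Program Files) fetched from a raw address.
    if finding.code == "O16":
        url = IP_URL_RE.search(finding.body)
        if url and _is_ipv4(url.group(1)):
            finding.reasons.append("ActiveX install source is a bare IP address")

    return finding


def triage(lines):
    """Return only the entries that matched at least one heuristic."""
    parsed = (classify(line) for line in lines)
    return [f for f in parsed if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.code:<4} {'; '.join(f.reasons)}")
        print(f"     {f.body}")
```
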

#5
tvanzee

    Member

  • Topic Starter
  • 19 posts
********
8:14 PM: | Start of Session, Monday, February 12, 2007 |
8:14 PM: Spy Sweeper started
8:14 PM: Sweep initiated using definitions version 858
8:14 PM: Starting Memory Sweep
8:45 PM: Memory Sweep Complete, Elapsed Time: 00:30:51
8:45 PM: Starting Registry Sweep
8:46 PM: Found Adware: cws_ns3
8:46 PM: HKCR\clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\ (2 subtraces) (ID = 117736)
8:46 PM: HKCR\clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\ (2 subtraces) (ID = 118745)
8:46 PM: HKLM\software\classes\clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\ (2 subtraces) (ID = 119611)
8:47 PM: HKLM\software\classes\clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\ (2 subtraces) (ID = 120584)
8:47 PM: Found Adware: ie driver
8:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\8d52ff82f449\ (2 subtraces) (ID = 128021)
8:48 PM: Found Adware: wild media - minigolf
8:48 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\minigolf_affiliate.exe (ID = 135058)
8:49 PM: Found Adware: wurldmedia
8:49 PM: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535)
8:49 PM: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536)
8:49 PM: HKCR\interface\{9603a736-05b9-4d78-bdd5-bdcb0914e522}\ (8 subtraces) (ID = 147565)
8:49 PM: Found Adware: ist yoursitebar
8:49 PM: HKCR\interface\{bf06da8e-2beb-4816-9bbd-f7625246e245}\ (8 subtraces) (ID = 147834)
8:49 PM: HKLM\software\classes\interface\{bf06da8e-2beb-4816-9bbd-f7625246e245}\ (8 subtraces) (ID = 147840)
8:51 PM: Found Adware: findthewebsiteyouneed hijack
8:51 PM: HKU\WRSS_Profile_tvz\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
8:51 PM: HKU\WRSS_Profile_tvz\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
8:51 PM: Found Adware: cydoor
8:51 PM: HKU\WRSS_Profile_tvz\software\cydoor\ (801 subtraces) (ID = 639126)
8:51 PM: HKU\WRSS_Profile_tvz\software\cydoor services\ (12 subtraces) (ID = 639128)
8:51 PM: HKU\WRSS_Profile_tvz\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
8:51 PM: HKU\WRSS_Profile_tvz\software\microsoft\internet explorer\main\ || default_search_url (ID = 1607009)
8:51 PM: Found Adware: hiwire
8:51 PM: HKU\WRSS_Profile_tvz\software\hiwire\ (79 subtraces) (ID = 1874339)
8:51 PM: Registry Sweep Complete, Elapsed Time:00:05:53
8:51 PM: Starting Cookie Sweep
8:51 PM: Found Spy Cookie: stlyrics cookie
8:51 PM: anyuser@stlyrics[1].txt (ID = 3461)
8:51 PM: Found Spy Cookie: about cookie
8:51 PM: anyuser@about[1].txt (ID = 2037)
8:51 PM: [email protected][1].txt (ID = 2038)
8:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:51 PM: Starting File Sweep
8:51 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
9:09 PM: Found Adware: security iguard
9:09 PM: chmhelp.chm (ID = 453379)
9:49 PM: Found Adware: purityscan
9:49 PM: a0001112.cpy (ID = 73136)
11:10 PM: adobe cs.zip (ID = 258153)
11:10 PM: Warning: Unhandled Archive Type
11:12 PM: Warning: Invalid file - not a PKZip file
11:19 PM: File Sweep Complete, Elapsed Time: 02:28:18
11:19 PM: Full Sweep has completed. Elapsed time 03:05:41
11:19 PM: Traces Found: 952
7:31 AM: Removal process initiated
7:31 AM: Quarantining All Traces: cws_ns3
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine cws_ns3
7:31 AM: Failed to quarantine clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\
7:31 AM: Failed to quarantine clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\
7:31 AM: Failed to quarantine HKLM: software\classes\clsid\{1f846f72-8833-7b85-fbf7-b2d81d30ab82}\
7:31 AM: Failed to quarantine HKLM: software\classes\clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\
7:31 AM: Quarantining All Traces: ie driver
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine ie driver
7:31 AM: Failed to quarantine HKLM: software\microsoft\windows\currentversion\uninstall\8d52ff82f449\
7:31 AM: Quarantining All Traces: ist yoursitebar
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine ist yoursitebar
7:31 AM: Failed to quarantine adobe cs.zip
7:31 AM: Failed to quarantine interface\{bf06da8e-2beb-4816-9bbd-f7625246e245}\
7:31 AM: Failed to quarantine HKLM: software\classes\interface\{bf06da8e-2beb-4816-9bbd-f7625246e245}\
7:31 AM: Quarantining All Traces: purityscan
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine purityscan
7:31 AM: Failed to quarantine a0001112.cpy
7:31 AM: Quarantining All Traces: cydoor
7:31 AM: Quarantining All Traces: findthewebsiteyouneed hijack
7:31 AM: Quarantining All Traces: hiwire
7:31 AM: Quarantining All Traces: security iguard
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine security iguard
7:31 AM: Failed to quarantine chmhelp.chm
7:31 AM: Quarantining All Traces: wild media - minigolf
7:31 AM: Quarantining All Traces: wurldmedia
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine wurldmedia
7:31 AM: Failed to quarantine appid\sostatatl.exe\
7:31 AM: Failed to quarantine appid\{dee5d795-a276-43b5-a04a-511149a354f0}\
7:31 AM: Failed to quarantine interface\{9603a736-05b9-4d78-bdd5-bdcb0914e522}\
7:31 AM: Quarantining All Traces: about cookie
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine about cookie
7:31 AM: Failed to quarantine anyuser@about[1].txt
7:31 AM: Failed to quarantine [email protected][1].txt
7:31 AM: Quarantining All Traces: stlyrics cookie
7:31 AM: Warning: Out of memory
7:31 AM: Failed to quarantine stlyrics cookie
7:31 AM: Failed to quarantine anyuser@stlyrics[1].txt
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:31 AM: Warning: Out of memory
7:32 AM: Removal process completed. Elapsed time 00:01:33
********
8:08 PM: | Start of Session, Monday, February 12, 2007 |
8:08 PM: Spy Sweeper started
8:11 PM: Your spyware definitions have been updated.
8:14 PM: | End of Session, Monday, February 12, 2007 |


************************************************


Logfile of HijackThis v1.99.1
Scan saved at 7:35:12 AM, on 2/13/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNTHREATENGINE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNPROTECTIONSERVER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNSERVER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SPYEMERGENCY.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\MY DOCUMENTS\VIRUSSPYWARE ISSUE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.its.usd.e...pus/WebInst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab28578.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mchsi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

#6
handhfan


    Trusted Helper

  • Expert
  • 13,659 posts
1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

2. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7
tvanzee

    Member

  • Topic Starter
  • 19 posts
I did not download ATF Cleaner because you stated it is only for XP and Windows 2000, while my system is Windows ME.

Also, after completing the Kaspersky Online Scanner, I was only able to save the report as an html file. However, I opened the file with Notepad and will paste the contents below. In case it would be easier for you to view, I will also attach the html file.

To update you on the status of my computer: it's certainly better than last week, but it still has problems; even if it makes it completely through the StartUp without errors locking it up, it takes a very long time for it to get up and running properly (I think a lot of that has to do with all the anti-spyware programs now involved with StartUp); the cursor hourglass is usually blinking on and off; on multiple occasions, I'm greeted with the "blue screen of death" errors and/or errors involving KERNEL32; etc.

I really appreciate the time and effort you've put into helping me thus far, and I TRULY hope you can assist me in getting my computer back to a state of normalcy.

---------------------------------

<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>

<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>

<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Wednesday, February 14, 2007 9:15:51 PM<br>
Operating System: Microsoft Windows Millennium Edition<br>
Kaspersky Online Scanner version: 5.0.83.0<br>
Kaspersky Anti-Virus database last update: 15/02/2007<br>
Kaspersky Anti-Virus database records: 268049<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
a:\<br>
c:\<br>
d:\<br>
m:\<br>
n:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>51239</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>2</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>3 / 0</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>02:10:10</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>


#8
handhfan


    Trusted Helper

  • Expert
  • 13,659 posts
Sorry about ATF Cleaner. The program below in step 2 will work for Windows ME.

1. Please navigate through Windows Explorer to the file below and delete it if it is there:

C:\WINDOWS\SYSTEM\bxqlymsh.dll

2. Download and install CleanUp!
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

3. Reboot your computer, and write down every error you receive. This will help me to know what is going on with your computer.

#9
tvanzee

    Member

  • Topic Starter
  • 19 posts
Below is info on issues I encountered while using my computer during the past few days:

(Blue screen) Error: OE : 017F : BFF8E64B
Msgsrv32 MSGSRV32 caused an invalid page fault in module KERNEL32.DLL at 017f:bff8e066
Mmtask An error has occured in your program. To keep working anyway, click Ignore...
(Blue screen) Error: OE : 017F : BFF8E64B
Mmtask MMTASK caused a general protection fault in module MSACM.DRV at 0004:0000242e
(Blue screen) Error: OD : 14B7 : 000002A6

Very slow StartUp
Very slow response to mouseclicks/commands

Running programs:
Explorer
Swdoctor
Spysweeper
Wrsssdk
Osd
Winmgmt
Superantispyware
Sunserver
Qttask
Rundll
Imgicon
Systray
Sunprotectionserver
Sunthreatengine
Winampa
Hp_finder
Wuuabout

Tried defragmenting Drive C: constantly checking drive for errors, didn't continue

AdAware SE:
Six tracking cookies
Win32.P2P-Worm.Alcan.a (File, Worm, c:\_RESTORE\TEMP\A0001171.CPY
Win32.P2P-Worm.Alcan.a (Regkey, Worm, HKEY_LOCAL_MACHINE:software\microsoft\downloadmanager\

Webroot Spy Sweeper:
Four cookies

CounterSpy:
Two cookies
Delfin.WebBar

Spyware Doctor:
Three tracking cookies
Trojan.StartPage.GEN (six registry files, HKCU\software\Microsoft\Multimedia\ActiveMovie...)

(Blue screen) Error: File Name: VFAT(01)+00006800 Error OE:0028:C0046260

#10
handhfan


    Trusted Helper

  • Expert
  • 13,659 posts
1. Let's run CleanUp! one more time, before doing another scan.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

2. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
3. Then, post a new HijackThis log along with the Panda report in your next reply.

If you come up clean, we will send you off to the Windows 2000 forum so you can get these errors fixed, as they are not malware related.


#11
tvanzee

    Member

  • Topic Starter
  • 19 posts
Incident Status Location

Adware:adware/searchaid Not disinfected c:\windows\system\sdklr32.exe
Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Adware:Adware/WurldMedia Not disinfected C:\WINDOWS\SYSTEM\bxqlymsh.dll
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Netscape\NSB\Profiles\r4med92c.default\cookies.txt[.2o7.net/]
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\74186DCB-258E-43F2-91DA-C73113\70E7D75C-5077-4E0A-AD84-58D65F
Adware:Adware/Gator Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0037]
Adware:Adware/eZula Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0038]
Adware:Adware/Cydoor Not disinfected C:\WINDOWS\Installer\b471ec.msi[unk_0040]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Recycled\NPROTECT\00000006.UPD
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Recycled\NPROTECT\00000014.UPD








Logfile of HijackThis v1.99.1
Scan saved at 9:37:16 PM, on 2/21/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNTHREATENGINE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNPROTECTIONSERVER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\SUNSERVER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\MY DOCUMENTS\VIRUSSPYWARE ISSUE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pzp07wue.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpyEmergency] "C:\PROGRAM FILES\NETGATE\SPY EMERGENCY 2006\SpyEmergency.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.its.usd.e...pus/WebInst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab28578.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mchsi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

#12
handhfan

    Trusted Helper

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system\sdklr32.exe
    C:\WINDOWS\system\SBUtils
    C:\WINDOWS\SYSTEM\bxqlymsh.dll
    C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\74186DCB-258E-43F2-91DA-C73113\70E7D75C-5077-4E0A-AD84-58D65F
    C:\WINDOWS\Installer\b471ec.msi[unk_0037]
    C:\WINDOWS\Installer\b471ec.msi[unk_0038]
    C:\WINDOWS\Installer\b471ec.msi[unk_0040]
    C:\HP\bin\KillIt.exe
    C:\HP\bin\ProcessLogger.exe
    C:\Recycled\NPROTECT\00000006.UPD
    C:\Recycled\NPROTECT\00000014.UPD


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then, run SUPERAntiSpyware.

On the first page select Check for Update.
On completion select SCAN YOUR COMPUTER.
On the next page select COMPLETE SCAN and tick ALL your drives.
The next stage will take a while as your entire drive(s), memory and registry are scanned.
When it has completed click NEXT.
The next screen shows the problems found; click OK.
On the next screen place a tick against all items and select NEXT.

Now, to get the log, go to the PREFERENCES button on the right bottom.
Select the STATISTICS/LOG tab.
Highlight the scan just completed and click VIEW LOG.
This will open a Notepad text file; copy and paste this to your next reply.

#13
tvanzee

    Member

  • Topic Starter
C:\WINDOWS\system\sdklr32.exe moved successfully.
C:\WINDOWS\system\SBUtils moved successfully.
C:\WINDOWS\SYSTEM\bxqlymsh.dll unregistered successfully.
C:\WINDOWS\SYSTEM\bxqlymsh.dll moved successfully.
C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\74186DCB-258E-43F2-91DA-C73113\70E7D75C-5077-4E0A-AD84-58D65F moved successfully.
File/Folder C:\WINDOWS\Installer\b471ec.msi[unk_0037] not found.
File/Folder C:\WINDOWS\Installer\b471ec.msi[unk_0038] not found.
File/Folder C:\WINDOWS\Installer\b471ec.msi[unk_0040] not found.
C:\HP\bin\KillIt.exe moved successfully.
C:\HP\bin\ProcessLogger.exe moved successfully.
C:\Recycled\NPROTECT\00000006.UPD moved successfully.
C:\Recycled\NPROTECT\00000014.UPD moved successfully.

Created on 02/22/2007 23:41:13

#14
tvanzee

    Member

  • Topic Starter
SUPERAntiSpyware Scan Log
Generated 02/23/2007 at 01:46 AM

Application Version : 3.5.1016

Core Rules Database Version : 3188
Trace Rules Database Version: 1198

Scan type : Complete Scan
Total Scan Time : 02:01:18

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 4076
Registry threats detected : 0
File items scanned : 50174
File threats detected : 2

Adware.Tracking Cookie
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\tvz@overture[1].txt

#15
handhfan

    Trusted Helper

Congratulations, tvanzee, you are clean! :whistling:

We have a couple of last steps to perform and then you're all set.

First, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus (these are also free for personal use): It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

If you have any last questions, please ask them here now. If you don't have any questions, let me know and I will have an expert close this topic.