
Help with Altnet, Vundo, Winfixer and more [CLOSED]



#1 mdmytryk (New Member, 7 posts)
Hello "geeks to go", my name is Mike and I am new to this forum. I came across this site looking for help on how to delete Winfixer. The people here seem extremely knowledgeable and helpful, so I have decided to stick around. I currently run Spybot, Ad-Aware, Windows spy remover beta, and have an antivirus program installed. I used to think this was more than enough to take care of all my spyware and malware, but apparently it isn't.

My computer is infected with (that I know of thus far) Altnet, Winfixer, Vundo, and various browser hijackers. I have read the intro thread and have made a HijackThis log and will post it below. Any help that anyone can offer me would be greatly appreciated. Thank you in advance.

-Mike

Logfile of HijackThis v1.99.1
Scan saved at 1:57:30 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
D:\WINDOWS\explorer.exe
D:\Program Files\LimeWire\LimeWire.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
D:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.ken.../cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - D:\WINDOWS\system32\gebcy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\ddccd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O2 - BHO: Bho - {E3C95731-C2FE-4bac-842A-DF151FED4F4D} - D:\WINDOWS\system32\hyvgiihf.dll
O3 - Toolbar: (no name) - {76886F39-D4D8-4f00-A354-3CC1C364F363} - (no file)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clean Access Agent.lnk = D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personalmko.f...lityToolbar.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: ddccd - D:\WINDOWS\system32\ddccd.dll
O20 - Winlogon Notify: ddcyv - D:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll
O20 - Winlogon Notify: vturo - D:\WINDOWS\system32\vturo.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#2 OwNt (Malware Expert, Retired Staff)
Hello, mdmytryk.

Please DELETE your current HJT program from its present location.

Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident.

Run HijackThis

Click SCAN and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

#3 OwNt (Malware Expert, Retired Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Topic re-opened.

Edited by OwNt, 05 December 2005 - 01:50 PM.


#4 OwNt (Malware Expert, Retired Staff)
Hello, mdmytryk. :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please also do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
After that, please open Hijackthis, scan, and place a checkmark by any of these entries that remain:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - D:\WINDOWS\system32\gebcy.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O2 - BHO: Bho - {E3C95731-C2FE-4bac-842A-DF151FED4F4D} - D:\WINDOWS\system32\hyvgiihf.dll
O3 - Toolbar: (no name) - {76886F39-D4D8-4f00-A354-3CC1C364F363} - (no file)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personalmko.f...lityToolbar.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: ddccd - D:\WINDOWS\system32\ddccd.dll
O20 - Winlogon Notify: ddcyv - D:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll
O20 - Winlogon Notify: vturo - D:\WINDOWS\system32\vturo.dll


Close all open windows/browsers and click Fix Checked.

Exit Hijackthis.

Please also put a checkmark by Normal Startup in msconfig. It is essential I see everything running to be able to clean the computer properly.
(Start > Run > Msconfig)

Reboot.

In your next reply please post the log from SpySweeper, a new Hijackthis log, and the log from Kaspersky.
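The entries OwNt asks to have fixed above follow a few recognisable patterns: Winlogon Notify DLLs with random five-letter names in system32 (the Vundo/Virtumonde loader, which runs inside winlogon.exe and is why SpySweeper can only report it as "in use" and remove it on reboot), BHOs and toolbars that are unnamed or point at no file, a blanked IE search setting, and an ActiveX download from a raw IP address. As an added example, not part of this thread and not a HijackThis feature, the Python script below applies those rules to HijackThis log lines so a log can be triaged mechanically; it also covers the autoruns from temp directories and random-named executables in the Windows directory that appear in the later log in this thread. The sample input is a constructed subset of the entries quoted here; the severity levels and the "5 to 9 lowercase letters" random-name test are assumptions of the example. The rules are a triage aid that will produce false positives on legitimate lowercase filenames, not a verdict.

```python
"""Triage a HijackThis 1.99.1 log. Flags the entry types singled out in the
thread above: Vundo-style Winlogon Notify DLLs, unnamed or orphaned BHOs,
ActiveX downloads from raw IPs, and autoruns from temp directories."""
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: entries copied from the logs quoted in this thread,
# with a few benign ones kept for contrast. Not a complete log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - D:\WINDOWS\system32\gebcy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zdfqaz] D:\WINDOWS\tvtfem.exe
O4 - HKLM\..\Run: [SJXwAcfOr] D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
O4 - HKLM\..\Run: [usrO39S] schinit.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: ddccd - D:\WINDOWS\system32\ddccd.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Assumption used as a heuristic: Vundo droppers used 5-9 random lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,9}$")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:local settings\\temp|windows\\temp)\\", re.I)
WIN_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)


class Finding(NamedTuple):
    severity: str   # 'high' / 'medium' / 'low'
    code: str       # HijackThis section, e.g. O20
    reason: str
    line: str


def _exe_path(cmd: str) -> str:
    """Executable portion of an O4 command line, arguments dropped."""
    cmd = cmd.strip().strip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def _random_stem(path: str) -> bool:
    stem = ntpath.splitext(ntpath.basename(path))[0]
    return bool(RANDOM_STEM_RE.match(stem))


def _assess(code: str, body: str) -> Optional[Tuple[str, str]]:
    """Apply the triage rules to one entry; None means nothing to flag."""
    target = body.rsplit(" - ", 1)[-1]          # last field: DLL path or '(no file)'
    if code in ("O2", "O3"):
        if target == "(no file)":
            return "medium", "orphaned BHO/toolbar registration; tick it for removal"
        if "(no name)" in body or _random_stem(target):
            return "high", "unnamed or randomly named browser extension DLL"
    elif code == "O20":
        if _random_stem(target) and "\\system32\\" in target.lower():
            return "high", "random-named Winlogon Notify DLL in system32 (Vundo/Virtumonde pattern)"
        return "low", "Winlogon Notify package loads into winlogon.exe; confirm its publisher"
    elif code == "O4":
        exe = _exe_path(body.split("] ", 1)[-1])   # text after the [name] tag
        if TEMP_DIR_RE.search(exe):
            return "high", "autorun launched from a temp directory"
        if "\\" not in exe:
            return "medium", "autorun given as a bare filename; resolved through PATH"
        if WIN_DIR_RE.match(exe) and _random_stem(exe):
            return "high", "random-named executable dropped into the Windows directory"
    elif code == "O16" and RAW_IP_URL_RE.search(body):
        return "high", "ActiveX control downloaded from a raw IP address"
    elif code in ("R0", "R1") and (body.endswith("=") or body.endswith("= about:blank")):
        return "medium", "IE search/start setting blanked or redirected"
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                            # header, process list, blank
        verdict = _assess(m.group("code"), m.group("body"))
        if verdict:
            findings.append(Finding(verdict[0], m.group("code"), verdict[1], raw.strip()))
    return findings


def severity_of(log_text: str, needle: str) -> Optional[str]:
    """Severity assigned to the first flagged entry containing `needle`, else None."""
    return next((f.severity for f in triage(log_text) if needle in f.line), None)


def fix_checked(log_text: str) -> List[str]:
    """Entries worth ticking before 'Fix checked' in HijackThis (high and medium)."""
    return [f.line for f in triage(log_text) if f.severity != "low"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}\n       {f.line}")
```

Run it against a saved hijackthis.log by passing the file contents to `triage()`. The rules deliberately do nothing to the log or the registry; the output is only the shortlist a helper would review before telling the user what to tick, and every "low" O20 hit still deserves a look because a Winlogon Notify DLL runs with the privileges of winlogon.exe.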

#5 mdmytryk (Topic Starter, New Member)
Thanks a lot for all your help. I was unable to get the online anti-virus scanner to work despite several attempts. I have run SpySweeper and HJT. I have also re-enabled everything through msconfig. Here are the new logs.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:05 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\RioMSC.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program Files\Webroot\Enterprise\Server\WebServer\WebrootAdminConsole.exe
D:\Program Files\Webroot\Enterprise\Server\WebrootClientService.exe
D:\Program Files\Webroot\Enterprise\Server\WebServer\java\bin\java.exe
D:\Program Files\Webroot\Enterprise\Server\WebrootUpdateService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\system32\PRISMSVR.EXE
D:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
D:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
D:\Program Files\Nikon\NkView5\NkvMon.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...s/su/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.ken.../cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zdfqaz] D:\WINDOWS\tvtfem.exe
O4 - HKLM\..\Run: [wuixbpxgw] D:\WINDOWS\emawxhdef.exe
O4 - HKLM\..\Run: [WindUpdates] D:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [usrO39S] schinit.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "D:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SJXwAcfOr] D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NWEHzGr] D:\documents and settings\michael\local settings\temp\NWEHzGr.exe
O4 - HKLM\..\Run: [nodmf] D:\WINDOWS\nodmf.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [lccxnu] D:\WINDOWS\System32\dpmgsx.exe
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [gcwx] D:\WINDOWS\ejtjd.exe
O4 - HKLM\..\Run: [faxflv] D:\WINDOWS\zpizgxel.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [B7N] D:\windows\temp\B7N.exe
O4 - HKLM\..\Run: [athh] D:\WINDOWS\ikgzdwl.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [fB0ERVesT] objdui.exe
O4 - HKCU\..\Run: [Bkwzyvx] D:\WINDOWS\System32\jhutq.exe
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: Clean Access Agent.lnk = D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINDOWS\system32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Webroot Admin Console (WebrootAdminConsole) - Unknown owner - D:\Program Files\Webroot\Enterprise\Server\WebServer\WebrootAdminConsole.exe" -s "D:\Program Files\Webroot\Enterprise\Server\WebServer\conf\WebrootAdminConsole.conf (file missing)
O23 - Service: Webroot Client Service (WebrootEnterpriseClientService) - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Server\WebrootClientService.exe
O23 - Service: Webroot Update Service (WebrootEnterpriseUpdateService) - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Server\WebrootUpdateService.exe

-----end HJT----
SPY SWEEPER LOG


********
4:08 PM: | Start of Session, Wednesday, December 07, 2005 |
4:08 PM: Spy Sweeper started
4:08 PM: Sweep initiated using definitions version 579
4:08 PM: Starting Memory Sweep
4:11 PM: Memory Sweep Complete, Elapsed Time: 00:02:53
4:11 PM: Starting Registry Sweep
4:11 PM: Found Adware: altnet
4:11 PM: HKLM\software\altnet\ (1 subtraces) (ID = 103481)
4:11 PM: Found Trojan Horse: trojan-downloader-conhook
4:11 PM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
4:11 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
4:11 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
4:12 PM: Registry Sweep Complete, Elapsed Time:00:00:17
4:12 PM: Starting Cookie Sweep
4:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
4:12 PM: Starting File Sweep
4:18 PM: Found Adware: elitemediagroup-mediamotor
4:18 PM: a0146230.exe (ID = 74174)
4:22 PM: Found Adware: webhancer
4:22 PM: a0146232.exe (ID = 83803)
4:24 PM: Found Adware: twain-tech
4:24 PM: a0146231.inf (ID = 81846)
4:25 PM: File Sweep Complete, Elapsed Time: 00:12:51
4:25 PM: Full Sweep has completed. Elapsed time 00:16:11
4:25 PM: Traces Found: 14
4:25 PM: Removal process initiated
4:25 PM: Quarantining All Traces: trojan-downloader-conhook
4:25 PM: trojan-downloader-conhook is in use. It will be removed on reboot.
4:25 PM: clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ is in use. It will be removed on reboot.
4:25 PM: Quarantining All Traces: altnet
4:25 PM: altnet is in use. It will be removed on reboot.
4:25 PM: HKLM: software\altnet\ is in use. It will be removed on reboot.
4:25 PM: Quarantining All Traces: elitemediagroup-mediamotor
4:25 PM: Quarantining All Traces: twain-tech
4:25 PM: Quarantining All Traces: webhancer
4:25 PM: Removal process completed. Elapsed time 00:00:07
********
3:27 PM: | Start of Session, Wednesday, December 07, 2005 |
3:27 PM: Spy Sweeper started
3:27 PM: Sweep initiated using definitions version 579
3:27 PM: Starting Memory Sweep
3:27 PM: Found Adware: virtumonde
3:27 PM: Detected running threat: D:\WINDOWS\system32\hyvgiihf.dll (ID = 153)
3:28 PM: Detected running threat: D:\WINDOWS\system32\ddccd.dll (ID = 77)
3:28 PM: Detected running threat: D:\WINDOWS\system32\ddcyv.dll (ID = 77)
3:28 PM: Detected running threat: D:\WINDOWS\system32\vturo.dll (ID = 77)
3:30 PM: Memory Sweep Complete, Elapsed Time: 00:02:45
3:30 PM: Starting Registry Sweep
3:30 PM: Found Adware: altnet
3:30 PM: HKLM\software\altnet\ (1 subtraces) (ID = 103481)
3:30 PM: Found Adware: exact bullseye
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || bullseye network (ID = 104028)
3:30 PM: Found Adware: blazefind
3:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\windows sr 2.0\ (4 subtraces) (ID = 104552)
3:30 PM: Found System Monitor: captain mnemo
3:30 PM: HKLM\software\refog software\ (ID = 105348)
3:30 PM: Found Adware: delfin
3:30 PM: HKLM\software\dsi\ (2 subtraces) (ID = 124852)
3:30 PM: Found Adware: gain - common components
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || cmesys (ID = 126779)
3:30 PM: Found Adware: ie driver
3:30 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127909)
3:30 PM: Found Adware: keenvalue/perfectnav
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || updmgr (ID = 129511)
3:30 PM: Found Adware: navexcel navhelper
3:30 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d80c4e21-c346-4e21-8e64-20746aa20aeb}\ (ID = 135543)
3:30 PM: Found Adware: 180search assistant/zango
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || msbb (ID = 135703)
3:30 PM: Found Adware: shopathomeselect
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || sahagent (ID = 141703)
3:30 PM: Found Adware: directrevenue-abetterinternet
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || alchem (ID = 145947)
3:30 PM: Found Adware: webhancer
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || webhancer agent (ID = 146272)
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || webhancer survey companion (ID = 146273)
3:30 PM: Found Adware: webrebates
3:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || webrebates0 (ID = 146298)
3:30 PM: Found Adware: websearch toolbar
3:30 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
3:30 PM: Found Adware: wildmedia
3:30 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
3:30 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
3:30 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 169512)
3:30 PM: Found Trojan Horse: trojan-downloader-conhook
3:30 PM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
3:30 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
3:30 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
3:30 PM: Found Adware: clocksync
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\microsoft\windows\currentversion\run\ || clocksync (ID = 106141)
3:30 PM: Found Adware: ezula ilookup
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\microsoft\windows\currentversion\run\ || ezmmod (ID = 126293)
3:30 PM: Found System Monitor: keyboardspectatorpro
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\refog software\ (ID = 129573)
3:30 PM: Found Adware: lopdotcom
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
3:30 PM: HKU\S-1-5-21-842925246-1450960922-839522115-1004\software\microsoft\internet explorer\main\ || updater (ID = 146721)
3:30 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
3:30 PM: Registry Sweep Complete, Elapsed Time:00:00:18
3:30 PM: Starting Cookie Sweep
3:30 PM: Found Spy Cookie: 247realmedia cookie
3:30 PM: guest@247realmedia[1].txt (ID = 1953)
3:31 PM: Found Spy Cookie: 2o7.net cookie
3:31 PM: guest@2o7[1].txt (ID = 1957)
3:31 PM: Found Spy Cookie: yieldmanager cookie
3:31 PM: [email protected][2].txt (ID = 3751)
3:31 PM: Found Spy Cookie: adknowledge cookie
3:31 PM: guest@adknowledge[1].txt (ID = 2072)
3:31 PM: Found Spy Cookie: adrevolver cookie
3:31 PM: guest@adrevolver[2].txt (ID = 2088)
3:31 PM: guest@adrevolver[3].txt (ID = 2088)
3:31 PM: Found Spy Cookie: addynamix cookie
3:31 PM: [email protected][2].txt (ID = 2062)
3:31 PM: Found Spy Cookie: pointroll cookie
3:31 PM: [email protected][2].txt (ID = 3148)
3:31 PM: Found Spy Cookie: advertising cookie
3:31 PM: guest@advertising[1].txt (ID = 2175)
3:31 PM: Found Spy Cookie: ask cookie
3:31 PM: guest@ask[1].txt (ID = 2245)
3:31 PM: Found Spy Cookie: atlas dmt cookie
3:31 PM: guest@atdmt[2].txt (ID = 2253)
3:31 PM: Found Spy Cookie: belnk cookie
3:31 PM: [email protected][1].txt (ID = 2293)
3:31 PM: Found Spy Cookie: atwola cookie
3:31 PM: guest@atwola[1].txt (ID = 2255)
3:31 PM: guest@belnk[2].txt (ID = 2292)
3:31 PM: Found Spy Cookie: burstnet cookie
3:31 PM: guest@burstnet[2].txt (ID = 2336)
3:31 PM: Found Spy Cookie: casalemedia cookie
3:31 PM: guest@casalemedia[1].txt (ID = 2354)
3:31 PM: Found Spy Cookie: centrport net cookie
3:31 PM: guest@centrport[1].txt (ID = 2374)
3:31 PM: [email protected][1].txt (ID = 2293)
3:31 PM: Found Spy Cookie: ru4 cookie
3:31 PM: [email protected][2].txt (ID = 3269)
3:31 PM: Found Spy Cookie: fastclick cookie
3:31 PM: guest@fastclick[1].txt (ID = 2651)
3:31 PM: Found Spy Cookie: linksynergy cookie
3:31 PM: guest@linksynergy[1].txt (ID = 2926)
3:31 PM: Found Spy Cookie: maxserving cookie
3:31 PM: guest@maxserving[2].txt (ID = 2966)
3:31 PM: Found Spy Cookie: nextag cookie
3:31 PM: guest@nextag[2].txt (ID = 5014)
3:31 PM: Found Spy Cookie: offeroptimizer cookie
3:31 PM: guest@offeroptimizer[1].txt (ID = 3087)
3:31 PM: Found Spy Cookie: overture cookie
3:31 PM: guest@overture[1].txt (ID = 3105)
3:31 PM: Found Spy Cookie: paypopup cookie
3:31 PM: guest@paypopup[1].txt (ID = 3119)
3:31 PM: Found Spy Cookie: pricegrabber cookie
3:31 PM: guest@pricegrabber[1].txt (ID = 3185)
3:31 PM: Found Spy Cookie: questionmarket cookie
3:31 PM: guest@questionmarket[1].txt (ID = 3217)
3:31 PM: Found Spy Cookie: realmedia cookie
3:31 PM: guest@realmedia[1].txt (ID = 3235)
3:31 PM: Found Spy Cookie: revenue.net cookie
3:31 PM: guest@revenue[2].txt (ID = 3257)
3:31 PM: Found Spy Cookie: servedby advertising cookie
3:31 PM: [email protected][2].txt (ID = 3335)
3:31 PM: Found Spy Cookie: serving-sys cookie
3:31 PM: guest@serving-sys[1].txt (ID = 3343)
3:31 PM: Found Spy Cookie: statcounter cookie
3:31 PM: guest@statcounter[1].txt (ID = 3447)
3:31 PM: Found Spy Cookie: reliablestats cookie
3:31 PM: [email protected][1].txt (ID = 3254)
3:31 PM: Found Spy Cookie: targetnet cookie
3:31 PM: guest@targetnet[2].txt (ID = 3489)
3:31 PM: Found Spy Cookie: tradedoubler cookie
3:31 PM: guest@tradedoubler[1].txt (ID = 3575)
3:31 PM: Found Spy Cookie: trafficmp cookie
3:31 PM: guest@trafficmp[1].txt (ID = 3581)
3:31 PM: Found Spy Cookie: tribalfusion cookie
3:31 PM: guest@tribalfusion[2].txt (ID = 3589)
3:31 PM: Found Spy Cookie: adserver cookie
3:31 PM: [email protected][1].txt (ID = 2142)
3:31 PM: Found Spy Cookie: sandboxer cookie
3:31 PM: michael@0[1].txt (ID = 3282)
3:31 PM: michael@0[2].txt (ID = 3282)
3:31 PM: michael@0[3].txt (ID = 3282)
3:31 PM: michael@0[4].txt (ID = 3282)
3:31 PM: michael@0[5].txt (ID = 3282)
3:31 PM: michael@0[6].txt (ID = 3282)
3:31 PM: Found Spy Cookie: primaryads cookie
3:31 PM: [email protected][2].txt (ID = 3190)
3:31 PM: michael@247realmedia[2].txt (ID = 1953)
3:31 PM: michael@2o7[2].txt (ID = 1957)
3:31 PM: Found Spy Cookie: 3 cookie
3:31 PM: michael@3[1].txt (ID = 1959)
3:31 PM: michael@3[2].txt (ID = 1959)
3:31 PM: Found Spy Cookie: 64.62.232 cookie
3:31 PM: [email protected][1].txt (ID = 1987)
3:31 PM: [email protected][2].txt (ID = 1987)
3:31 PM: Found Spy Cookie: 66.230.183 cookie
3:31 PM: [email protected][2].txt (ID = 1993)
3:31 PM: Found Spy Cookie: 888 cookie
3:31 PM: michael@888[1].txt (ID = 2019)
3:31 PM: michael@888[2].txt (ID = 2019)
3:31 PM: Found Spy Cookie: websponsors cookie
3:31 PM: [email protected][2].txt (ID = 3665)
3:31 PM: Found Spy Cookie: go.com cookie
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][2].txt (ID = 2729)
3:31 PM: Found Spy Cookie: about cookie
3:31 PM: michael@about[1].txt (ID = 2037)
3:31 PM: Found Spy Cookie: ad-logics cookie
3:31 PM: michael@ad-logics[1].txt (ID = 2049)
3:31 PM: Found Spy Cookie: reunion cookie
3:31 PM: [email protected][2].txt (ID = 3256)
3:31 PM: [email protected][1].txt (ID = 3751)
3:31 PM: Found Spy Cookie: adecn cookie
3:31 PM: michael@adecn[1].txt (ID = 2063)
3:31 PM: michael@adknowledge[1].txt (ID = 2072)
3:31 PM: Found Spy Cookie: adlegend cookie
3:31 PM: michael@adlegend[2].txt (ID = 2074)
3:31 PM: Found Spy Cookie: precisead cookie
3:31 PM: [email protected][2].txt (ID = 3182)
3:31 PM: Found Spy Cookie: specificclick.com cookie
3:31 PM: [email protected][2].txt (ID = 3400)
3:31 PM: Found Spy Cookie: adorigin cookie
3:31 PM: michael@adorigin[2].txt (ID = 2082)
3:31 PM: Found Spy Cookie: adprofile cookie
3:31 PM: michael@adprofile[1].txt (ID = 2084)
3:31 PM: michael@adrevolver[1].txt (ID = 2088)
3:31 PM: michael@adrevolver[2].txt (ID = 2088)
3:31 PM: michael@adrevolver[4].txt (ID = 2088)
3:31 PM: [email protected][2].txt (ID = 2062)
3:31 PM: Found Spy Cookie: ads.adsag cookie
3:31 PM: [email protected][1].txt (ID = 2108)
3:31 PM: Found Spy Cookie: cc214142 cookie
3:31 PM: [email protected][1].txt (ID = 2367)
3:31 PM: [email protected][1].txt (ID = 3148)
3:31 PM: Found Spy Cookie: starpulse cookie
3:31 PM: [email protected][1].txt (ID = 3440)
3:31 PM: Found Spy Cookie: ads.stileproject cookie
3:31 PM: [email protected][2].txt (ID = 2127)
3:31 PM: Found Spy Cookie: adtech cookie
3:31 PM: michael@adtech[2].txt (ID = 2155)
3:31 PM: Found Spy Cookie: adultfriendfinder cookie
3:31 PM: michael@adultfriendfinder[1].txt (ID = 2165)
3:31 PM: michael@advertising[1].txt (ID = 2175)
3:31 PM: Found Spy Cookie: affiliate cookie
3:31 PM: michael@affiliate[1].txt (ID = 2199)
3:31 PM: Found Spy Cookie: apmebf cookie
3:31 PM: michael@apmebf[2].txt (ID = 2229)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: Found Spy Cookie: falkag cookie
3:31 PM: [email protected][2].txt (ID = 2650)
3:31 PM: [email protected][2].txt (ID = 2650)
3:31 PM: [email protected][2].txt (ID = 2650)
3:31 PM: michael@ask[1].txt (ID = 2245)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: michael@atdmt[2].txt (ID = 2253)
3:31 PM: [email protected][2].txt (ID = 2293)
3:31 PM: michael@atwola[2].txt (ID = 2255)
3:31 PM: Found Spy Cookie: azjmp cookie
3:31 PM: michael@azjmp[2].txt (ID = 2270)
3:31 PM: Found Spy Cookie: a cookie
3:31 PM: michael@a[1].txt (ID = 2027)
3:31 PM: Found Spy Cookie: bannerspace cookie
3:31 PM: michael@bannerspace[1].txt (ID = 2284)
3:31 PM: Found Spy Cookie: banners cookie
3:31 PM: michael@banners[1].txt (ID = 2282)
3:31 PM: Found Spy Cookie: banner cookie
3:31 PM: michael@banner[1].txt (ID = 2276)
3:31 PM: michael@belnk[1].txt (ID = 2292)
3:31 PM: Found Spy Cookie: bizrate cookie
3:31 PM: michael@bizrate[2].txt (ID = 2308)
3:31 PM: Found Spy Cookie: bluestreak cookie
3:31 PM: michael@bluestreak[2].txt (ID = 2314)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: bravenet cookie
3:31 PM: michael@bravenet[1].txt (ID = 2322)
3:31 PM: Found Spy Cookie: bs.serving-sys cookie
3:31 PM: [email protected][2].txt (ID = 2330)
3:31 PM: michael@burstnet[2].txt (ID = 2336)
3:31 PM: Found Spy Cookie: enhance cookie
3:31 PM: [email protected][1].txt (ID = 2614)
3:31 PM: Found Spy Cookie: goclick cookie
3:31 PM: [email protected][2].txt (ID = 2733)
3:31 PM: Found Spy Cookie: gostats cookie
3:31 PM: [email protected][2].txt (ID = 2748)
3:31 PM: Found Spy Cookie: zedo cookie
3:31 PM: [email protected][1].txt (ID = 3763)
3:31 PM: Found Spy Cookie: cardomain cookie
3:31 PM: michael@cardomain[2].txt (ID = 2350)
3:31 PM: michael@casalemedia[2].txt (ID = 2354)
3:31 PM: Found Spy Cookie: cassava cookie
3:31 PM: michael@cassava[1].txt (ID = 2362)
3:31 PM: michael@centrport[2].txt (ID = 2374)
3:31 PM: Found Spy Cookie: classmates cookie
3:31 PM: michael@classmates[2].txt (ID = 2384)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: clickbank cookie
3:31 PM: michael@clickbank[2].txt (ID = 2398)
3:31 PM: Found Spy Cookie: clicks cookie
3:31 PM: michael@clicks[1].txt (ID = 2402)
3:31 PM: [email protected][1].txt (ID = 1958)
3:31 PM: Found Spy Cookie: howstuffworks cookie
3:31 PM: [email protected][1].txt (ID = 2806)
3:31 PM: Found Spy Cookie: tickle cookie
3:31 PM: [email protected][1].txt (ID = 3530)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: customer cookie
3:31 PM: michael@customer[1].txt (ID = 2481)
3:31 PM: Found Spy Cookie: clickzs cookie
3:31 PM: [email protected][2].txt (ID = 2413)
3:31 PM: [email protected][2].txt (ID = 2413)
3:31 PM: Found Spy Cookie: did-it cookie
3:31 PM: michael@did-it[2].txt (ID = 2523)
3:31 PM: Found Spy Cookie: directtrack cookie
3:31 PM: michael@directtrack[1].txt (ID = 2527)
3:31 PM: [email protected][1].txt (ID = 2293)
3:31 PM: [email protected][1].txt (ID = 3269)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: Found Spy Cookie: adbureau cookie
3:31 PM: [email protected][1].txt (ID = 2060)
3:31 PM: Found Spy Cookie: euniverseads cookie
3:31 PM: michael@euniverseads[1].txt (ID = 2629)
3:31 PM: Found Spy Cookie: experclick cookie
3:31 PM: michael@experclick[2].txt (ID = 2639)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: michael@fastclick[2].txt (ID = 2651)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: fortunecity cookie
3:31 PM: michael@fortunecity[2].txt (ID = 2686)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: Found Spy Cookie: wegcash cookie
3:31 PM: [email protected][2].txt (ID = 3682)
3:31 PM: Found Spy Cookie: gamespy cookie
3:31 PM: michael@gamespy[1].txt (ID = 2719)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: go2net.com cookie
3:31 PM: michael@go2net[1].txt (ID = 2730)
3:31 PM: michael@go[1].txt (ID = 2728)
3:31 PM: michael@go[2].txt (ID = 2728)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: humanclick cookie
3:31 PM: [email protected][1].txt (ID = 2810)
3:31 PM: Found Spy Cookie: herfirstlesbiansex cookie
3:31 PM: michael@herfirstlesbiansex[2].txt (ID = 2771)
3:31 PM: Found Spy Cookie: vioclicks cookie
3:31 PM: [email protected][1].txt (ID = 3640)
3:31 PM: Found Spy Cookie: clickandtrack cookie
3:31 PM: [email protected][2].txt (ID = 2397)
3:31 PM: Found Spy Cookie: homestore cookie
3:31 PM: michael@homestore[2].txt (ID = 2793)
3:31 PM: michael@howstuffworks[1].txt (ID = 2805)
3:31 PM: Found Spy Cookie: hypertracker.com cookie
3:31 PM: michael@hypertracker[2].txt (ID = 2817)
3:31 PM: Found Spy Cookie: screensavers.com cookie
3:31 PM: [email protected][2].txt (ID = 3298)
3:31 PM: [email protected][2].txt (ID = 1958)
3:31 PM: Found Spy Cookie: infospace cookie
3:31 PM: michael@infospace[1].txt (ID = 2865)
3:31 PM: Found Spy Cookie: kount cookie
3:31 PM: michael@kount[2].txt (ID = 2911)
3:31 PM: Found Spy Cookie: domainsponsor cookie
3:31 PM: [email protected][1].txt (ID = 2535)
3:31 PM: Found Spy Cookie: linkexchange cookie
3:31 PM: michael@linkexchange[1].txt (ID = 2920)
3:31 PM: michael@maxserving[1].txt (ID = 2966)
3:31 PM: Found Spy Cookie: metareward.com cookie
3:31 PM: michael@metareward[2].txt (ID = 2990)
3:31 PM: Found Spy Cookie: monstermarketplace cookie
3:31 PM: michael@monstermarketplace[2].txt (ID = 3006)
3:31 PM: Found Spy Cookie: morwillsearch cookie
3:31 PM: michael@morwillsearch[2].txt (ID = 3008)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: Found Spy Cookie: mygeek cookie
3:31 PM: michael@mygeek[1].txt (ID = 3041)
3:31 PM: michael@nextag[1].txt (ID = 5014)
3:31 PM: michael@overture[2].txt (ID = 3105)
3:31 PM: Found Spy Cookie: touchclarity cookie
3:31 PM: [email protected][1].txt (ID = 3567)
3:31 PM: Found Spy Cookie: partypoker cookie
3:31 PM: michael@partypoker[2].txt (ID = 3111)
3:31 PM: Found Spy Cookie: paycounter cookie
3:31 PM: michael@paycounter[1].txt (ID = 3115)
3:31 PM: michael@paypopup[1].txt (ID = 3119)
3:31 PM: Found Spy Cookie: pcstats.com cookie
3:31 PM: michael@pcstats[1].txt (ID = 3125)
3:31 PM: [email protected][1].txt (ID = 2038)
3:31 PM: Found Spy Cookie: freestats.net cookie
3:31 PM: [email protected][2].txt (ID = 2705)
3:31 PM: [email protected][1].txt (ID = 3106)
3:31 PM: Found Spy Cookie: valuead cookie
3:31 PM: [email protected][2].txt (ID = 3627)
3:31 PM: michael@pricegrabber[1].txt (ID = 3185)
3:31 PM: Found Spy Cookie: pro-market cookie
3:31 PM: michael@pro-market[2].txt (ID = 3197)
3:31 PM: Found Spy Cookie: qksrv cookie
3:31 PM: michael@qksrv[2].txt (ID = 3213)
3:31 PM: Found Spy Cookie: qsrch cookie
3:31 PM: michael@qsrch[2].txt (ID = 3215)
3:31 PM: michael@questionmarket[1].txt (ID = 3217)
3:31 PM: [email protected][2].txt (ID = 2038)
3:31 PM: [email protected][2].txt (ID = 2528)
3:31 PM: michael@realmedia[2].txt (ID = 3235)
3:31 PM: michael@reunion[1].txt (ID = 3255)
3:31 PM: michael@revenue[2].txt (ID = 3257)
3:31 PM: Found Spy Cookie: rn11 cookie
3:31 PM: michael@rn11[2].txt (ID = 3261)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: Found Spy Cookie: domain sponsor cookie
3:31 PM: [email protected][1].txt (ID = 2534)
3:31 PM: Found Spy Cookie: server.iad.liveperson cookie
3:31 PM: [email protected][2].txt (ID = 3341)
3:31 PM: michael@serving-sys[1].txt (ID = 3343)
3:31 PM: [email protected][2].txt (ID = 2528)
3:31 PM: [email protected][2].txt (ID = 2729)
3:31 PM: Found Spy Cookie: spykiller cookie
3:31 PM: michael@spykiller[1].txt (ID = 3413)
3:31 PM: Found Spy Cookie: spylog cookie
3:31 PM: michael@spylog[2].txt (ID = 3415)
3:31 PM: Found Spy Cookie: starware.com cookie
3:31 PM: michael@starware[2].txt (ID = 3441)
3:31 PM: Found Spy Cookie: dealtime cookie
3:31 PM: [email protected][2].txt (ID = 2506)
3:31 PM: Found Spy Cookie: onestat.com cookie
3:31 PM: [email protected][2].txt (ID = 3098)
3:31 PM: michael@statcounter[2].txt (ID = 3447)
3:31 PM: Found Spy Cookie: clicktracks cookie
3:31 PM: [email protected][1].txt (ID = 2407)
3:31 PM: [email protected][2].txt (ID = 3254)
3:31 PM: Found Spy Cookie: stlyrics cookie
3:31 PM: michael@stlyrics[2].txt (ID = 3461)
3:31 PM: michael@tickle[2].txt (ID = 3529)
3:31 PM: Found Spy Cookie: toplist cookie
3:31 PM: michael@toplist[2].txt (ID = 3557)
3:31 PM: michael@toplist[3].txt (ID = 3557)
3:31 PM: Found Spy Cookie: tracking cookie
3:31 PM: michael@tracking[2].txt (ID = 3571)
3:31 PM: michael@tradedoubler[1].txt (ID = 3575)
3:31 PM: michael@trafficmp[1].txt (ID = 3581)
3:31 PM: michael@tribalfusion[2].txt (ID = 3589)
3:31 PM: Found Spy Cookie: tripod cookie
3:31 PM: michael@tripod[1].txt (ID = 3591)
3:31 PM: Found Spy Cookie: uproar cookie
3:31 PM: michael@uproar[1].txt (ID = 3612)
3:31 PM: Found Spy Cookie: versiontracker cookie
3:31 PM: michael@versiontracker[1].txt (ID = 3636)
3:31 PM: [email protected][1].txt (ID = 2413)
3:31 PM: Found Spy Cookie: realtracker cookie
3:31 PM: [email protected][1].txt (ID = 3242)
3:31 PM: Found Spy Cookie: weborama cookie
3:31 PM: michael@weborama[1].txt (ID = 3658)
3:31 PM: Found Spy Cookie: webpower cookie
3:31 PM: michael@webpower[1].txt (ID = 3660)
3:31 PM: Found Spy Cookie: 123count cookie
3:31 PM: [email protected][1].txt (ID = 1928)
3:31 PM: Found Spy Cookie: adminder cookie
3:31 PM: [email protected][2].txt (ID = 2079)
3:31 PM: Found Spy Cookie: affiliatefuel.com cookie
3:31 PM: [email protected][1].txt (ID = 2202)
3:31 PM: Found Spy Cookie: burstbeacon cookie
3:31 PM: [email protected][2].txt (ID = 2335)
3:31 PM: Found Spy Cookie: commission junction cookie
3:31 PM: [email protected][1].txt (ID = 2454)
3:31 PM: Found Spy Cookie: maximumcash cookie
3:31 PM: [email protected][1].txt (ID = 2962)
3:31 PM: [email protected][1].txt (ID = 2991)
3:31 PM: Found Spy Cookie: myaffiliateprogram.com cookie
3:31 PM: [email protected][1].txt (ID = 3032)
3:31 PM: Found Spy Cookie: redzip cookie
3:31 PM: [email protected][1].txt (ID = 3250)
3:31 PM: [email protected][2].txt (ID = 3298)
3:31 PM: Found Spy Cookie: upspiral cookie
3:31 PM: [email protected][1].txt (ID = 3615)
3:31 PM: Found Spy Cookie: web-stat cookie
3:31 PM: [email protected][2].txt (ID = 3649)
3:31 PM: Found Spy Cookie: xren_cj cookie
3:31 PM: michael@xren_cj[1].txt (ID = 3723)
3:31 PM: michael@xren_cj[2].txt (ID = 3723)
3:31 PM: michael@xren_cj[3].txt (ID = 3723)
3:31 PM: Found Spy Cookie: yadro cookie
3:31 PM: michael@yadro[2].txt (ID = 3743)
3:31 PM: michael@yieldmanager[2].txt (ID = 3749)
3:31 PM: [email protected][1].txt (ID = 2142)
3:31 PM: michael@zedo[2].txt (ID = 3762)
3:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:10
3:31 PM: Starting File Sweep
3:31 PM: alchem.cab.vir (ID = 83107)
3:31 PM: Found Adware: diamond deal casino
3:31 PM: slots3reel_reel0.slt (ID = 59033)
3:31 PM: mblackjack.dll (ID = 59028)
3:31 PM: slots3reel_reel1.slt (ID = 59034)
3:31 PM: slots3reel_reel2.slt (ID = 59035)
3:31 PM: card_away_center.ani (ID = 58996)
3:31 PM: card_away_dealer.ani (ID = 58997)
3:31 PM: card_away_left.ani (ID = 58998)
3:31 PM: card_away_right.ani (ID = 58999)
3:31 PM: card_draw_center.ani (ID = 59000)
3:31 PM: card_draw_dealer.ani (ID = 59001)
3:31 PM: card_draw_dealer_face_down.ani (ID = 59002)
3:31 PM: card_draw_left.ani (ID = 59003)
3:31 PM: card_draw_right.ani (ID = 59004)
3:31 PM: card_flip.ani (ID = 59005)
3:31 PM: card_peek_dealer_down.ani (ID = 59006)
3:31 PM: slots5reel-reel0.slt (ID = 59036)
3:31 PM: slots5reel-reel1.slt (ID = 59037)
3:31 PM: slots5reel-reel2.slt (ID = 59038)
3:31 PM: slots5reel-reel3.slt (ID = 59039)
3:31 PM: slots5reel-reel4.slt (ID = 59040)
3:31 PM: back.z (ID = 58992)
3:31 PM: card_1.3d (ID = 58994)
3:31 PM: card_1b.3d (ID = 58995)
3:31 PM: card_peek_dealer_up.ani (ID = 59007)
3:31 PM: card_stand_center.ani (ID = 59008)
3:31 PM: card_stand_dealer.ani (ID = 59009)
3:31 PM: card_stand_left.ani (ID = 59010)
3:31 PM: card_stand_right.ani (ID = 59011)
3:31 PM: d:\documents and settings\all users\application data\ksp (2 subtraces) (ID = -2147480767)
3:31 PM: d:\documents and settings\all users\application data\pcsvc (20 subtraces) (ID = -2147481135)
3:31 PM: d:\windows\system32\pcs (ID = -2147481121)
3:31 PM: Found Adware: bullguard popup ad
3:31 PM: d:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
3:32 PM: Found Adware: twain-tech
3:32 PM: mxtarget.ini (ID = 81893)
3:33 PM: Found Adware: minigolf
3:33 PM: tracker9.exe (ID = 69966)
3:33 PM: delfinst.ebd (ID = 57692)
3:34 PM: delfintg.ebd (ID = 57693)
3:34 PM: key2.txt (ID = 51468)
3:34 PM: Found Adware: apropos
3:34 PM: setup.inf (ID = 50158)
3:34 PM: bunsetup.cab (ID = 75707)
3:34 PM: bulldownload.exe (ID = 52017)
3:36 PM: mxtini.cab (ID = 81845)
3:36 PM: Found Adware: elitemediagroup-mediamotor
3:36 PM: unstall.exe (ID = 74174)
3:37 PM: Found Adware: purityscan
3:37 PM: rs.exe (ID = 72949)
3:39 PM: ~mysetup.exe (ID = 57829)
3:39 PM: gstartup.lnk (ID = 61450)
3:40 PM: prelimhanse.exe (ID = 83803)
3:42 PM: twaintec.inf (ID = 81888)
3:42 PM: mediamotor1002.sah (ID = 75826)
3:42 PM: Found Adware: sexdownloader
3:42 PM: httpdownloader.inf (ID = 75380)
3:42 PM: Found Adware: xxxdial
3:42 PM: dialer.inf (ID = 90963)
3:42 PM: dialer.inf (ID = 90963)
3:42 PM: delfinsi.edx (ID = 57684)
3:42 PM: delfinky.edx (ID = 57685)
3:42 PM: twaintec.inf (ID = 81888)
3:42 PM: Found Adware: elitebar
3:42 PM: osd1c5.osd (ID = 60005)
3:42 PM: mxtini.inf (ID = 81846)
3:42 PM: Found Adware: bho_sep
3:42 PM: sepsd.bin (ID = 75367)
3:42 PM: mxtini.inf (ID = 81846)
3:42 PM: File Sweep Complete, Elapsed Time: 00:11:39
3:42 PM: Full Sweep has completed. Elapsed time 00:14:55
3:42 PM: Traces Found: 375
3:45 PM: Removal process initiated
3:45 PM: Quarantining All Traces: 180search assistant/zango
3:45 PM: Quarantining All Traces: captain mnemo
3:45 PM: Quarantining All Traces: directrevenue-abetterinternet
3:45 PM: Quarantining All Traces: elitebar
3:45 PM: Quarantining All Traces: ie driver
3:45 PM: Quarantining All Traces: keyboardspectatorpro
3:45 PM: Quarantining All Traces: lopdotcom
3:45 PM: Quarantining All Traces: purityscan
3:45 PM: Quarantining All Traces: virtumonde
3:45 PM: virtumonde is in use. It will be removed on reboot.
3:45 PM: D:\WINDOWS\system32\hyvgiihf.dll is in use. It will be removed on reboot.
3:45 PM: D:\WINDOWS\system32\ddccd.dll is in use. It will be removed on reboot.
3:45 PM: D:\WINDOWS\system32\ddcyv.dll is in use. It will be removed on reboot.
3:45 PM: D:\WINDOWS\system32\vturo.dll is in use. It will be removed on reboot.
3:45 PM: Quarantining All Traces: websearch toolbar
3:45 PM: Quarantining All Traces: wildmedia
3:45 PM: Quarantining All Traces: apropos
3:45 PM: Quarantining All Traces: blazefind
3:45 PM: Quarantining All Traces: delfin
3:45 PM: Quarantining All Traces: gain - common components
3:45 PM: Quarantining All Traces: trojan-downloader-conhook
3:45 PM: Quarantining All Traces: altnet
3:45 PM: altnet is in use. It will be removed on reboot.
3:45 PM: HKLM: software\altnet\ is in use. It will be removed on reboot.
3:45 PM: Quarantining All Traces: bho_sep
3:45 PM: Quarantining All Traces: bullguard popup ad
3:45 PM: Quarantining All Traces: clocksync
3:45 PM: Quarantining All Traces: diamond deal casino
3:45 PM: Quarantining All Traces: elitemediagroup-mediamotor
3:45 PM: Quarantining All Traces: exact bullseye
3:45 PM: Quarantining All Traces: ezula ilookup
3:45 PM: Quarantining All Traces: keenvalue/perfectnav
3:45 PM: Quarantining All Traces: minigolf
3:45 PM: Quarantining All Traces: navexcel navhelper
3:45 PM: Quarantining All Traces: sexdownloader
3:45 PM: Quarantining All Traces: shopathomeselect
3:45 PM: Quarantining All Traces: twain-tech
3:45 PM: Quarantining All Traces: webhancer
3:46 PM: Quarantining All Traces: webrebates
3:46 PM: Quarantining All Traces: xxxdial
3:46 PM: Quarantining All Traces: 123count cookie
3:46 PM: Quarantining All Traces: 247realmedia cookie
3:46 PM: Quarantining All Traces: 2o7.net cookie
3:46 PM: Quarantining All Traces: 3 cookie
3:46 PM: Quarantining All Traces: 64.62.232 cookie
3:46 PM: Quarantining All Traces: 66.230.183 cookie
3:46 PM: Quarantining All Traces: 888 cookie
3:46 PM: Quarantining All Traces: a cookie
3:46 PM: Quarantining All Traces: about cookie
3:46 PM: Quarantining All Traces: adbureau cookie
3:46 PM: Quarantining All Traces: addynamix cookie
3:46 PM: Quarantining All Traces: adecn cookie
3:46 PM: Quarantining All Traces: adknowledge cookie
3:46 PM: Quarantining All Traces: adlegend cookie
3:46 PM: Quarantining All Traces: ad-logics cookie
3:46 PM: Quarantining All Traces: adminder cookie
3:46 PM: Quarantining All Traces: adorigin cookie
3:46 PM: Quarantining All Traces: adprofile cookie
3:46 PM: Quarantining All Traces: adrevolver cookie
3:46 PM: Quarantining All Traces: ads.adsag cookie
3:46 PM: Quarantining All Traces: ads.stileproject cookie
3:46 PM: Quarantining All Traces: adserver cookie
3:46 PM: Quarantining All Traces: adtech cookie
3:46 PM: Quarantining All Traces: adultfriendfinder cookie
3:46 PM: Quarantining All Traces: advertising cookie
3:46 PM: Quarantining All Traces: affiliate cookie
3:46 PM: Quarantining All Traces: affiliatefuel.com cookie
3:46 PM: Quarantining All Traces: apmebf cookie
3:46 PM: Quarantining All Traces: ask cookie
3:46 PM: Quarantining All Traces: atlas dmt cookie
3:46 PM: Quarantining All Traces: atwola cookie
3:46 PM: Quarantining All Traces: azjmp cookie
3:46 PM: Quarantining All Traces: banner cookie
3:46 PM: Quarantining All Traces: banners cookie
3:46 PM: Quarantining All Traces: bannerspace cookie
3:46 PM: Quarantining All Traces: belnk cookie
3:46 PM: Quarantining All Traces: bizrate cookie
3:46 PM: Quarantining All Traces: bluestreak cookie
3:46 PM: Quarantining All Traces: bravenet cookie
3:46 PM: Quarantining All Traces: bs.serving-sys cookie
3:46 PM: Quarantining All Traces: burstbeacon cookie
3:46 PM: Quarantining All Traces: burstnet cookie
3:46 PM: Quarantining All Traces: cardomain cookie
3:46 PM: Quarantining All Traces: casalemedia cookie
3:46 PM: Quarantining All Traces: cassava cookie
3:46 PM: Quarantining All Traces: cc214142 cookie
3:46 PM: Quarantining All Traces: centrport net cookie
3:46 PM: Quarantining All Traces: classmates cookie
3:46 PM: Quarantining All Traces: clickandtrack cookie
3:46 PM: Quarantining All Traces: clickbank cookie
3:46 PM: Quarantining All Traces: clicks cookie
3:46 PM: Quarantining All Traces: clicktracks cookie
3:46 PM: Quarantining All Traces: clickzs cookie
3:46 PM: Quarantining All Traces: commission junction cookie
3:46 PM: Quarantining All Traces: customer cookie
3:46 PM: Quarantining All Traces: dealtime cookie
3:46 PM: Quarantining All Traces: did-it cookie
3:46 PM: Quarantining All Traces: directtrack cookie
3:46 PM: Quarantining All Traces: domain sponsor cookie
3:46 PM: Quarantining All Traces: domainsponsor cookie
3:46 PM: Quarantining All Traces: enhance cookie
3:46 PM: Quarantining All Traces: euniverseads cookie
3:46 PM: Quarantining All Traces: experclick cookie
3:46 PM: Quarantining All Traces: falkag cookie
3:46 PM: Quarantining All Traces: fastclick cookie
3:46 PM: Quarantining All Traces: fortunecity cookie
3:46 PM: Quarantining All Traces: freestats.net cookie
3:46 PM: Quarantining All Traces: gamespy cookie
3:46 PM: Quarantining All Traces: go.com cookie
3:46 PM: Quarantining All Traces: go2net.com cookie
3:46 PM: Quarantining All Traces: goclick cookie
3:46 PM: Quarantining All Traces: gostats cookie
3:46 PM: Quarantining All Traces: herfirstlesbiansex cookie
3:46 PM: Quarantining All Traces: homestore cookie
3:46 PM: Quarantining All Traces: howstuffworks cookie
3:46 PM: Quarantining All Traces: humanclick cookie
3:46 PM: Quarantining All Traces: hypertracker.com cookie
3:46 PM: Quarantining All Traces: infospace cookie
3:46 PM: Quarantining All Traces: kount cookie
3:46 PM: Quarantining All Traces: linkexchange cookie
3:46 PM: Quarantining All Traces: linksynergy cookie
3:46 PM: Quarantining All Traces: maximumcash cookie
3:46 PM: Quarantining All Traces: maxserving cookie
3:46 PM: Quarantining All Traces: metareward.com cookie
3:46 PM: Quarantining All Traces: monstermarketplace cookie
3:46 PM: Quarantining All Traces: morwillsearch cookie
3:46 PM: Quarantining All Traces: myaffiliateprogram.com cookie
3:46 PM: Quarantining All Traces: mygeek cookie
3:46 PM: Quarantining All Traces: nextag cookie
3:46 PM: Quarantining All Traces: offeroptimizer cookie
3:46 PM: Quarantining All Traces: onestat.com cookie
3:46 PM: Quarantining All Traces: overture cookie
3:46 PM: Quarantining All Traces: partypoker cookie
3:46 PM: Quarantining All Traces: paycounter cookie
3:46 PM: Quarantining All Traces: paypopup cookie
3:46 PM: Quarantining All Traces: pcstats.com cookie
3:46 PM: Quarantining All Traces: pointroll cookie
3:46 PM: Quarantining All Traces: precisead cookie
3:46 PM: Quarantining All Traces: pricegrabber cookie
3:46 PM: Quarantining All Traces: primaryads cookie
3:46 PM: Quarantining All Traces: pro-market cookie
3:46 PM: Quarantining All Traces: qksrv cookie
3:46 PM: Quarantining All Traces: qsrch cookie
3:46 PM: Quarantining All Traces: questionmarket cookie
3:46 PM: Quarantining All Traces: realmedia cookie
3:46 PM: Quarantining All Traces: realtracker cookie
3:46 PM: Quarantining All Traces: redzip cookie
3:46 PM: Quarantining All Traces: reliablestats cookie
3:46 PM: Quarantining All Traces: reunion cookie
3:46 PM: Quarantining All Traces: revenue.net cookie
3:46 PM: Quarantining All Traces: rn11 cookie
3:46 PM: Quarantining All Traces: ru4 cookie
3:46 PM: Quarantining All Traces: sandboxer cookie
3:46 PM: Quarantining All Traces: screensavers.com cookie
3:46 PM: Quarantining All Traces: servedby advertising cookie
3:46 PM: Quarantining All Traces: server.iad.liveperson cookie
3:46 PM: Quarantining All Traces: serving-sys cookie
3:46 PM: Quarantining All Traces: specificclick.com cookie
3:46 PM: Quarantining All Traces: spykiller cookie
3:46 PM: Quarantining All Traces: spylog cookie
3:46 PM: Quarantining All Traces: starpulse cookie
3:46 PM: Quarantining All Traces: starware.com cookie
3:46 PM: Quarantining All Traces: statcounter cookie
3:46 PM: Quarantining All Traces: stlyrics cookie
3:46 PM: Quarantining All Traces: targetnet cookie
3:46 PM: Quarantining All Traces: tickle cookie
3:46 PM: Quarantining All Traces: toplist cookie
3:46 PM: Quarantining All Traces: touchclarity cookie
3:46 PM: Quarantining All Traces: tracking cookie
3:46 PM: Quarantining All Traces: tradedoubler cookie
3:46 PM: Quarantining All Traces: trafficmp cookie
3:46 PM: Quarantining All Traces: tribalfusion cookie
3:46 PM: Quarantining All Traces: tripod cookie
3:46 PM: Quarantining All Traces: uproar cookie
3:46 PM: Quarantining All Traces: upspiral cookie
3:46 PM: Quarantining All Traces: valuead cookie
3:46 PM: Quarantining All Traces: versiontracker cookie
3:46 PM: Quarantining All Traces: vioclicks cookie
3:46 PM: Quarantining All Traces: weborama cookie
3:46 PM: Quarantining All Traces: webpower cookie
3:46 PM: Quarantining All Traces: websponsors cookie
3:46 PM: Quarantining All Traces: web-stat cookie
3:46 PM: Quarantining All Traces: wegcash cookie
3:46 PM: Quarantining All Traces: xren_cj cookie
3:46 PM: Quarantining All Traces: yadro cookie
3:46 PM: Quarantining All Traces: yieldmanager cookie
3:46 PM: Quarantining All Traces: zedo cookie
3:46 PM: Warning: Launched explorer.exe
3:46 PM: Warning: Quarantine process could not restart Explorer.
********
3:25 PM: | Start of Session, Wednesday, December 07, 2005 |
3:25 PM: Spy Sweeper started
3:26 PM: Your spyware definitions have been updated.
3:27 PM: | End of Session, Wednesday, December 07, 2005 |

#6
OwNt
    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, mdmytryk.

Could you post another HijackThis log without word wrap? It makes it very hard to read like that.

#7
mdmytryk
    New Member
  • Topic Starter
  • Member
  • 7 posts
Sorry about that... here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 4:46:05 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\RioMSC.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program Files\Webroot\Enterprise\Server\WebServer\WebrootAdminConsole.exe
D:\Program Files\Webroot\Enterprise\Server\WebrootClientService.exe
D:\Program Files\Webroot\Enterprise\Server\WebServer\java\bin\java.exe
D:\Program Files\Webroot\Enterprise\Server\WebrootUpdateService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\system32\PRISMSVR.EXE
D:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
D:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
D:\Program Files\Nikon\NkView5\NkvMon.exe
D:\Program Files\3M\PSNLite\PsnLite.exe
D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
D:\PROGRA~1\3M\PSNLite\PSNGive.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.ken.../cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zdfqaz] D:\WINDOWS\tvtfem.exe
O4 - HKLM\..\Run: [wuixbpxgw] D:\WINDOWS\emawxhdef.exe
O4 - HKLM\..\Run: [WindUpdates] D:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [usrO39S] schinit.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "D:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SJXwAcfOr] D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NWEHzGr] D:\documents and settings\michael\local settings\temp\NWEHzGr.exe
O4 - HKLM\..\Run: [nodmf] D:\WINDOWS\nodmf.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [lccxnu] D:\WINDOWS\System32\dpmgsx.exe
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [gcwx] D:\WINDOWS\ejtjd.exe
O4 - HKLM\..\Run: [faxflv] D:\WINDOWS\zpizgxel.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [B7N] D:\windows\temp\B7N.exe
O4 - HKLM\..\Run: [athh] D:\WINDOWS\ikgzdwl.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [fB0ERVesT] objdui.exe
O4 - HKCU\..\Run: [Bkwzyvx] D:\WINDOWS\System32\jhutq.exe
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Startup: Clean Access Agent.lnk = D:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINDOWS\system32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Webroot Admin Console (WebrootAdminConsole) - Unknown owner - D:\Program Files\Webroot\Enterprise\Server\WebServer\WebrootAdminConsole.exe" -s "D:\Program Files\Webroot\Enterprise\Server\WebServer\conf\WebrootAdminConsole.conf (file missing)
O23 - Service: Webroot Client Service (WebrootEnterpriseClientService) - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Server\WebrootClientService.exe
O23 - Service: Webroot Update Service (WebrootEnterpriseUpdateService) - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Server\WebrootUpdateService.exe

#8 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, mdmytryk. :tazz:

Please open Hijackthis, scan, and place a checkmark by the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O4 - HKLM\..\Run: [zdfqaz] D:\WINDOWS\tvtfem.exe
O4 - HKLM\..\Run: [wuixbpxgw] D:\WINDOWS\emawxhdef.exe
O4 - HKLM\..\Run: [WindUpdates] D:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [usrO39S] schinit.exe
O4 - HKLM\..\Run: [SJXwAcfOr] D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
O4 - HKLM\..\Run: [NWEHzGr] D:\documents and settings\michael\local settings\temp\NWEHzGr.exe
O4 - HKLM\..\Run: [nodmf] D:\WINDOWS\nodmf.exe
O4 - HKLM\..\Run: [lccxnu] D:\WINDOWS\System32\dpmgsx.exe
O4 - HKLM\..\Run: [gcwx] D:\WINDOWS\ejtjd.exe
O4 - HKLM\..\Run: [faxflv] D:\WINDOWS\zpizgxel.exe
O4 - HKLM\..\Run: [B7N] D:\windows\temp\B7N.exe
O4 - HKLM\..\Run: [athh] D:\WINDOWS\ikgzdwl.exe
O4 - HKCU\..\Run: [fB0ERVesT] objdui.exe
O4 - HKCU\..\Run: [Bkwzyvx] D:\WINDOWS\System32\jhutq.exe
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll


Close ALL open windows/browsers and click Fix Checked.

Exit Hijackthis.

Reboot into safe mode by tapping F8 as your computer turns on. Select safe mode from the list that appears.

Once in safe mode please show hidden files.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now uninstall the following programs from add/remove:
(Start > Settings > Control Panel > Add/Remove Programs)

WindUpdates

Then delete the following files/folders:

D:\WINDOWS\tvtfem.exe
D:\WINDOWS\emawxhdef.exe
D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
D:\documents and settings\michael\local settings\temp\NWEHzGr.exe
D:\WINDOWS\nodmf.exe
D:\WINDOWS\System32\dpmgsx.exe
D:\WINDOWS\ejtjd.exe
D:\WINDOWS\zpizgxel.exe
D:\windows\temp\B7N.exe
D:\WINDOWS\ikgzdwl.exe
Search for this one --> objdui.exe
D:\WINDOWS\System32\jhutq.exe

D:\Program Files\WindUpdates

Now run SpySweeper with the same settings as before.

Reboot into normal mode and post a fresh Hijackthis log, and the log from Spy Sweeper.
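As an added example (not part of this thread and not HijackThis's own code), a small Python script that applies the kind of rules OwNt used above to pick entries out of a log: Run values with no directory, executables launched from a temp folder or dropped straight into the Windows folder, and Winlogon Notify DLLs. The heuristics and the function names (parse_line, review_reason, triage) are my own assumptions; the sample lines are copied from the log posted in this thread.

```python
"""Triage HijackThis autostart lines (O4 Run, O20 Winlogon Notify) with the
heuristics a malware helper applies by eye; candidates still need a human."""
import re
# Constructed sample: lines copied from the log posted above in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zdfqaz] D:\WINDOWS\tvtfem.exe
O4 - HKLM\..\Run: [usrO39S] schinit.exe
O4 - HKLM\..\Run: [SJXwAcfOr] D:\documents and settings\michael\local settings\temp\SJXwAcfOr.exe
O20 - Winlogon Notify: gebcy - D:\WINDOWS\SYSTEM32\gebcy.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
def _target(cmd):
    """Executable path from a Run value; for rundll32 launchers, the DLL it loads."""
    m = re.match(r'"?(.*?\.(?:exe|dll))"?', cmd, re.I)
    path = m.group(1) if m else cmd.split(" ", 1)[0]
    if path.lower().endswith("rundll32.exe"):
        m = re.search(r'rundll32\.exe\s+"?(.*?\.dll)', cmd, re.I)
        path = m.group(1) if m else path
    return path

def parse_line(line):
    """(section, name, target) for O4 Run and O20 Winlogon Notify lines, else None."""
    m = re.match(r'O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)', line)
    if m:
        return ("O4", m.group(1), _target(m.group(2)))
    m = re.match(r'O20 - Winlogon Notify: (\S+) - (.*)', line)
    return ("O20", m.group(1), m.group(2).strip()) if m else None

def review_reason(section, target):
    """Why an entry deserves a look, or None. A heuristic, not a verdict."""
    low = target.lower()
    if "\\" not in low:
        return "bare filename: no directory, so the loaded file cannot be verified"
    if "\\temp\\" in low:
        return "autostarts from a temp folder"
    if re.fullmatch(r"[a-z]:\\windows", low.rsplit("\\", 1)[0]):
        return "executable sits directly in the Windows folder"
    if section == "O20":
        return "DLL loaded into winlogon at logon; confirm the vendor"
    return None

def triage(log_text):
    """Return [(section, name, target, reason)] for entries worth a second look."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        reason = review_reason(entry[0], entry[2]) if entry else None
        if reason:
            found.append(entry + (reason,))
    return found
```

Running triage(SAMPLE_LOG) lists the three Run entries OwNt asked to fix plus both Winlogon Notify DLLs, the latter only for a vendor check, which is why the Spy Sweeper one (WRNotifier) was left alone above.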

#9 mdmytryk (New Member, Topic Starter, 7 posts)
Apparently I did something seriously wrong. Everything was going fine until I went to restart my computer. When I restart, I get a message saying "NTLDR is missing PRESS CTRL ALT DEL to restart". This is right after I restart, before Windows even boots. I am able to get into the boot menu but I cannot hit F8 to try to boot in safe mode.

I think my only option is to get my XP CD, boot off of that and try to repair it. Any ideas?

thanks,
-Mike

#10 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, mdmytryk.

Repairing XP would probably be the best way to go in this case, and the easiest.

You will not lose any of your files or data, the repair will only replace the system files.

Instructions Here.

#11 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.