Hijack This Log Analysis Request


7 replies to this topic

#1 SATCFI (Members, 24 posts)

Posted 03 December 2005 - 03:47 PM

Hello,

I am new to all this so please be kind ;)

I have had the problem of the WinFixer going off every time I log onto the internet. I ran HijackThis and have the following logs:

StartupList report, 12/3/2005, 2:29:28 PM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTrayp = VTtrayp.exe
VTTimer = VTTimer.exe
AudioDeck = C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
LiveMonitor = C:\Program Files\MSI\Live Update 3\LMonitor.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
vptray = C:\Program Files\NavNT\vptray.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "D:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
LwxERif4j = aklkmon.exe
H/PC Connection Agent = "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Spyware Begone = "C:\Documents and Settings\All Users\Desktop\Old 20GB Drive Contents\spywarebegone\SpywareBeGone.exe" -FastScan

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\msagent\intl\cab.dll - {827DC836-DD9F-4A68-A602-5812EB50A834}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1124393622046

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,081 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



and this one:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:10 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\intl\cab.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Begone] "C:\Documents and Settings\All Users\Desktop\Old 20GB Drive Contents\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://D:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124393622046
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll
O20 - Winlogon Notify: imgsys - C:\WINDOWS\repair\imgsys.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Can you please help me get rid of WinFixer?

Best regards,

Brad
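A small triage script, added here as a worked example and not part of the poster's message or of HijackThis itself. It groups the O2/O4/O9/O20 lines of the log above and applies the four checks an experienced HJT reader makes by eye: a Winlogon Notify DLL parked outside system32, a DLL registered both as an IE BHO and as a Winlogon Notify package, a Run entry whose value name looks machine-generated and whose command is a bare filename with no path, and an IE button whose target is "(file missing)". The sample input is a copied subset of the posted log; the function and class names and the "random-looking name" pattern are this example's own choices. On that input the O20 and O2 checks pick out exactly cab.dll and imgsys.dll, the two DLLs that the Spy Sweeper run later in the thread reports as running Virtumonde threats.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this thread, not code from HijackThis or the poster.
It groups the O2/O4/O9/O20 lines of an HJT 1.99.1 log and applies four
checks that experienced log readers make by eye:
  * a Winlogon Notify DLL (O20) that does not live under system32
  * a DLL registered both as an IE BHO (O2) and as a Winlogon Notify package
  * a Run entry (O4) with a random-looking value name and a bare filename
  * an IE button/menu item (O9) whose target is reported "(file missing)"
Every hit is a lead for an analyst, not a verdict; benign software trips
some of these (bare-filename Run entries are common for OEM tray tools).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the HJT log posted above, used as sample input for the example.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\intl\cab.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://D:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll
O20 - Winlogon Notify: imgsys - C:\WINDOWS\repair\imgsys.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
O2_BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
# Value name with digits plus mixed case and no separators, e.g. LwxERif4j.
# This is a weak, assumed heuristic; an analyst still has to confirm the hit.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    item: str      # the entry name the analyst should look up
    reason: str    # why it was flagged


def parse(log_text: str) -> dict[str, list[str]]:
    """Group HJT entry lines by section code; non-entry lines are dropped."""
    sections: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def _norm(path: str) -> str:
    """Case-fold and unquote a Windows path so paths compare reliably."""
    return path.strip().strip('"').lower()


def triage(log_text: str) -> list[Finding]:
    sections = parse(log_text)
    findings: list[Finding] = []

    # O20: Winlogon Notify packages are loaded into winlogon.exe at logon,
    # so a DLL parked outside system32 deserves a second look.
    notify: dict[str, str] = {}
    for entry in sections.get("O20", []):
        m = O20_NOTIFY.match(entry)
        if m:
            notify[m.group(1)] = _norm(m.group(2))
    for name, path in notify.items():
        if "\\system32\\" not in path:
            findings.append(Finding("O20", name, f"Winlogon Notify DLL outside system32: {path}"))

    # O2 x O20: the same DLL loaded into both Internet Explorer and winlogon.
    for entry in sections.get("O2", []):
        m = O2_BHO.match(entry)
        if m and _norm(m.group(3)) in notify.values():
            findings.append(Finding("O2", m.group(1),
                                    f"BHO {m.group(2)} shares its DLL with a Winlogon Notify entry: {_norm(m.group(3))}"))

    # O4: bare filename (no path) under a value name that looks machine-generated.
    for entry in sections.get("O4", []):
        m = O4_RUN.match(entry)
        if m:
            hive, name, cmd = m.groups()
            if "\\" not in cmd and RANDOM_NAME.match(name):
                findings.append(Finding("O4", name, f"{hive} Run entry with random-looking name and bare command: {cmd}"))

    # O9: an extension whose target file is gone is leftover from a removal
    # or an install that never completed; harmless, but clutter to clean up.
    for entry in sections.get("O9", []):
        if "(file missing)" in entry:
            findings.append(Finding("O9", entry.split(" - ")[0], "IE extension target reported as missing"))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item:<24} {f.reason}")
```

Note that the benign bare-filename entry `[nwiz] nwiz.exe /install` is deliberately in the sample and is not flagged, because the O4 check requires both a bare command and a random-looking value name; drop the name test and every VIA/NVIDIA tray tool in the log above would light up.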


#2 -David- (Members, 10,603 posts, Male, London)

Posted 03 December 2005 - 04:01 PM

Hi and :thumbsup: to BleepingComputer!

My name is David.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 SATCFI (Topic Starter, Members, 24 posts)

Posted 04 December 2005 - 04:15 PM

Hi David,

I did as you suggested. Just to let you know, I ran Spy Sweeper last night and HijackThis this afternoon. I hope there is no problem with the delay between steps.

Here is the spy sweeper log:

********
4:58 PM: | Start of Session, Saturday, December 03, 2005 |
4:58 PM: Spy Sweeper started
4:58 PM: Sweep initiated using definitions version 577
4:58 PM: Starting Memory Sweep
4:59 PM: Found Adware: virtumonde
4:59 PM: Detected running threat: C:\WINDOWS\msagent\intl\cab.dll (ID = 77)
4:59 PM: Detected running threat: C:\WINDOWS\repair\imgsys.dll (ID = 77)
5:00 PM: Memory Sweep Complete, Elapsed Time: 00:02:25
5:00 PM: Starting Registry Sweep
5:00 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
5:00 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
5:00 PM: HKCR\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749140)
5:00 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
5:00 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
5:00 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (ID = 749160)
5:00 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749166)
5:00 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\progid\ (1 subtraces) (ID = 749172)
5:00 PM: Found Trojan Horse: alwaysupdatednews
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\aun\ (4 subtraces) (ID = 103544)
5:00 PM: Found Adware: ebates money maker
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
5:00 PM: Found Adware: webrebates
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
5:00 PM: Found Adware: drsnsrch.com hijack
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
5:00 PM: Found Adware: ist sidefind
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
5:00 PM: Found Adware: wildmedia
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1009\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\aun\ (2 subtraces) (ID = 103544)
5:00 PM: Found Adware: delfin
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\dvx\ (4 subtraces) (ID = 124853)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (6 subtraces) (ID = 125589)
5:00 PM: Found Adware: ieplugin
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\intexp\ (9 subtraces) (ID = 128173)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
5:00 PM: Found Adware: keenvalue/perfectnav
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\intermixmedia\ (2 subtraces) (ID = 129439)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\menuext\sirsearch\ (3 subtraces) (ID = 129441)
5:00 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\pwrsmnd1\ (6 subtraces) (ID = 129518)
5:01 PM: Found Adware: websearch toolbar
5:01 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\toolbar\ (2 subtraces) (ID = 146513)
5:01 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
5:01 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\microsoft\internet explorer\main\ || updater (ID = 146721)
5:01 PM: HKU\S-1-5-21-3723271197-3581506895-1790521817-1008\software\toolbar\ (2 subtraces) (ID = 646239)
5:01 PM: Registry Sweep Complete, Elapsed Time:00:00:10
5:01 PM: Starting Cookie Sweep
5:01 PM: Found Spy Cookie: 2o7.net cookie
5:01 PM: brad marcum@2o7[1].txt (ID = 1957)
5:01 PM: Found Spy Cookie: specificclick.com cookie
5:01 PM: brad marcum@adopt.specificclick[2].txt (ID = 3400)
5:01 PM: Found Spy Cookie: adrevolver cookie
5:01 PM: brad marcum@adrevolver[1].txt (ID = 2088)
5:01 PM: brad marcum@adrevolver[3].txt (ID = 2088)
5:01 PM: Found Spy Cookie: pointroll cookie
5:01 PM: brad marcum@ads.pointroll[1].txt (ID = 3148)
5:01 PM: Found Spy Cookie: apmebf cookie
5:01 PM: brad marcum@apmebf[1].txt (ID = 2229)
5:01 PM: Found Spy Cookie: falkag cookie
5:01 PM: brad marcum@as1.falkag[2].txt (ID = 2650)
5:01 PM: Found Spy Cookie: ask cookie
5:01 PM: brad marcum@ask[1].txt (ID = 2245)
5:01 PM: Found Spy Cookie: belnk cookie
5:01 PM: brad marcum@belnk[1].txt (ID = 2292)
5:01 PM: Found Spy Cookie: zedo cookie
5:01 PM: brad marcum@c1.zedo[1].txt (ID = 3763)
5:01 PM: Found Spy Cookie: centrport net cookie
5:01 PM: brad marcum@centrport[2].txt (ID = 2374)
5:01 PM: brad marcum@dist.belnk[2].txt (ID = 2293)
5:01 PM: Found Spy Cookie: ru4 cookie
5:01 PM: brad marcum@edge.ru4[2].txt (ID = 3269)
5:01 PM: Found Spy Cookie: metareward.com cookie
5:01 PM: brad marcum@metareward[1].txt (ID = 2990)
5:01 PM: brad marcum@msnportal.112.2o7[1].txt (ID = 1958)
5:01 PM: Found Spy Cookie: partypoker cookie
5:01 PM: brad marcum@partypoker[1].txt (ID = 3111)
5:01 PM: Found Spy Cookie: qsrch cookie
5:01 PM: brad marcum@qsrch[1].txt (ID = 3215)
5:01 PM: Found Spy Cookie: questionmarket cookie
5:01 PM: brad marcum@questionmarket[1].txt (ID = 3217)
5:01 PM: Found Spy Cookie: realmedia cookie
5:01 PM: brad marcum@realmedia[1].txt (ID = 3235)
5:01 PM: Found Spy Cookie: reliablestats cookie
5:01 PM: brad marcum@stats1.reliablestats[1].txt (ID = 3254)
5:01 PM: Found Spy Cookie: tribalfusion cookie
5:01 PM: brad marcum@tribalfusion[2].txt (ID = 3589)
5:01 PM: brad marcum@zedo[1].txt (ID = 3762)
5:01 PM: chelsea marcum@112.2o7[2].txt (ID = 1958)
5:01 PM: chelsea marcum@122.2o7[1].txt (ID = 1958)
5:01 PM: Found Spy Cookie: 247realmedia cookie
5:01 PM: chelsea marcum@247realmedia[1].txt (ID = 1953)
5:01 PM: chelsea marcum@2o7[1].txt (ID = 1957)
5:01 PM: Found Spy Cookie: websponsors cookie
5:01 PM: chelsea marcum@a.websponsors[1].txt (ID = 3665)
5:01 PM: Found Spy Cookie: go.com cookie
5:01 PM: chelsea marcum@abc.go[2].txt (ID = 2729)
5:01 PM: chelsea marcum@abcnews.go[1].txt (ID = 2729)
5:01 PM: Found Spy Cookie: about cookie
5:01 PM: chelsea marcum@about[1].txt (ID = 2037)
5:01 PM: Found Spy Cookie: yieldmanager cookie
5:01 PM: chelsea marcum@ad.yieldmanager[1].txt (ID = 3751)
5:01 PM: Found Spy Cookie: adecn cookie
5:01 PM: chelsea marcum@adecn[2].txt (ID = 2063)
5:01 PM: Found Spy Cookie: adknowledge cookie
5:01 PM: chelsea marcum@adknowledge[1].txt (ID = 2072)
5:01 PM: chelsea marcum@adopt.specificclick[1].txt (ID = 3400)
5:01 PM: chelsea marcum@adrevolver[1].txt (ID = 2088)
5:01 PM: chelsea marcum@adrevolver[3].txt (ID = 2088)
5:01 PM: Found Spy Cookie: addynamix cookie
5:01 PM: chelsea marcum@ads.addynamix[1].txt (ID = 2062)
5:01 PM: Found Spy Cookie: ads.adsag cookie
5:01 PM: chelsea marcum@ads.adsag[1].txt (ID = 2108)
5:01 PM: Found Spy Cookie: belointeractive cookie
5:01 PM: chelsea marcum@ads.belointeractive[2].txt (ID = 2295)
5:01 PM: chelsea marcum@ads.pointroll[2].txt (ID = 3148)
5:01 PM: Found Spy Cookie: adtech cookie
5:01 PM: chelsea marcum@adtech[2].txt (ID = 2155)
5:01 PM: chelsea marcum@apmebf[1].txt (ID = 2229)
5:01 PM: chelsea marcum@as-us.falkag[2].txt (ID = 2650)
5:01 PM: chelsea marcum@as1.falkag[1].txt (ID = 2650)
5:01 PM: chelsea marcum@ask[1].txt (ID = 2245)
5:01 PM: chelsea marcum@ath.belnk[2].txt (ID = 2293)
5:01 PM: Found Spy Cookie: atwola cookie
5:01 PM: chelsea marcum@atwola[1].txt (ID = 2255)
5:01 PM: Found Spy Cookie: adbureau cookie
5:01 PM: chelsea marcum@audible.adbureau[2].txt (ID = 2060)
5:01 PM: Found Spy Cookie: azjmp cookie
5:01 PM: chelsea marcum@azjmp[1].txt (ID = 2270)
5:01 PM: Found Spy Cookie: a cookie
5:01 PM: chelsea marcum@a[1].txt (ID = 2027)
5:01 PM: Found Spy Cookie: banner cookie
5:01 PM: chelsea marcum@banner[1].txt (ID = 2276)
5:01 PM: chelsea marcum@belnk[1].txt (ID = 2292)
5:01 PM: chelsea marcum@belointeractive[1].txt (ID = 2294)
5:01 PM: Found Spy Cookie: bilbo.counted.com cookie
5:01 PM: chelsea marcum@bilbo.counted[2].txt (ID = 2306)
5:01 PM: Found Spy Cookie: bizrate cookie
5:01 PM: chelsea marcum@bizrate[1].txt (ID = 2308)
5:01 PM: Found Spy Cookie: bluestreak cookie
5:01 PM: chelsea marcum@bluestreak[2].txt (ID = 2314)
5:01 PM: Found Spy Cookie: bravenet cookie
5:01 PM: chelsea marcum@bravenet[1].txt (ID = 2322)
5:01 PM: Found Spy Cookie: burstnet cookie
5:01 PM: chelsea marcum@burstnet[2].txt (ID = 2336)
5:01 PM: Found Spy Cookie: casalemedia cookie
5:01 PM: chelsea marcum@casalemedia[1].txt (ID = 2354)
5:01 PM: chelsea marcum@centrport[2].txt (ID = 2374)
5:01 PM: Found Spy Cookie: clickbank cookie
5:01 PM: chelsea marcum@clickbank[1].txt (ID = 2398)
5:01 PM: chelsea marcum@cnn.122.2o7[1].txt (ID = 1958)
5:01 PM: chelsea marcum@contests.about[1].txt (ID = 2038)
5:01 PM: Found Spy Cookie: xhit cookie
5:01 PM: chelsea marcum@count.xhit[2].txt (ID = 3714)
5:01 PM: chelsea marcum@countrymusic.about[1].txt (ID = 2038)
5:01 PM: Found Spy Cookie: 360i cookie
5:01 PM: chelsea marcum@ct.360i[2].txt (ID = 1962)
5:01 PM: Found Spy Cookie: customer cookie
5:01 PM: chelsea marcum@customer[1].txt (ID = 2481)
5:01 PM: chelsea marcum@customer[2].txt (ID = 2481)
5:01 PM: Found Spy Cookie: did-it cookie
5:01 PM: chelsea marcum@did-it[2].txt (ID = 2523)
5:01 PM: chelsea marcum@dist.belnk[2].txt (ID = 2293)
5:01 PM: chelsea marcum@edge.ru4[2].txt (ID = 3269)
5:01 PM: chelsea marcum@go[2].txt (ID = 2728)
5:01 PM: Found Spy Cookie: humanclick cookie
5:01 PM: chelsea marcum@hc2.humanclick[2].txt (ID = 2810)
5:01 PM: Found Spy Cookie: clickandtrack cookie
5:01 PM: chelsea marcum@hits.clickandtrack[1].txt (ID = 2397)
5:01 PM: Found Spy Cookie: freestats.net cookie
5:01 PM: chelsea marcum@hollywoodteenmovies.freestats[1].txt (ID = 2705)
5:01 PM: Found Spy Cookie: hypertracker.com cookie
5:01 PM: chelsea marcum@hypertracker[1].txt (ID = 2817)
5:01 PM: Found Spy Cookie: maxserving cookie
5:01 PM: chelsea marcum@maxserving[2].txt (ID = 2966)
5:01 PM: chelsea marcum@msnportal.112.2o7[1].txt (ID = 1958)
5:01 PM: chelsea marcum@mysa.belointeractive[2].txt (ID = 2295)
5:01 PM: Found Spy Cookie: nextag cookie
5:01 PM: chelsea marcum@nextag[2].txt (ID = 5014)
5:01 PM: Found Spy Cookie: overture cookie
5:01 PM: chelsea marcum@overture[2].txt (ID = 3105)
5:01 PM: chelsea marcum@partypoker[2].txt (ID = 3111)
5:01 PM: chelsea marcum@patrickkwan.freestats[2].txt (ID = 2705)
5:01 PM: chelsea marcum@perf.overture[2].txt (ID = 3106)
5:01 PM: chelsea marcum@politicalhumor.about[1].txt (ID = 2038)
5:01 PM: Found Spy Cookie: pricegrabber cookie
5:01 PM: chelsea marcum@pricegrabber[2].txt (ID = 3185)
5:01 PM: Found Spy Cookie: qksrv cookie
5:01 PM: chelsea marcum@qksrv[2].txt (ID = 3213)
5:01 PM: chelsea marcum@questionmarket[1].txt (ID = 3217)
5:01 PM: Found Spy Cookie: directtrack cookie
5:01 PM: chelsea marcum@rapidresponse.directtrack[2].txt (ID = 2528)
5:01 PM: chelsea marcum@realmedia[1].txt (ID = 3235)
5:01 PM: Found Spy Cookie: revenue.net cookie
5:01 PM: chelsea marcum@revenue[1].txt (ID = 3257)
5:01 PM: chelsea marcum@rsi.abc.go[1].txt (ID = 2729)
5:01 PM: chelsea marcum@rsi.abcnews.go[1].txt (ID = 2729)
5:01 PM: chelsea marcum@scifi.about[1].txt (ID = 2038)
5:01 PM: Found Spy Cookie: server.iad.liveperson cookie
5:01 PM: chelsea marcum@server.iad.liveperson[2].txt (ID = 3341)
5:01 PM: Found Spy Cookie: serving-sys cookie
5:01 PM: chelsea marcum@serving-sys[1].txt (ID = 3343)
5:01 PM: Found Spy Cookie: servlet cookie
5:01 PM: chelsea marcum@servlet[2].txt (ID = 3345)
5:01 PM: Found Spy Cookie: statcounter cookie
5:01 PM: chelsea marcum@statcounter[2].txt (ID = 3447)
5:01 PM: chelsea marcum@stats1.reliablestats[1].txt (ID = 3254)
5:01 PM: chelsea marcum@teenwriting.about[1].txt (ID = 2038)
5:01 PM: Found Spy Cookie: tickle cookie
5:01 PM: chelsea marcum@tickle[2].txt (ID = 3529)
5:01 PM: Found Spy Cookie: tradedoubler cookie
5:01 PM: chelsea marcum@tradedoubler[1].txt (ID = 3575)
5:01 PM: Found Spy Cookie: trafficmp cookie
5:01 PM: chelsea marcum@trafficmp[1].txt (ID = 3581)
5:01 PM: chelsea marcum@tribalfusion[1].txt (ID = 3589)
5:01 PM: Found Spy Cookie: tripod cookie
5:01 PM: chelsea marcum@tripod[1].txt (ID = 3591)
5:01 PM: Found Spy Cookie: burstbeacon cookie
5:01 PM: chelsea marcum@www.burstbeacon[2].txt (ID = 2335)
5:01 PM: chelsea marcum@www.burstnet[1].txt (ID = 2337)
5:01 PM: Found Spy Cookie: yadro cookie
5:01 PM: chelsea marcum@yadro[1].txt (ID = 3743)
5:01 PM: chelsea marcum@yieldmanager[2].txt (ID = 3749)
5:01 PM: Found Spy Cookie: adserver cookie
5:01 PM: chelsea marcum@z1.adserver[1].txt (ID = 2142)
5:01 PM: chelsea marcum@zedo[1].txt (ID = 3762)
5:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
5:01 PM: Starting File Sweep
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\~dlfntmp4 (1 subtraces) (ID = -2147481122)
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\~dlfntmp1 (1 subtraces) (ID = -2147481125)
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\~dlfntmp2 (1 subtraces) (ID = -2147481124)
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\~dlfntmp3 (1 subtraces) (ID = -2147481123)
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\vmstmp (ID = -2147481126)
5:01 PM: Found Adware: apropos
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\atf (ID = -2147481416)
5:01 PM: c:\documents and settings\chelsea marcum\local settings\temp\autoupdate0 (1 subtraces) (ID = -2147481415)
5:03 PM: wingenerics.dll (ID = 50187)
5:03 PM: ace.dll (ID = 50009)
5:03 PM: proxystub.dll (ID = 50146)
5:04 PM: Found System Monitor: onflow
5:04 PM: ieonflow.dll (ID = 71512)
5:04 PM: nponflow.dll (ID = 71513)
5:04 PM: onflowplayer0.dll (ID = 71515)
5:04 PM: onflowreport.exe (ID = 71516)
5:07 PM: Found Adware: tvmedia
5:07 PM: tvmknwrd.dll (ID = 81726)
5:07 PM: Found Trojan Horse: lzio
5:07 PM: 10.tmp (ID = 69066)
5:07 PM: 109.tmp (ID = 69024)
5:07 PM: 12.tmp (ID = 69035)
5:07 PM: 12c.tmp (ID = 69024)
5:07 PM: 13.tmp (ID = 69024)
5:07 PM: 15.tmp (ID = 69024)
5:07 PM: 16.tmp (ID = 69066)
5:07 PM: 179.tmp (ID = 69137)
5:07 PM: 185.tmp (ID = 69035)
5:07 PM: 1d.tmp (ID = 69024)
5:07 PM: 21.tmp (ID = 69066)
5:07 PM: 22.tmp (ID = 69066)
5:07 PM: 25.tmp (ID = 69024)
5:07 PM: 27.tmp (ID = 69024)
5:07 PM: 2a.tmp (ID = 69024)
5:07 PM: 33.tmp (ID = 69024)
5:07 PM: 34.tmp (ID = 69066)
5:07 PM: 36.tmp (ID = 69066)
5:07 PM: 38.tmp (ID = 69137)
5:07 PM: 39.tmp (ID = 69035)
5:07 PM: 43.tmp (ID = 69066)
5:07 PM: 49.tmp (ID = 69035)
5:07 PM: 4d.tmp (ID = 69137)
5:07 PM: 56.tmp (ID = 69035)
5:07 PM: 5e.tmp (ID = 69024)
5:07 PM: 6f.tmp (ID = 69024)
5:07 PM: 77.tmp (ID = 69024)
5:07 PM: 7f.tmp (ID = 69024)
5:07 PM: 9.tmp (ID = 69024)
5:07 PM: 9d.tmp (ID = 69024)
5:07 PM: 9f.tmp (ID = 69066)
5:07 PM: b9.tmp (ID = 69035)
5:07 PM: d5.tmp (ID = 69035)
5:07 PM: dc.tmp (ID = 69137)
5:07 PM: e.tmp (ID = 69024)
5:07 PM: e7.tmp (ID = 69066)
5:07 PM: ed.tmp (ID = 69035)
5:07 PM: f2.tmp (ID = 69035)
5:07 PM: ff.tmp (ID = 69035)
5:07 PM: setup.inf (ID = 50158)
5:07 PM: Found Adware: 180search assistant/zango
5:07 PM: preinstaller.exe (ID = 70589)
5:07 PM: Found Adware: mindset interactive - favoriteman
5:07 PM: setup_powersearch_mindset_p1.exe (ID = 69863)
5:10 PM: Found Adware: coolwebsearch (cws)
5:10 PM: ab scissor.url (ID = 130666)
5:10 PM: broadband comparison.url (ID = 130667)
5:10 PM: credit counseling.url (ID = 130668)
5:10 PM: credit report.url (ID = 130669)
5:10 PM: crm software.url (ID = 130670)
5:10 PM: debt credit card.url (ID = 130671)
5:10 PM: escorts.url (ID = 130672)
5:10 PM: fha.url (ID = 130673)
5:10 PM: health insurance.url (ID = 130674)
5:10 PM: help desk software.url (ID = 130675)
5:10 PM: insurance home.url (ID = 130676)
5:10 PM: loan for debt consolidation.url (ID = 130677)
5:10 PM: loan for people with bad credit.url (ID = 130678)
5:10 PM: marketing email.url (ID = 130679)
5:10 PM: mortgage insurance.url (ID = 130680)
5:10 PM: mortgage life insurance.url (ID = 130681)
5:10 PM: nevada corporations.url (ID = 130682)
5:10 PM: online betting site.url (ID = 130683)
5:10 PM: online gambling casino.url (ID = 130684)
5:10 PM: online instant loan.url (ID = 130685)
5:10 PM: order phentermine.url (ID = 130686)
5:10 PM: payroll advance.url (ID = 130687)
5:10 PM: personal loans online.url (ID = 130688)
5:10 PM: personal loans with bad credit.url (ID = 130689)
5:10 PM: prescription drugs rx online.url (ID = 130690)
5:10 PM: refinancing my mortgage.url (ID = 130691)
5:10 PM: tahoe vacation rental.url (ID = 130692)
5:10 PM: unsecured bad credit loans.url (ID = 130693)
5:10 PM: videos.url (ID = 130694)
5:10 PM: what is hydrocodone.url (ID = 130695)
5:10 PM: Found Adware: twain-tech
5:10 PM: multimpp.inf (ID = 81828)
5:10 PM: Found Adware: directrevenue-abetterinternet
5:10 PM: satmat.inf (ID = 83498)
5:10 PM: satmat.ini (ID = 83499)
5:10 PM: auto_update[1] (ID = 50056)
5:10 PM: sais_gdf.dat (ID = 93789)
5:10 PM: Found Adware: personal money tree
5:10 PM: pmtlauncher.exe (ID = 136095)
5:10 PM: preuninstallpmt.exe (ID = 74822)
5:10 PM: b3e113b.tmp (ID = 143820)
5:10 PM: Found Adware: ist yoursitebar
5:10 PM: yoursitebar.xml (ID = 158318)
5:11 PM: Found Adware: quicklink search toolbar
5:11 PM: uninst.exe (ID = 73428)
5:11 PM: 2c.tmp (ID = 69066)
5:11 PM: 16.tmp (ID = 69066)
5:11 PM: 27.tmp (ID = 69066)
5:11 PM: 19c.tmp (ID = 69066)
5:11 PM: 33.tmp (ID = 69024)
5:11 PM: 8.tmp (ID = 68961)
5:11 PM: e4.tmp (ID = 69024)
5:11 PM: setup.inf (ID = 50158)
5:11 PM: 22.tmp (ID = 69066)
5:11 PM: icon32x32.ico (ID = 107403)
5:11 PM: 20.tmp (ID = 69137)
5:11 PM: ae.tmp (ID = 69024)
5:11 PM: Found Adware: exact cashback/bargain buddy
5:11 PM: mac80ex.idf (ID = 50730)
5:11 PM: 21.tmp (ID = 69024)
5:11 PM: 44.tmp (ID = 69137)
5:11 PM: 10.tmp (ID = 69066)
5:11 PM: 6a.tmp (ID = 69024)
5:11 PM: 1a.tmp (ID = 69024)
5:11 PM: qlink32.dll (ID = 140751)
5:11 PM: 99.tmp (ID = 69024)
5:11 PM: 9.tmp (ID = 69024)
5:11 PM: Found Adware: shopathomeselect
5:11 PM: bundle.exe (ID = 75687)
5:11 PM: 27.tmp (ID = 69024)
5:11 PM: d.tmp (ID = 69024)
5:11 PM: 7.tmp (ID = 69137)
5:11 PM: 90.tmp (ID = 69024)
5:11 PM: Found Adware: cws_ns3
5:11 PM: kb824105.log:nzetj (ID = 56287)
5:11 PM: 34.tmp (ID = 69066)
5:11 PM: e.tmp (ID = 69024)
5:11 PM: dummyg.exe (ID = 69011)
5:11 PM: io2unsins.exe (ID = 69056)
5:11 PM: dc.tmp (ID = 69024)
5:11 PM: pmtcore.bin (ID = 93264)
5:11 PM: 8d.tmp (ID = 69024)
5:11 PM: 33.tmp (ID = 69066)
5:11 PM: vx1x.nls (ID = 50908)
5:11 PM: 13.tmp (ID = 69024)
5:11 PM: f1.tmp (ID = 69035)
5:11 PM: b9.tmp (ID = 69035)
5:11 PM: vx1.nls (ID = 50899)
5:11 PM: 57.tmp (ID = 69024)
5:11 PM: 9e.tmp (ID = 69024)
5:11 PM: addremln.inf (ID = 83092)
5:11 PM: setup_powersearch_mindset_p1.exe (ID = 69863)
5:11 PM: 75.tmp (ID = 69024)
5:11 PM: preinstaller.exe (ID = 70589)
5:11 PM: addremln.cab (ID = 83091)
5:11 PM: powerreg.dat:slqib (ID = 56287)
5:11 PM: Found Trojan Horse: trojan-downloader-qbau
5:11 PM: yiqfu.exe (ID = 80887)
5:11 PM: 49.tmp (ID = 69035)
5:11 PM: 14c.tmp (ID = 69024)
5:12 PM: e.tmp (ID = 69024)
5:12 PM: ttlw.exe (ID = 69066)
5:12 PM: 15.tmp (ID = 69024)
5:12 PM: d5.tmp (ID = 69035)
5:12 PM: a5.tmp (ID = 69066)
5:12 PM: b7.tmp (ID = 69024)
5:12 PM: b2.tmp (ID = 69066)
5:12 PM: 69.tmp (ID = 69024)
5:12 PM: 17b.tmp (ID = 69024)
5:12 PM: 99.tmp (ID = 69024)
5:12 PM: 92.tmp (ID = 69024)
5:12 PM: 36.tmp (ID = 69066)
5:12 PM: ssm.exe (ID = 69125)
5:12 PM: opprintserver.ini:zlxdz (ID = 56447)
5:12 PM: 16f.tmp (ID = 69024)
5:12 PM: a0.tmp (ID = 69066)
5:12 PM: 6f.tmp (ID = 69024)
5:12 PM: 93.tmp (ID = 69024)
5:12 PM: 87.tmp (ID = 69024)
5:12 PM: 4.tmp (ID = 69035)
5:12 PM: 120.tmp (ID = 69035)
5:12 PM: ngove.exe (ID = 69024)
5:12 PM: a.tmp (ID = 69024)
5:12 PM: 50.tmp (ID = 69024)
5:12 PM: 9d.tmp (ID = 69024)
5:12 PM: 2b.tmp (ID = 69024)
5:12 PM: 11.tmp (ID = 69066)
5:12 PM: 8.tmp (ID = 69024)
5:12 PM: 1505.tmp (ID = 69024)
5:12 PM: 134.tmp (ID = 69024)
5:12 PM: 3e.tmp (ID = 69137)
5:12 PM: 56.tmp (ID = 69035)
5:12 PM: preuninstallql.exe (ID = 131326)
5:12 PM: eafbn.exe (ID = 69024)
5:12 PM: 14b.tmp (ID = 69066)
5:12 PM: 70.tmp (ID = 69024)
5:12 PM: 6.tmp (ID = 69035)
5:12 PM: 2a.tmp (ID = 69035)
5:12 PM: 160.tmp (ID = 69024)
5:12 PM: 89.tmp (ID = 69024)
5:12 PM: c8.tmp (ID = 69035)
5:12 PM: 7f.tmp (ID = 69024)
5:12 PM: 43.tmp (ID = 69066)
5:12 PM: dummyd.exe (ID = 69011)
5:12 PM: cb.tmp (ID = 69024)
5:12 PM: 47.tmp (ID = 69035)
5:12 PM: 30.tmp (ID = 69024)
5:12 PM: 11c.tmp (ID = 69024)
5:12 PM: 8b.tmp (ID = 69066)
5:12 PM: 96.tmp (ID = 69024)
5:12 PM: Found Adware: couponage
5:12 PM: casync.dll (ID = 54700)
5:12 PM: 88.tmp (ID = 69024)
5:13 PM: 26.tmp (ID = 69024)
5:13 PM: 9f.tmp (ID = 69024)
5:13 PM: 42.tmp (ID = 69035)
5:13 PM: ac.tmp (ID = 69024)
5:13 PM: ce.tmp (ID = 69035)
5:13 PM: kcform.dat:uvagp (ID = 56472)
5:13 PM: 182.tmp (ID = 69035)
5:13 PM: 7a.tmp (ID = 69024)
5:13 PM: puvxzuiaru.exe (ID = 80887)
5:13 PM: d5.tmp (ID = 69035)
5:13 PM: ac.tmp (ID = 69066)
5:13 PM: 8f.tmp (ID = 69024)
5:13 PM: 33.tmp (ID = 69066)
5:13 PM: 176.tmp (ID = 69024)
5:13 PM: 177.tmp (ID = 69024)
5:13 PM: 6f.tmp (ID = 69024)
5:13 PM: uninst.exe (ID = 73428)
5:13 PM: 65.tmp (ID = 69024)
5:13 PM: cd.tmp (ID = 69066)
5:13 PM: 18f.tmp (ID = 69024)
5:13 PM: 71.tmp (ID = 69024)
5:13 PM: 15c.tmp (ID = 69024)
5:13 PM: olcijic.exe (ID = 69035)
5:13 PM: cc.tmp (ID = 69035)
5:13 PM: 39.tmp (ID = 69035)
5:13 PM: 176.tmp (ID = 69024)
5:13 PM: ec.tmp (ID = 69137)
5:13 PM: b.tmp (ID = 69024)
5:13 PM: 76.tmp (ID = 69024)
5:13 PM: Found Adware: cws-aboutblank
5:13 PM: kwv2.dat:jxivk (ID = 54863)
5:13 PM: 7a.tmp (ID = 69024)
5:13 PM: 163.tmp (ID = 69024)
5:13 PM: b3.tmp (ID = 69024)
5:13 PM: e5.tmp (ID = 69066)
5:13 PM: a3.tmp (ID = 69066)
5:13 PM: vmstmp.exe (ID = 57818)
5:13 PM: 21.tmp (ID = 69024)
5:13 PM: be.tmp (ID = 69024)
5:13 PM: 27.tmp (ID = 69137)
5:13 PM: ed.tmp (ID = 69035)
5:13 PM: 16b.tmp (ID = 69024)
5:13 PM: ivcxvsjl.exe (ID = 69024)
5:13 PM: 10b.tmp (ID = 69137)
5:13 PM: 98.tmp (ID = 69024)
5:13 PM: f.tmp (ID = 69024)
5:13 PM: 23.tmp (ID = 69024)
5:13 PM: bunsetup.cab (ID = 75703)
5:13 PM: 25.tmp (ID = 69066)
5:13 PM: bd.tmp (ID = 69024)
5:13 PM: ca.tmp (ID = 69066)
5:13 PM: 109.tmp (ID = 69024)
5:13 PM: b5.tmp (ID = 69066)
5:13 PM: tgvnwv.exe (ID = 69024)
5:13 PM: 15d.tmp (ID = 69066)
5:14 PM: 98.tmp (ID = 69024)
5:14 PM: 10d.tmp (ID = 69035)
5:14 PM: kb825119.log:faozd (ID = 56451)
5:14 PM: 8e.tmp (ID = 69066)
5:14 PM: 3c.tmp (ID = 69035)
5:14 PM: 8c.tmp (ID = 69024)
5:14 PM: 1d.tmp (ID = 69024)
5:14 PM: 153.tmp (ID = 69024)
5:14 PM: 19.tmp (ID = 69066)
5:14 PM: 29.tmp (ID = 69137)
5:14 PM: d6.tmp (ID = 69066)
5:14 PM: 132.tmp (ID = 69035)
5:14 PM: 90.tmp (ID = 69024)
5:14 PM: 12f.tmp (ID = 69137)
5:14 PM: 38.tmp (ID = 69137)
5:14 PM: 1a8.tmp (ID = 69066)
5:14 PM: 1cc.tmp (ID = 69137)
5:14 PM: 8d.tmp (ID = 69024)
5:14 PM: 8e.tmp (ID = 69024)
5:14 PM: a9.tmp (ID = 69024)
5:14 PM: 190.tmp (ID = 69024)
5:14 PM: 143.tmp (ID = 69024)
5:14 PM: c2.tmp (ID = 69024)
5:14 PM: 1d8.tmp (ID = 69035)
5:14 PM: 18.tmp (ID = 69024)
5:14 PM: 1b.tmp (ID = 69024)
5:14 PM: ff.tmp (ID = 69137)
5:14 PM: c0.tmp (ID = 69066)
5:14 PM: 12.tmp (ID = 69035)
5:14 PM: 81.tmp (ID = 69024)
5:14 PM: b7.tmp (ID = 69024)
5:14 PM: 55.tmp (ID = 69024)
5:14 PM: 1d.tmp (ID = 69024)
5:14 PM: 67.tmp (ID = 69024)
5:14 PM: b6.tmp (ID = 69066)
5:14 PM: 21.tmp (ID = 69066)
5:14 PM: 7e.tmp (ID = 69024)
5:14 PM: 10.tmp (ID = 69024)
5:14 PM: 55.tmp (ID = 69137)
5:14 PM: pmtinstaller.exe (ID = 143930)
5:14 PM: vx2x.nls (ID = 50922)
5:14 PM: vx2.nls (ID = 50917)
5:14 PM: javex80.vxd (ID = 50715)
5:14 PM: betterinternet.exe (ID = 83159)
5:14 PM: betterinternet.exe (ID = 83159)
5:14 PM: tvmknwrd.dll (ID = 81726)
5:14 PM: 7f.tmp (ID = 69024)
5:14 PM: ff.tmp (ID = 69035)
5:14 PM: 25.tmp (ID = 69024)
5:15 PM: pmt.exe (ID = 137597)
5:15 PM: 11a.tmp (ID = 69024)
5:15 PM: installpreinstall_p1.exe (ID = 70545)
5:15 PM: 68.tmp (ID = 69024)
5:15 PM: 81.tmp (ID = 69024)
5:15 PM: 2a.tmp (ID = 69024)
5:15 PM: _default.pif:vglgr (ID = 56603)
5:15 PM: 17.tmp (ID = 69024)
5:15 PM: 9e.tmp (ID = 69066)
5:15 PM: 77.tmp (ID = 69035)
5:15 PM: 4d.tmp (ID = 69137)
5:15 PM: 7e.tmp (ID = 69066)
5:15 PM: 80.tmp (ID = 69024)
5:15 PM: yswtovge.exe (ID = 69024)
5:15 PM: ee.tmp (ID = 69035)
5:15 PM: 97.tmp (ID = 69024)
5:15 PM: c1.tmp (ID = 69066)
5:15 PM: cacore.dll (ID = 54694)
5:15 PM: 83.tmp (ID = 69024)
5:15 PM: a1.tmp (ID = 69024)
5:15 PM: 11b.tmp (ID = 69024)
5:15 PM: 1516.tmp (ID = 69035)
5:15 PM: a7.tmp (ID = 69024)
5:15 PM: axpfbho.exe (ID = 68988)
5:15 PM: 5e.tmp (ID = 69024)
5:15 PM: 14fb.tmp (ID = 69024)
5:15 PM: 77.tmp (ID = 69024)
5:15 PM: 9f.tmp (ID = 69066)
5:15 PM: 10c.tmp (ID = 69024)
5:15 PM: a6.tmp (ID = 69024)
5:15 PM: a8.tmp (ID = 69024)
5:15 PM: 159.tmp (ID = 69066)
5:15 PM: personalmoneytree.exe (ID = 136094)
5:15 PM: pmtdata.bin (ID = 93265)
5:15 PM: pmtskin.bmp (ID = 107409)
5:15 PM: 11c.tmp (ID = 69024)
5:15 PM: f0.tmp (ID = 69024)
5:15 PM: 1e.tmp (ID = 69024)
5:15 PM: 1b8.tmp (ID = 69035)
5:15 PM: ntdtcsetup.log:wjusc (ID = 54262)
5:15 PM: 179.tmp (ID = 69137)
5:15 PM: aa.tmp (ID = 69024)
5:15 PM: e2.tmp (ID = 69066)
5:15 PM: 13f.tmp (ID = 69024)
5:16 PM: 1af.tmp (ID = 69024)
5:16 PM: 8c.tmp (ID = 69024)
5:16 PM: 26.tmp (ID = 69035)
5:16 PM: e7.tmp (ID = 69024)
5:16 PM: 93.tmp (ID = 69024)
5:16 PM: 111.tmp (ID = 69066)
5:16 PM: 185.tmp (ID = 69035)
5:16 PM: 120.tmp (ID = 69024)
5:16 PM: 94.tmp (ID = 69024)
5:16 PM: bf.tmp (ID = 69024)
5:16 PM: c0.tmp (ID = 69024)
5:16 PM: a4.tmp (ID = 69024)
5:16 PM: a9.tmp (ID = 69024)
5:16 PM: 128.tmp (ID = 69024)
5:16 PM: 13c.tmp (ID = 69066)
5:16 PM: 18.tmp (ID = 69035)
5:16 PM: e7.tmp (ID = 69066)
5:16 PM: f2.tmp (ID = 69035)
5:16 PM: c5.tmp (ID = 69024)
5:16 PM: 28.tmp (ID = 69024)
5:16 PM: 97.tmp (ID = 69024)
5:16 PM: 12c.tmp (ID = 69024)
5:16 PM: 10f.tmp (ID = 69035)
5:16 PM: c2.tmp (ID = 69066)
5:16 PM: 41.tmp (ID = 69024)
5:16 PM: 137.tmp (ID = 69035)
5:16 PM: dc.tmp (ID = 69137)
5:16 PM: 29.tmp (ID = 69024)
5:16 PM: 108.tmp (ID = 69024)
5:16 PM: 1503.tmp (ID = 69024)
5:16 PM: mawc.exe (ID = 69024)
5:16 PM: ee.tmp (ID = 69024)
5:16 PM: Found Adware: altnet
5:16 PM: 873101.tmp (ID = 49868)
5:16 PM: fd.tmp (ID = 69035)
5:16 PM: 10f.tmp (ID = 69024)
5:16 PM: 1d.tmp (ID = 69066)
5:17 PM: 1545.tmp (ID = 69035)
5:17 PM: 1538.tmp (ID = 69024)
5:17 PM: __unin__.exe (ID = 49796)
5:17 PM: ff.tmp (ID = 69024)
5:17 PM: 31.tmp (ID = 69024)
5:17 PM: fewdyq.exe (ID = 69024)
5:17 PM: urkadvi.exe (ID = 69024)
5:17 PM: lbul.exe (ID = 69024)
5:17 PM: 101.tmp (ID = 69024)
5:18 PM: 3.tmp (ID = 69035)
5:18 PM: Found Adware: look2me
5:18 PM: icont.exe (ID = 65809)
5:18 PM: carules.dll (ID = 54699)
5:18 PM: endiser.exe (ID = 69035)
5:18 PM: llujei.exe (ID = 69024)
5:18 PM: pfvbqo.exe (ID = 69024)
5:18 PM: jufoie.exe (ID = 69024)
5:18 PM: blomm.exe (ID = 69024)
5:18 PM: fidu.exe (ID = 69024)
5:18 PM: rmyhfc.exe (ID = 69024)
5:19 PM: gybgki.exe (ID = 69066)
5:20 PM: saieau.dat (ID = 70624)
5:21 PM: auto_update[1] (ID = 50056)
5:21 PM: auto_update[1] (ID = 50056)
5:21 PM: Found Adware: my daily horoscope
5:21 PM: svcmm32.inf (ID = 70263)
5:21 PM: Found Trojan Horse: gloogle downloader
5:21 PM: counter.inf (ID = 61782)
5:21 PM: multimpp.inf (ID = 81828)
5:21 PM: Found Adware: netpal
5:21 PM: gamehouse games.url (ID = 70891)
5:21 PM: big fish games.url (ID = 70885)
5:21 PM: atpartners.inf (ID = 69817)
5:21 PM: flyordie games.url (ID = 70890)
5:21 PM: localnrd.inf (ID = 83368)
5:21 PM: credit counseling.url (ID = 130668)
5:21 PM: insurance home.url (ID = 130676)
5:21 PM: mortgage life insurance.url (ID = 130681)
5:21 PM: help desk software.url (ID = 130675)
5:21 PM: ab scissor.url (ID = 130666)
5:21 PM: videos.url (ID = 130694)
5:21 PM: what is hydrocodone.url (ID = 130695)
5:21 PM: online gambling casino.url (ID = 130684)
5:21 PM: refinancing my mortgage.url (ID = 130691)
5:21 PM: debt credit card.url (ID = 130671)
5:21 PM: fha.url (ID = 130673)
5:21 PM: loan for debt consolidation.url (ID = 130677)
5:21 PM: health insurance.url (ID = 130674)
5:21 PM: personal loans online.url (ID = 130688)
5:21 PM: payroll advance.url (ID = 130687)
5:21 PM: marketing email.url (ID = 130679)
5:21 PM: prescription drugs rx online.url (ID = 130690)
5:21 PM: credit report.url (ID = 130669)
5:21 PM: tahoe vacation rental.url (ID = 130692)
5:21 PM: escorts.url (ID = 130672)
5:21 PM: order phentermine.url (ID = 130686)
5:21 PM: mortgage insurance.url (ID = 130680)
5:21 PM: personal loans with bad credit.url (ID = 130689)
5:21 PM: crm software.url (ID = 130670)
5:21 PM: nevada corporations.url (ID = 130682)
5:21 PM: unsecured bad credit loans.url (ID = 130693)
5:21 PM: loan for people with bad credit.url (ID = 130678)
5:21 PM: broadband comparison.url (ID = 130667)
5:21 PM: online betting site.url (ID = 130683)
5:21 PM: Found Adware: ezula ilookup
5:21 PM: toptext button show - hide.lnk (ID = 60649)
5:21 PM: Found Adware: ipinsight
5:21 PM: conscorr.ini (ID = 64264)
5:21 PM: Found Adware: powerscan
5:21 PM: power scan.lnk (ID = 72676)
5:21 PM: online instant loan.url (ID = 130685)
5:21 PM: mindset1019.sah (ID = 75831)
5:21 PM: conscorr.inf (ID = 64277)
5:21 PM: clientax.inf (ID = 70515)
5:21 PM: satmat.inf (ID = 83498)
5:21 PM: satmat.ini (ID = 83499)
5:21 PM: satmat.inf (ID = 83498)
5:21 PM: satmat.ini (ID = 83499)
5:21 PM: ysbactivex.inf (ID = 91034)
5:21 PM: Found Adware: bho_sep
5:21 PM: sepsd.bin (ID = 75367)
5:21 PM: Found Trojan Horse: 2nd-thought
5:21 PM: winupdt.bin (ID = 48364)
5:21 PM: Found Adware: adlogix
5:21 PM: xmydub.xml (ID = 49280)
5:22 PM: File Sweep Complete, Elapsed Time: 00:20:55
5:22 PM: Full Sweep has completed. Elapsed time 00:23:40
5:22 PM: Traces Found: 704
5:24 PM: Removal process initiated
5:24 PM: Quarantining All Traces: 180search assistant/zango
5:24 PM: Quarantining All Traces: 2nd-thought
5:24 PM: Quarantining All Traces: adlogix
5:24 PM: Quarantining All Traces: cws_ns3
5:24 PM: Quarantining All Traces: cws-aboutblank
5:24 PM: Quarantining All Traces: directrevenue-abetterinternet
5:24 PM: Quarantining All Traces: look2me
5:24 PM: Quarantining All Traces: lzio
5:25 PM: Quarantining All Traces: onflow
5:25 PM: Quarantining All Traces: virtumonde
5:25 PM: virtumonde is in use. It will be removed on reboot.
5:25 PM: C:\WINDOWS\msagent\intl\cab.dll is in use. It will be removed on reboot.
5:25 PM: C:\WINDOWS\repair\imgsys.dll is in use. It will be removed on reboot.
5:25 PM: Quarantining All Traces: websearch toolbar
5:25 PM: Quarantining All Traces: wildmedia
5:25 PM: Quarantining All Traces: alwaysupdatednews
5:25 PM: Quarantining All Traces: apropos
5:25 PM: Quarantining All Traces: coolwebsearch (cws)
5:26 PM: Quarantining All Traces: gloogle downloader
5:26 PM: Quarantining All Traces: mindset interactive - favoriteman
5:26 PM: Quarantining All Traces: trojan-downloader-qbau
5:26 PM: Quarantining All Traces: altnet
5:26 PM: Quarantining All Traces: bho_sep
5:26 PM: Quarantining All Traces: couponage
5:26 PM: Quarantining All Traces: delfin
5:26 PM: Quarantining All Traces: drsnsrch.com hijack
5:26 PM: Quarantining All Traces: ebates money maker
5:26 PM: Quarantining All Traces: exact cashback/bargain buddy
5:26 PM: Quarantining All Traces: ezula ilookup
5:26 PM: Quarantining All Traces: ieplugin
5:26 PM: Quarantining All Traces: ipinsight
5:26 PM: Quarantining All Traces: ist sidefind
5:26 PM: Quarantining All Traces: ist yoursitebar
5:26 PM: Quarantining All Traces: keenvalue/perfectnav
5:26 PM: Quarantining All Traces: my daily horoscope
5:26 PM: Quarantining All Traces: netpal
5:26 PM: Quarantining All Traces: personal money tree
5:26 PM: Quarantining All Traces: powerscan
5:26 PM: Quarantining All Traces: quicklink search toolbar
5:26 PM: Quarantining All Traces: shopathomeselect
5:26 PM: Quarantining All Traces: tvmedia
5:26 PM: Quarantining All Traces: twain-tech
5:26 PM: Quarantining All Traces: webrebates
5:26 PM: Quarantining All Traces: 247realmedia cookie
5:26 PM: Quarantining All Traces: 2o7.net cookie
5:26 PM: Quarantining All Traces: 360i cookie
5:26 PM: Quarantining All Traces: a cookie
5:26 PM: Quarantining All Traces: about cookie
5:26 PM: Quarantining All Traces: adbureau cookie
5:26 PM: Quarantining All Traces: addynamix cookie
5:26 PM: Quarantining All Traces: adecn cookie
5:26 PM: Quarantining All Traces: adknowledge cookie
5:26 PM: Quarantining All Traces: adrevolver cookie
5:26 PM: Quarantining All Traces: ads.adsag cookie
5:26 PM: Quarantining All Traces: adserver cookie
5:26 PM: Quarantining All Traces: adtech cookie
5:26 PM: Quarantining All Traces: apmebf cookie
5:26 PM: Quarantining All Traces: ask cookie
5:26 PM: Quarantining All Traces: atwola cookie
5:26 PM: Quarantining All Traces: azjmp cookie
5:26 PM: Quarantining All Traces: banner cookie
5:26 PM: Quarantining All Traces: belnk cookie
5:26 PM: Quarantining All Traces: belointeractive cookie
5:26 PM: Quarantining All Traces: bilbo.counted.com cookie
5:26 PM: Quarantining All Traces: bizrate cookie
5:26 PM: Quarantining All Traces: bluestreak cookie
5:26 PM: Quarantining All Traces: bravenet cookie
5:26 PM: Quarantining All Traces: burstbeacon cookie
5:26 PM: Quarantining All Traces: burstnet cookie
5:26 PM: Quarantining All Traces: casalemedia cookie
5:26 PM: Quarantining All Traces: centrport net cookie
5:26 PM: Quarantining All Traces: clickandtrack cookie
5:26 PM: Quarantining All Traces: clickbank cookie
5:26 PM: Quarantining All Traces: customer cookie
5:26 PM: Quarantining All Traces: did-it cookie
5:26 PM: Quarantining All Traces: directtrack cookie
5:26 PM: Quarantining All Traces: falkag cookie
5:26 PM: Quarantining All Traces: freestats.net cookie
5:26 PM: Quarantining All Traces: go.com cookie
5:26 PM: Quarantining All Traces: humanclick cookie
5:26 PM: Quarantining All Traces: hypertracker.com cookie
5:26 PM: Quarantining All Traces: maxserving cookie
5:26 PM: Quarantining All Traces: metareward.com cookie
5:26 PM: Quarantining All Traces: nextag cookie
5:26 PM: Quarantining All Traces: overture cookie
5:26 PM: Quarantining All Traces: partypoker cookie
5:26 PM: Quarantining All Traces: pointroll cookie
5:26 PM: Quarantining All Traces: pricegrabber cookie
5:26 PM: Quarantining All Traces: qksrv cookie
5:26 PM: Quarantining All Traces: qsrch cookie
5:26 PM: Quarantining All Traces: questionmarket cookie
5:26 PM: Quarantining All Traces: realmedia cookie
5:26 PM: Quarantining All Traces: reliablestats cookie
5:26 PM: Quarantining All Traces: revenue.net cookie
5:26 PM: Quarantining All Traces: ru4 cookie
5:26 PM: Quarantining All Traces: server.iad.liveperson cookie
5:26 PM: Quarantining All Traces: serving-sys cookie
5:26 PM: Quarantining All Traces: servlet cookie
5:26 PM: Quarantining All Traces: specificclick.com cookie
5:26 PM: Quarantining All Traces: statcounter cookie
5:26 PM: Quarantining All Traces: tickle cookie
5:26 PM: Quarantining All Traces: tradedoubler cookie
5:26 PM: Quarantining All Traces: trafficmp cookie
5:26 PM: Quarantining All Traces: tribalfusion cookie
5:26 PM: Quarantining All Traces: tripod cookie
5:26 PM: Quarantining All Traces: websponsors cookie
5:26 PM: Quarantining All Traces: xhit cookie
5:26 PM: Quarantining All Traces: yadro cookie
5:26 PM: Quarantining All Traces: yieldmanager cookie
5:26 PM: Quarantining All Traces: zedo cookie
5:27 PM: Removal process completed. Elapsed time 00:02:26
********
4:57 PM: | Start of Session, Saturday, December 03, 2005 |
4:57 PM: Spy Sweeper started
4:57 PM: Your spyware definitions have been updated.
4:58 PM: | End of Session, Saturday, December 03, 2005 |


Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:06 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Begone] "C:\Documents and Settings\All Users\Desktop\Old 20GB Drive Contents\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124393622046
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Finally, here is the start-up log:

StartupList report, 12/4/2005, 3:07:29 PM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTrayp = VTtrayp.exe
VTTimer = VTTimer.exe
AudioDeck = C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
LiveMonitor = C:\Program Files\MSI\Live Update 3\LMonitor.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
vptray = C:\Program Files\NavNT\vptray.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "D:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
LwxERif4j = aklkmon.exe
H/PC Connection Agent = "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Spyware Begone = "C:\Documents and Settings\All Users\Desktop\Old 20GB Drive Contents\spywarebegone\SpywareBeGone.exe" -FastScan

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {827DC836-DD9F-4A68-A602-5812EB50A834}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1124393622046

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 4,969 bytes
Report generated in 0.015 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Thanks and best regards,

Brad

#4 -David-

Posted 04 December 2005 - 05:40 PM

Fix the following with HJT:

O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll (file missing)

Go to add/remove and uninstall SpyWareBeGone

Reboot and post a new HJT log

How's everything running?

David
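The three lines David singles out share a pattern that can be checked mechanically: an O2 BHO registered with no backing DLL, an O4 Run value with a random-looking name that launches a bare executable with no path, and an O20 Winlogon Notify package whose DLL is missing from disk. The script below is an added example (not code from the thread, from BleepingComputer or from HijackThis) that applies those three checks to lines copied from the log above. The "random-looking name" test (digits mixed into the value name, or a lower-to-upper case flip mid-word) is a heuristic of this example, not a HijackThis rule; legitimate bare-path entries such as `nwiz` and `VTTrayp` pass it because their names contain neither.

```python
"""Triage a HijackThis 1.99.x log for the entry types fixed in this thread.

Added example; not part of the original post or of HijackThis itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str  # O2, O4 or O20
    line: str     # the log line as posted
    reason: str   # why it was flagged


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not an HJT rule): a Run value
    name with digits mixed into the letters, or a lower-to-upper case flip
    mid-word (e.g. 'LwxERif4j'), is rarely something a vendor would choose."""
    return bool(re.search(r"\d", name)) or bool(re.search(r"[a-z][A-Z]", name))


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O4/O20 lines that match the three checks used in this thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO whose DLL is gone is a dead registration left behind by malware or an uninstall.
            if m["path"] == "(no file)":
                findings.append(Finding("O2", line, "BHO registered with no backing DLL"))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            # A bare executable name (no directory, not quoted) is resolved via the search path.
            bare = not cmd.startswith('"') and "\\" not in cmd
            if bare and looks_random(m["name"]):
                findings.append(Finding(
                    "O4", line,
                    f"bare executable '{cmd}' under random-looking value name '{m['name']}'"))
        elif m := O20_RE.match(line):
            # Winlogon Notify packages load into winlogon.exe at logon; a missing DLL cannot load.
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O20", line, "Winlogon Notify DLL missing on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Run against the sample it reports the three lines David listed plus the `WRNotifier` entry, which the thread left alone: its DLL is missing too, so it cannot load and is a housekeeping item rather than an active threat. Note that "Fix checked" in HijackThis removes the registry reference; for the O4 item that means confirming separately that `aklkmon.exe` is no longer on disk, since the Run value and the file are two different things.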

#5 SATCFI (Topic Starter)

Posted 04 December 2005 - 06:32 PM

David,

I fixed the following:
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O4 - HKCU\..\Run: [LwxERif4j] aklkmon.exe
O20 - Winlogon Notify: cab - C:\WINDOWS\msagent\intl\cab.dll (file missing)

Even though the spyware be gone icon is on my computer and I can run the program, when I go to remove and install programs it isn't there.

Thanks,

Brad

Edited by SATCFI, 04 December 2005 - 06:41 PM.


#6 -David-

Posted 05 December 2005 - 04:05 PM

Delete this folder:

C:\Documents and Settings\All Users\Desktop\Old 20GB Drive Contents\spywarebegone

Also, find this and delete it; if it's not there, don't worry:

C:\Program Files\spywarebegone

How's everything running?

David

#7 SATCFI (Topic Starter)

Posted 05 December 2005 - 06:58 PM

David,

Done, and things seem to be running smoothly.

Thanks very much and best regards,

Brad

#8 -David-

Posted 06 December 2005 - 11:28 AM

Ok! Glad I was able to help you!

The log is clean!

If I have helped you, please consider making a donation using the "make a donation" button in my signature. My help is free, but please consider it to keep me fighting spyware for you and others!

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.

David



