Computer Crashing When Turned On (urgent Help Needed)


28 replies to this topic

#1 Lanimilbus


Posted 23 May 2006 - 06:08 PM

As of this afternoon, I turned on my computer with no sign of problem, used it for about 20 minutes without doing anything out of the ordinary, then, after opening an mp3 in Winamp (it was an mp3 I have played many times before) the program opened and it started to play, but everything behind it disappeared except for my wallpaper. My toolbar disappeared, my desktop icons disappeared, everything disappeared; the only thing on the screen was the Winamp window playing the song and my wallpaper behind it. I x’d out of Winamp and nothing changed. The only thing on my screen was my wallpaper. I pressed control alt delete twice to restart my computer, and it came back on and made its normal loading noise that it makes when it turns on, except instead of loading the desktop the blue screen of death came up. I clicked a key and another blue screen came up. I did this several more times and eventually my wallpaper came up and it told me a program had performed an illegal operation and needed to be shut down. I clicked okay. My desktop icons and toolbar started to load, and every time I clicked on, even right clicked on, any of the toolbar programs, an error message came up saying that program performed an illegal operation and needed to be shut down. Then it froze. I clicked control alt delete twice more and restarted again and this time it only loaded my wallpaper, no desktop icons, no toolbar. Restarted once more and a whole bunch of blue screens followed by the computer completely freezing up. Shut it off manually, turned it back on, and it loaded my desktop and toolbar except my background was white and said something about active desktop in blue text, then gave me an error message about RunDLL-something performing an illegal operation and needing to be shut down. 
I clicked close, and then opened Internet Explorer, where it gave me a window telling me to download something like WinAntiVirus or something, and I clicked cancel and a new ad window came up for that program, and then my toolbar and desktop disappeared and the whole computer froze.
I then manually shut it off, and, after several failed attempts, got it to load without crashing, and ran a full system scan by Norton Anti-Virus. After 2 hours it found no results. Zero threats. I then ran HijackThis and copied the log into http://www.hijackthis.de (I did this in Firefox; Internet Explorer crashes my computer and gives me that ad when I use it) to check to see if any of the entries were threats, but it said they were all safe except for a couple unknowns, the only suspicious looking ones being:

O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL

And…

O2 - BHO: (no name) - {11427620-EA81-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\IIFEB.DLL

But seeing as these were .DLL files and in the SYSTEM folder, I decided not to touch them and ask here for help. It’s critical that this computer be fully operational, as I have much work due for the end of the month that I can only do on this machine…so any help on the matter, especially prompt help, would be HUGELY appreciated. Thanks in advance,

-Alec

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:39 PM, on 5/23/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {11427620-EA81-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\IIFEB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunOnce: [*IIFEB] rundll32.exe C:\WINDOWS\SYSTEM\IIFEB.DLL,CreateProtectProc rerun
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


#2 Guest_Cretemonster_*


Posted 24 May 2006 - 05:49 PM

Hi Lanimilbus and Welcome to the Bleeping Computer!


I need you to download 2 tools first

Process Explorer

Killbox


Once these are downloaded to your desktop, I need you to scan fresh with HijackThis and please do not reboot the PC until I reply.


My hopes are you will see this message tonight and we can catch the bug the easy way.


Post back with the fresh HijackThis log as soon as you are ready.

#3 Lanimilbus


Posted 24 May 2006 - 08:39 PM

I downloaded those two programs...and unfortunately it's hard not to reboot, as anywhere from 2 to 20 minutes after I successfully turn the computer on it completely freezes up or gives me the blue screen of death that doesn't go away when I press keys. It takes 5 or 6 tries, usually manually shutting off and on again, to get the computer to successfully load and turn on again after that happens. Something I might mention is that, out of nowhere today, I got a window telling me to install SysProtect, which I x'd out of, and then there was the SysProtect program on my desktop. I deleted it, and a while later I got another window installing it automatically. Then my computer froze. Anyway, here's a HijackThis log from just now:

Logfile of HijackThis v1.99.1
Scan saved at 9:27:20 PM, on 5/24/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_3_0.EXE
C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {AB52AFE0-EB68-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\VTSST.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

#4 Guest_Cretemonster_*


Posted 24 May 2006 - 09:11 PM

OK, maybe we will be quick enough to catch it.

Attached to this post is a zip folder which contains a registry file I want you to use.

Download and Unzip to your desktop and place the Registry File somewhere easy to access.


Open up Killbox and let it be, we will use it in a minute.


Now open Process Explorer

Double Click on "Explorer.exe"

Once the smaller Window Opens-> Click Threads

Locate and Highlight all instances of "LJJKL.DLL"-> Once Highlighted-> Click the "Kill" tab

Also look for the filename in reverse-> "LKJJL.DLL" and Kill any instances of those threads as well.

Repeat the Process for these 2 as well-> "VTSST.DLL" and "TSSTV.DLL" and Kill any instances of those threads as well.

Close out that Properties page.


Now go to "RUNDLL32.EXE"

Double Click on "RUNDLL32.EXE"

Once the smaller Window Opens-> Click Threads

Locate and Highlight all instances of "LJJKL.DLL"-> Once Highlighted-> Click the "Kill" tab

Also look for the filename in reverse-> "LKJJL.DLL" and Kill any instances of those threads as well.

Repeat the Process for these 2 as well-> "VTSST.DLL" and "TSSTV.DLL" and Kill any instances of those threads as well.

Close out that Properties page.

Now, Right Click "RUNDLL32.EXE" and Select "Suspend"

Leave Process Explorer just as it is.


Locate and Double Click the Registry File-> When prompted-> Allow this to merge into the registry.
  • Open Killbox
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM\LJJKL.DLL
    C:\WINDOWS\SYSTEM\VTSST.DLL
    C:\WINDOWS\SYSTEM\LKJJL.DLL
    C:\WINDOWS\SYSTEM\TSSTV.DLL


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot-> Unregister .dll before Deleting and End Explorer Shell While Killing File
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Restart in Safe Mode-> Once more-> Locate and Double Click the Registry File-> When prompted-> Allow this to merge into the registry.


Restart Normal and Post a fresh HijackThis log.

Attached Files

  • Attached File  Vun.zip   376bytes   9 downloads


#5 Lanimilbus


Posted 24 May 2006 - 09:58 PM

I downloaded the attached .zip file...but I'm having some confusion following the directions.

Now open Process Explorer
-Did this (double clicked procexp.exe)

Double Click on "Explorer.exe"
-Where do I click on Explorer.exe? Here is a screenprint of Process Explorer, and I only see "EXPLORER.EXE" but when I double click on that I don't see anything that says Threads, or any instances of LLJKL.DLL...here's what I see when I double click on EXPLORER.EXE.

So I'm not sure what to do...any further help would be greatly appreciated.

-Alec

#6 Guest_Cretemonster_*


Posted 24 May 2006 - 10:07 PM

Errrrr... it's been so long since I played on a 9x machine I had forgotten some of its capacities.

All right, let's see if we have any luck tonight.

Try just suspending the RUNDLL32.exe process and then follow the rest of the directions as listed.


Crap, RUNDLL32 doesn't appear to be running at all now.


Go ahead and just try the parts of the instructions you can do and see if Killbox will get the files.

Edited by Cretemonster, 24 May 2006 - 10:11 PM.


#7 Lanimilbus


Posted 25 May 2006 - 01:06 AM

I did what you said with KillBox...it did restart on its own, but unfortunately when it restarted I got the blue screen of death and after pressing keys a thousand times, nothing happened but more blue screens of death and the occasional "Rundll32 has performed an illegal operation and must be shut down" windows popping up before my desktop icons or anything else could load. I manually shut it off and turned it back on again and got the same thing. Restarted, same thing. Did this about 25 more times...same thing every time. Now I can't use the computer because I can't get to my desktop before the blue screens come up. I can only use Safe Mode without those blue screens coming up, but unfortunately my mouse isn't recognized in safe mode and won't work (this has been the case forever) and I can only navigate around using my keyboard, without being able to click on anything or move the cursor over anything, making most tasks very difficult and some impossible. I am writing this current post through another computer (not my own) and have no idea where to go from here. Again (especially now that my computer won't work at all) help would be VERY much appreciated. Thanks,

-Alec

#8 Guest_Cretemonster_*


Posted 25 May 2006 - 05:01 AM

Try Safe Mode again and press Ctrl+Alt+Delete to get the TaskManager Open.

If you get this far-> In that Task Manager-> Click File-> NewTask(Run...)

Type in C:\WINDOWS\EXPLORER.EXE


Let me know if you can get that far?

#9 Lanimilbus


Posted 25 May 2006 - 10:14 AM

Actually, this morning, after turning it off and on again a few more times just to get the blue screens, it loaded the desktop successfully, and I was able to get onto Firefox to post this message. While doing so however, a window called "Add/Remove Programs" came up on its own in Internet Explorer...I checked the IE history and the url of that ad was: http://scanner.sysprotect.com/pages/scanne...o_sptff_r1&lid=

Not sure if that's worthy of mentioning, but I thought it might help. Anyway, I have an appointment to go to today, but I'll leave my computer on while I'm gone...what steps should I take now?

Here's a HijackThis log from just now if that helps:

Logfile of HijackThis v1.99.1
Scan saved at 11:10:24 AM, on 5/25/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {C6E2C0E0-EBDD-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\VTSST.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunOnce: [*VTSST] rundll32.exe C:\WINDOWS\SYSTEM\VTSST.DLL,CreateProtectProc rerun
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
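
An added example, not part of the original thread or written by any of its posters: a Python script that parses the O2 and O4 lines of the three HijackThis logs posted above and flags the pattern visible in them, namely nameless BHOs pointing into the system directory, a RunOnce rundll32 relaunch of the same DLL, and BHO files or CLSIDs that change between scans. It also builds the file watchlist from post #4, which checks each DLL name spelled backwards. The function names and the heuristics are assumptions chosen for illustration; a match is a lead for an analyst, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# O2/O4 lines excerpted from the three HijackThis logs posted in this thread
# (most benign entries trimmed so the sample stays short).
SCANS = {
    "5/23": r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {11427620-EA81-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\IIFEB.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunOnce: [*IIFEB] rundll32.exe C:\WINDOWS\SYSTEM\IIFEB.DLL,CreateProtectProc rerun
""",
    "5/24": r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {AB52AFE0-EB68-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\VTSST.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
""",
    "5/25": r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {C6E2C0E0-EBDD-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\VTSST.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunOnce: [*VTSST] rundll32.exe C:\WINDOWS\SYSTEM\VTSST.DLL,CreateProtectProc rerun
""",
}

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^,"]+\.dll)', re.I)


def parse(text):
    """Split a log into BHO (O2) and registry autorun (O4) records."""
    bhos, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            # Windows paths are case-insensitive, so normalise for comparison.
            bhos.append({"name": m[1], "clsid": m[2].upper(), "path": m[3].upper()})
        elif m := RUN_RE.match(line):
            runs.append({"key": m[2], "label": m[3], "cmd": m[4]})
    return bhos, runs


def flag(text):
    """Return {dll_path: reasons} for entries matching this thread's pattern."""
    bhos, runs = parse(text)
    hits = {}
    for b in bhos:
        parent = PureWindowsPath(b["path"]).parent.name
        if b["name"] == "(no name)" and parent in ("SYSTEM", "SYSTEM32"):
            hits.setdefault(b["path"], set()).add("nameless BHO in system dir")
    for r in runs:
        m = RUNDLL_RE.search(r["cmd"])
        if m and r["key"] == "RunOnce":
            hits.setdefault(m[1].upper(), set()).add("RunOnce rundll32 relaunch")
    return hits


def companions(paths):
    """Watchlist as in post #4: each DLL plus its name spelled backwards."""
    out = set()
    for p in map(PureWindowsPath, paths):
        out.add(str(p))
        out.add(str(p.with_name(p.stem[::-1] + p.suffix)))
    return out


def churn(scans):
    """Compare consecutive scans: flagged BHO files that appear, vanish, or
    keep their file name while re-registering under a different CLSID."""
    events, prev = [], None
    for label, text in scans.items():
        flagged = flag(text)
        cur = {b["path"]: b["clsid"] for b in parse(text)[0] if b["path"] in flagged}
        if prev is not None:
            events += [(label, "new", p) for p in sorted(cur.keys() - prev.keys())]
            events += [(label, "gone", p) for p in sorted(prev.keys() - cur.keys())]
            events += [(label, "clsid-changed", p)
                       for p in sorted(cur.keys() & prev.keys()) if cur[p] != prev[p]]
        prev = cur
    return events


if __name__ == "__main__":
    for label, text in SCANS.items():
        for path, reasons in sorted(flag(text).items()):
            print(f"{label}  {path}  <- {', '.join(sorted(reasons))}")
    for event in churn(SCANS):
        print("change:", *event)
    latest = flag(SCANS["5/25"])
    print("watchlist:", sorted(companions(latest)))
```

The churn output is the useful part here: one nameless BHO keeps the same file and CLSID across all three scans, while the other is replaced by a new file and then re-registered under a new CLSID, which is why deleting a single file from one log does not hold.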

#10 Guest_Cretemonster_*


Posted 25 May 2006 - 04:19 PM

OK, that was enough tinkering for me. :thumbsup:


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#11 Lanimilbus


Posted 25 May 2006 - 11:30 PM

Alright, I went through all of those steps, and here's the Spy Sweeper Session Log:

********
10:27 PM: | Start of Session, Thursday, May 25, 2006 |
10:27 PM: Spy Sweeper started
10:27 PM: Sweep initiated using definitions version 686
10:27 PM: Starting Memory Sweep
10:27 PM: Found Adware: virtumonde
10:27 PM: Detected running threat: C:\WINDOWS\SYSTEM\vtsst.dll (ID = 394)
10:32 PM: Memory Sweep Complete, Elapsed Time: 00:05:06
10:32 PM: Starting Registry Sweep
10:33 PM: Found Adware: delfin
10:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dmvlite\ (2 subtraces) (ID = 124880)
10:33 PM: Found Adware: e2g
10:33 PM: HKU\.default\software\ptech\ (1 subtraces) (ID = 125405)
10:33 PM: Found Adware: elitemediagroup-mediamotor
10:33 PM: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
10:33 PM: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
10:33 PM: Found Adware: surfsidekick
10:33 PM: HKLM\software\surfsidekick2\ (2 subtraces) (ID = 143411)
10:33 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
10:34 PM: Found Adware: directrevenue-abetterinternet
10:34 PM: HKU\.default\software\ceres\ (26 subtraces) (ID = 145764)
10:34 PM: Found Adware: enbrowser
10:34 PM: HKLM\software\system\sysold\ (1 subtraces) (ID = 926808)
10:34 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mm83.ocx (ID = 959929)
10:34 PM: Found Adware: mediamotor - popuppers
10:34 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm83.ocx\ (2 subtraces) (ID = 960758)
10:34 PM: Found Adware: 180search assistant/zango
10:34 PM: HKCR\saix.installercaller.1\ (3 subtraces) (ID = 1156609)
10:34 PM: HKCR\saix.installercaller\ (5 subtraces) (ID = 1156613)
10:34 PM: HKLM\software\classes\saix.installercaller.1\ (3 subtraces) (ID = 1156657)
10:34 PM: HKLM\software\classes\saix.installercaller\ (5 subtraces) (ID = 1156661)
10:34 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/saix.dll\ (2 subtraces) (ID = 1156667)
10:34 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\saix.dll (ID = 1156675)
10:34 PM: Found Adware: winantivirus pro
10:34 PM: HKLM\software\winantivirus pro 2006\ (ID = 1216196)
10:34 PM: HKU\.DEFAULT\software\dvx\ (4 subtraces) (ID = 124853)
10:34 PM: HKU\.DEFAULT\software\ptech\ (1 subtraces) (ID = 125528)
10:34 PM: HKU\.DEFAULT\software\ceres\ (26 subtraces) (ID = 145851)
10:34 PM: HKU\chartman\software\dvx\ (4 subtraces) (ID = 124853)
10:34 PM: HKU\chartman\software\surfsidekick3\ (2 subtraces) (ID = 143412)
10:34 PM: HKU\chartman\software\system\sysuid\ (1 subtraces) (ID = 731748)
10:34 PM: HKU\WRSS_Profile_Lanimilbus\software\dvx\ (4 subtraces) (ID = 124853)
10:34 PM: HKU\WRSS_Profile_Lanimilbus\software\ceres\ (26 subtraces) (ID = 145851)
10:34 PM: Registry Sweep Complete, Elapsed Time:00:02:25
10:34 PM: Starting Cookie Sweep
10:34 PM: Found Spy Cookie: nextag cookie
10:34 PM: chartman@nextag[2].txt (ID = 5014)
10:34 PM: Found Spy Cookie: atwola cookie
10:34 PM: chartman@atwola[1].txt (ID = 2255)
10:34 PM: Found Spy Cookie: belnk cookie
10:34 PM: chartman@ath.belnk[1].txt (ID = 2293)
10:34 PM: Found Spy Cookie: dealtime cookie
10:34 PM: chartman@dealtime[1].txt (ID = 2505)
10:34 PM: Found Spy Cookie: ask cookie
10:34 PM: chartman@ask[1].txt (ID = 2245)
10:34 PM: Found Spy Cookie: about cookie
10:34 PM: chartman@psychology.about[1].txt (ID = 2038)
10:34 PM: chartman@about[1].txt (ID = 2037)
10:34 PM: chartman@photography.about[1].txt (ID = 2038)
10:34 PM: Found Spy Cookie: freestats.net cookie
10:34 PM: chartman@abbyssh.freestats[2].txt (ID = 2705)
10:34 PM: Found Spy Cookie: servlet cookie
10:34 PM: chartman@servlet[3].txt (ID = 3345)
10:34 PM: Found Spy Cookie: banner cookie
10:34 PM: chartman@banner[2].txt (ID = 2276)
10:34 PM: Found Spy Cookie: seeq cookie
10:34 PM: chartman@www48.seeq[1].txt (ID = 3332)
10:34 PM: Found Spy Cookie: 360i cookie
10:34 PM: chartman@ct.360i[1].txt (ID = 1962)
10:34 PM: chartman@www.seeq[1].txt (ID = 3332)
10:34 PM: Found Spy Cookie: tshirthell cookie
10:34 PM: chartman@www.tshirthell[1].txt (ID = 3596)
10:34 PM: Found Spy Cookie: enhance cookie
10:34 PM: chartman@c.enhance[1].txt (ID = 2614)
10:34 PM: Found Spy Cookie: go2net.com cookie
10:34 PM: chartman@go2net[1].txt (ID = 2730)
10:34 PM: Found Spy Cookie: clickzs cookie
10:34 PM: chartman@cz4.clickzs[2].txt (ID = 2413)
10:34 PM: chartman@cz3.clickzs[2].txt (ID = 2413)
10:34 PM: Found Spy Cookie: goclick cookie
10:34 PM: chartman@c.goclick[2].txt (ID = 2733)
10:34 PM: chartman@birding.about[1].txt (ID = 2038)
10:34 PM: chartman@cz6.clickzs[2].txt (ID = 2413)
10:34 PM: Found Spy Cookie: 91338698 cookie
10:34 PM: chartman@91338698[1].txt (ID = 2025)
10:34 PM: Found Spy Cookie: websponsors cookie
10:34 PM: chartman@a.websponsors[2].txt (ID = 3665)
10:34 PM: Found Spy Cookie: burstnet cookie
10:34 PM: chartman@burstnet[2].txt (ID = 2336)
10:34 PM: chartman@belnk[2].txt (ID = 2292)
10:34 PM: chartman@cz5.clickzs[2].txt (ID = 2413)
10:34 PM: chartman@cz9.clickzs[2].txt (ID = 2413)
10:34 PM: Found Spy Cookie: clicktracks cookie
10:34 PM: chartman@stats2.clicktracks[1].txt (ID = 2407)
10:34 PM: chartman@dist.belnk[1].txt (ID = 2293)
10:34 PM: chartman@cz11.clickzs[1].txt (ID = 2413)
10:34 PM: chartman@stat.dealtime[2].txt (ID = 2506)
10:34 PM: chartman@servlet[2].txt (ID = 3345)
10:34 PM: Found Spy Cookie: adknowledge cookie
10:34 PM: chartman@adknowledge[1].txt (ID = 2072)
10:34 PM: chartman@www.burstnet[1].txt (ID = 2337)
10:34 PM: Found Spy Cookie: burstbeacon cookie
10:34 PM: chartman@www.burstbeacon[1].txt (ID = 2335)
10:34 PM: Found Spy Cookie: webpower cookie
10:34 PM: chartman@webpower[1].txt (ID = 3660)
10:34 PM: Found Spy Cookie: experclick cookie
10:34 PM: chartman@experclick[2].txt (ID = 2639)
10:34 PM: chartman@cz8.clickzs[2].txt (ID = 2413)
10:35 PM: Found Spy Cookie: yieldmanager cookie
10:35 PM: chartman@ad.yieldmanager[2].txt (ID = 3751)
10:35 PM: Found Spy Cookie: cc214142 cookie
10:35 PM: chartman@ads.cc214142[2].txt (ID = 2367)
10:35 PM: chartman@yieldmanager[1].txt (ID = 3749)
10:35 PM: chartman@ask[2].txt (ID = 2245)
10:35 PM: Found Spy Cookie: xren_cj cookie
10:35 PM: chartman@xren_cj[1].txt (ID = 3723)
10:35 PM: Found Spy Cookie: toplist cookie
10:35 PM: chartman@toplist[2].txt (ID = 3557)
10:35 PM: Found Spy Cookie: clickandtrack cookie
10:35 PM: chartman@hits.clickandtrack[2].txt (ID = 2397)
10:35 PM: chartman@about[2].txt (ID = 2037)
10:35 PM: Found Spy Cookie: offeroptimizer cookie
10:35 PM: chartman@offeroptimizer[2].txt (ID = 3087)
10:35 PM: chartman@homeschooling.about[2].txt (ID = 2038)
10:35 PM: Found Spy Cookie: banners cookie
10:35 PM: chartman@banners[1].txt (ID = 2282)
10:35 PM: Found Spy Cookie: cliks cookie
10:35 PM: chartman@cliks[2].txt (ID = 2414)
10:35 PM: chartman@servlet[4].txt (ID = 3345)
10:35 PM: chartman@burstnet[1].txt (ID = 2336)
10:35 PM: chartman@atwola[2].txt (ID = 2255)
10:35 PM: Found Spy Cookie: ic-live cookie
10:35 PM: chartman@ic-live[1].txt (ID = 2821)
10:35 PM: chartman@cz5.clickzs[3].txt (ID = 2413)
10:35 PM: Found Spy Cookie: cnt cookie
10:35 PM: chartman@cnt[1].txt (ID = 2422)
10:35 PM: chartman@cz8.clickzs[3].txt (ID = 2413)
10:35 PM: Found Spy Cookie: 030 cookie
10:35 PM: chartman@030[1].txt (ID = 1913)
10:35 PM: chartman@belnk[3].txt (ID = 2292)
10:35 PM: Found Spy Cookie: infospace cookie
10:35 PM: chartman@ypng.infospace[1].txt (ID = 2866)
10:35 PM: chartman@dist.belnk[2].txt (ID = 2293)
10:35 PM: Found Spy Cookie: tacoda cookie
10:35 PM: chartman@tacoda[2].txt (ID = 6444)
10:35 PM: Found Spy Cookie: 888 cookie
10:35 PM: chartman@888[2].txt (ID = 2019)
10:35 PM: Found Spy Cookie: mx-targeting cookie
10:35 PM: chartman@master.mx-targeting[1].txt (ID = 3024)
10:35 PM: Found Spy Cookie: abetterinternet cookie
10:35 PM: chartman@abetterinternet[1].txt (ID = 2035)
10:35 PM: chartman@dealtime[2].txt (ID = 2505)
10:35 PM: Found Spy Cookie: mashka cookie
10:35 PM: chartman@mashka[2].txt (ID = 2949)
10:35 PM: Found Spy Cookie: howstuffworks cookie
10:35 PM: chartman@howstuffworks[1].txt (ID = 2805)
10:35 PM: chartman@stats2.clicktracks[3].txt (ID = 2407)
10:35 PM: Found Spy Cookie: pricegrabber cookie
10:35 PM: chartman@pcworld.pricegrabber[1].txt (ID = 3186)
10:35 PM: chartman@pricegrabber[1].txt (ID = 3185)
10:35 PM: Found Spy Cookie: paypopup cookie
10:35 PM: chartman@paypopup[1].txt (ID = 3119)
10:35 PM: Found Spy Cookie: trb.com cookie
10:35 PM: chartman@trb[1].txt (ID = 3587)
10:35 PM: Found Spy Cookie: azjmp cookie
10:35 PM: chartman@azjmp[2].txt (ID = 2270)
10:35 PM: chartman@banner[1].txt (ID = 2276)
10:35 PM: Found Spy Cookie: tracking cookie
10:35 PM: chartman@tracking[1].txt (ID = 3571)
10:35 PM: chartman@nextag[3].txt (ID = 5014)
10:35 PM: chartman@stat.dealtime[1].txt (ID = 2506)
10:35 PM: Found Spy Cookie: winantiviruspro cookie
10:35 PM: chartman@www.winantiviruspro[2].txt (ID = 3690)
10:35 PM: Found Spy Cookie: reliablestats cookie
10:35 PM: chartman@stats1.reliablestats[2].txt (ID = 3254)
10:35 PM: chartman@cz9.clickzs[3].txt (ID = 2413)
10:35 PM: chartman@xren_cj[2].txt (ID = 3723)
10:35 PM: chartman@webpower[2].txt (ID = 3660)
10:35 PM: chartman@www.burstbeacon[3].txt (ID = 2335)
10:35 PM: chartman@atwola[3].txt (ID = 2255)
10:35 PM: Found Spy Cookie: ccbill cookie
10:35 PM: chartman@ccbill[1].txt (ID = 2369)
10:35 PM: Found Spy Cookie: teenax cookie
10:35 PM: chartman@www.teenax[2].txt (ID = 3504)
10:35 PM: Found Spy Cookie: a cookie
10:35 PM: chartman@a[1].txt (ID = 2027)
10:35 PM: Found Spy Cookie: aptimus cookie
10:35 PM: chartman@network.aptimus[2].txt (ID = 2235)
10:35 PM: chartman@cz4.clickzs[3].txt (ID = 2413)
10:35 PM: Found Spy Cookie: go.com cookie
10:35 PM: chartman@go[1].txt (ID = 2728)
10:35 PM: Found Spy Cookie: reunion cookie
10:35 PM: chartman@reunion[2].txt (ID = 3255)
10:35 PM: chartman@ath.belnk[2].txt (ID = 2293)
10:35 PM: chartman@azjmp[1].txt (ID = 2270)
10:35 PM: chartman@go2net[2].txt (ID = 2730)
10:35 PM: chartman@infospace[1].txt (ID = 2865)
10:35 PM: Found Spy Cookie: bannerspace cookie
10:35 PM: chartman@bannerspace[1].txt (ID = 2284)
10:35 PM: chartman@www.tshirthell[2].txt (ID = 3596)
10:35 PM: Found Spy Cookie: contextuads cookie
10:35 PM: chartman@contextuads[1].txt (ID = 2461)
10:35 PM: chartman@ad.yieldmanager[1].txt (ID = 3751)
10:35 PM: chartman@cz7.clickzs[1].txt (ID = 2413)
10:35 PM: chartman@www.burstbeacon[2].txt (ID = 2335)
10:35 PM: chartman@belnk[1].txt (ID = 2292)
10:35 PM: chartman@ath.belnk[4].txt (ID = 2293)
10:35 PM: chartman@a.websponsors[1].txt (ID = 3665)
10:35 PM: chartman@ask[4].txt (ID = 2245)
10:35 PM: Found Spy Cookie: classmates cookie
10:35 PM: chartman@classmates[2].txt (ID = 2384)
10:35 PM: chartman@cz11.clickzs[2].txt (ID = 2413)
10:35 PM: Found Spy Cookie: specificclick.com cookie
10:35 PM: chartman@adopt.specificclick[1].txt (ID = 3400)
10:35 PM: chartman@adknowledge[2].txt (ID = 2072)
10:35 PM: chartman@adknowledge[4].txt (ID = 2072)
10:35 PM: Found Spy Cookie: adrevolver cookie
10:35 PM: chartman@adrevolver[3].txt (ID = 2088)
10:35 PM: Found Spy Cookie: ugo cookie
10:35 PM: chartman@ugo[1].txt (ID = 3608)
10:35 PM: chartman@burstnet[4].txt (ID = 2336)
10:35 PM: Found Spy Cookie: hit-counter cookie
10:35 PM: chartman@bar.hit-counter.udub[2].txt (ID = 2780)
10:35 PM: chartman@webpower[3].txt (ID = 3660)
10:35 PM: chartman@toplist[1].txt (ID = 3557)
10:35 PM: chartman@about[3].txt (ID = 2037)
10:35 PM: chartman@ccbill[3].txt (ID = 2369)
10:35 PM: chartman@vip2.clickzs[2].txt (ID = 2413)
10:35 PM: chartman@xren_cj[3].txt (ID = 3723)
10:35 PM: Found Spy Cookie: dl cookie
10:35 PM: chartman@dl[1].txt (ID = 2529)
10:35 PM: Found Spy Cookie: falkag cookie
10:35 PM: chartman@as-us.falkag[1].txt (ID = 2650)
10:35 PM: Found Spy Cookie: atlas dmt cookie
10:35 PM: chartman@atdmt[2].txt (ID = 2253)
10:35 PM: chartman@www48.seeq[2].txt (ID = 3332)
10:35 PM: Found Spy Cookie: adecn cookie
10:35 PM: chartman@adecn[2].txt (ID = 2063)
10:35 PM: Found Spy Cookie: realmedia cookie
10:35 PM: chartman@network.realmedia[1].txt (ID = 3236)
10:35 PM: chartman@servlet[5].txt (ID = 3345)
10:35 PM: chartman@adq.nextag[1].txt (ID = 5015)
10:35 PM: chartman@anat.tacoda[1].txt (ID = 6445)
10:35 PM: Found Spy Cookie: 69.93.205 cookie
10:35 PM: chartman@69.93.205[1].txt (ID = 2005)
10:35 PM: Found Spy Cookie: tribalfusion cookie
10:35 PM: chartman@tribalfusion[1].txt (ID = 3589)
10:35 PM: chartman@dist.belnk[4].txt (ID = 2293)
10:35 PM: Found Spy Cookie: overture cookie
10:35 PM: chartman@data2.perf.overture[1].txt (ID = 3106)
10:35 PM: Found Spy Cookie: hbmediapro cookie
10:35 PM: chartman@adopt.hbmediapro[2].txt (ID = 2768)
10:35 PM: Found Spy Cookie: fastclick cookie
10:35 PM: chartman@fastclick[2].txt (ID = 2651)
10:35 PM: chartman@belnk[5].txt (ID = 2292)
10:35 PM: chartman@cz9.clickzs[1].txt (ID = 2413)
10:35 PM: Found Spy Cookie: casalemedia cookie
10:35 PM: chartman@b.casalemedia[1].txt (ID = 2355)
10:35 PM: chartman@cz7.clickzs[2].txt (ID = 2413)
10:35 PM: chartman@cz11.clickzs[3].txt (ID = 2413)
10:35 PM: chartman@www.tshirthell[3].txt (ID = 3596)
10:35 PM: Found Spy Cookie: 2o7.net cookie
10:35 PM: chartman@buycom.122.2o7[1].txt (ID = 1958)
10:35 PM: chartman@as.casalemedia[1].txt (ID = 2355)
10:35 PM: chartman@bannerspace[2].txt (ID = 2284)
10:35 PM: chartman@graphicssoft.about[1].txt (ID = 2038)
10:35 PM: chartman@stats2.clicktracks[4].txt (ID = 2407)
10:35 PM: Found Spy Cookie: 3 cookie
10:35 PM: chartman@3[1].txt (ID = 1959)
10:35 PM: chartman@ad.yieldmanager[5].txt (ID = 3751)
10:35 PM: chartman@dist.belnk[3].txt (ID = 2293)
10:35 PM: chartman@vip.clickzs[2].txt (ID = 2413)
10:35 PM: Found Spy Cookie: exitexchange cookie
10:35 PM: chartman@exitexchange[1].txt (ID = 2633)
10:35 PM: chartman@nextag[1].txt (ID = 5014)
10:35 PM: chartman@adopt.specificclick[3].txt (ID = 3400)
10:35 PM: chartman@a.websponsors[4].txt (ID = 3665)
10:35 PM: Found Spy Cookie: trafficmp cookie
10:35 PM: chartman@trafficmp[1].txt (ID = 3581)
10:35 PM: chartman@yieldmanager[3].txt (ID = 3749)
10:35 PM: Found Spy Cookie: ru4 cookie
10:35 PM: chartman@edge.ru4[1].txt (ID = 3269)
10:35 PM: chartman@ath.belnk[5].txt (ID = 2293)
10:35 PM: chartman@adknowledge[5].txt (ID = 2072)
10:35 PM: chartman@yieldmanager[4].txt (ID = 3749)
10:35 PM: chartman@anat.tacoda[2].txt (ID = 6445)
10:35 PM: chartman@go[3].txt (ID = 2728)
10:35 PM: Found Spy Cookie: askmen cookie
10:35 PM: chartman@askmen[1].txt (ID = 2247)
10:35 PM: chartman@data1.perf.overture[1].txt (ID = 3106)
10:35 PM: chartman@go2net[3].txt (ID = 2730)
10:35 PM: chartman@ad.yieldmanager[3].txt (ID = 3751)
10:35 PM: Found Spy Cookie: addynamix cookie
10:35 PM: chartman@ads.addynamix[1].txt (ID = 2062)
10:35 PM: chartman@vip.clickzs[3].txt (ID = 2413)
10:35 PM: Found Spy Cookie: tradedoubler cookie
10:35 PM: chartman@tradedoubler[2].txt (ID = 3575)
10:35 PM: Found Spy Cookie: adjuggler cookie
10:35 PM: chartman@rotator.adjuggler[1].txt (ID = 2071)
10:35 PM: chartman@chicagosuntimes.122.2o7[1].txt (ID = 1958)
10:35 PM: Found Spy Cookie: bizrate cookie
10:35 PM: chartman@bizrate[2].txt (ID = 2308)
10:35 PM: chartman@msnportal.112.2o7[1].txt (ID = 1958)
10:35 PM: chartman@xren_cj[7].txt (ID = 3723)
10:35 PM: chartman@xren_cj[5].txt (ID = 3723)
10:35 PM: chartman@adrevolver[2].txt (ID = 2088)
10:35 PM: Found Spy Cookie: questionmarket cookie
10:35 PM: chartman@questionmarket[1].txt (ID = 3217)
10:35 PM: Found Spy Cookie: yadro cookie
10:35 PM: chartman@yadro[1].txt (ID = 3743)
10:35 PM: chartman@ask[5].txt (ID = 2245)
10:35 PM: chartman@infospace[2].txt (ID = 2865)
10:35 PM: Found Spy Cookie: tripod cookie
10:35 PM: chartman@tripod[1].txt (ID = 3591)
10:35 PM: chartman@realitytv.about[1].txt (ID = 2038)
10:35 PM: chartman@atwola[5].txt (ID = 2255)
10:35 PM: chartman@xren_cj[4].txt (ID = 3723)
10:35 PM: chartman@cz2.clickzs[2].txt (ID = 2413)
10:35 PM: chartman@about[5].txt (ID = 2037)
10:35 PM: chartman@888[1].txt (ID = 2019)
10:35 PM: chartman@cz5.clickzs[4].txt (ID = 2413)
10:35 PM: chartman@trb[2].txt (ID = 3587)
10:35 PM: chartman@ccbill[4].txt (ID = 2369)
10:35 PM: chartman@personalweb.about[1].txt (ID = 2038)
10:35 PM: chartman@ypng.infospace[2].txt (ID = 2866)
10:35 PM: chartman@www.burstbeacon[4].txt (ID = 2335)
10:35 PM: chartman@cbs.112.2o7[1].txt (ID = 1958)
10:35 PM: chartman@cz11.clickzs[4].txt (ID = 2413)
10:35 PM: chartman@adq.nextag[2].txt (ID = 5015)
10:35 PM: Found Spy Cookie: bluestreak cookie
10:35 PM: chartman@bluestreak[2].txt (ID = 2314)
10:35 PM: chartman@realmedia[2].txt (ID = 3235)
10:35 PM: chartman@www.888[1].txt (ID = 2020)
10:35 PM: chartman@nextag[4].txt (ID = 5014)
10:35 PM: chartman@bannerspace[3].txt (ID = 2284)
10:35 PM: chartman@cz8.clickzs[4].txt (ID = 2413)
10:35 PM: chartman@a.websponsors[5].txt (ID = 3665)
10:35 PM: Found Spy Cookie: 190dotcom cookie
10:35 PM: chartman@69.50.190[2].txt (ID = 1936)
10:35 PM: chartman@webpower[4].txt (ID = 3660)
10:35 PM: chartman@tacoda[3].txt (ID = 6444)
10:35 PM: Found Spy Cookie: inqwire cookie
10:35 PM: chartman@inqwire[1].txt (ID = 2867)
10:35 PM: chartman@ad.yieldmanager[6].txt (ID = 3751)
10:35 PM: Found Spy Cookie: partypoker cookie
10:35 PM: chartman@partypoker[2].txt (ID = 3111)
10:35 PM: Found Spy Cookie: adserver cookie
10:35 PM: chartman@z1.adserver[1].txt (ID = 2142)
10:35 PM: chartman@riptownmedia.122.2o7[1].txt (ID = 1958)
10:35 PM: chartman@network.realmedia[2].txt (ID = 3236)
10:35 PM: chartman@stat.dealtime[4].txt (ID = 2506)
10:35 PM: chartman@cnn.122.2o7[1].txt (ID = 1958)
10:35 PM: Found Spy Cookie: zedo cookie
10:35 PM: chartman@zedo[2].txt (ID = 3762)
10:35 PM: chartman@portlandme.about[1].txt (ID = 2038)
10:35 PM: Found Spy Cookie: pointroll cookie
10:35 PM: chartman@ads.pointroll[1].txt (ID = 3148)
10:35 PM: chartman@adopt.specificclick[2].txt (ID = 3400)
10:35 PM: chartman@vip2.clickzs[3].txt (ID = 2413)
10:35 PM: Found Spy Cookie: outster cookie
10:35 PM: chartman@outster[2].txt (ID = 3103)
10:35 PM: chartman@anheuserbusch.122.2o7[1].txt (ID = 1958)
10:35 PM: Found Spy Cookie: mediaplex cookie
10:35 PM: chartman@mediaplex[2].txt (ID = 6442)
10:35 PM: chartman@adecn[1].txt (ID = 2063)
10:35 PM: chartman@casalemedia[2].txt (ID = 2354)
10:35 PM: chartman@hits.clickandtrack[1].txt (ID = 2397)
10:35 PM: Found Spy Cookie: realtracker cookie
10:35 PM: chartman@web4.realtracker[1].txt (ID = 3242)
10:35 PM: chartman@bar.hit-counter.udub[3].txt (ID = 2780)
10:35 PM: Found Spy Cookie: advertising cookie
10:35 PM: chartman@advertising[2].txt (ID = 2175)
10:35 PM: chartman@cz9.clickzs[5].txt (ID = 2413)
10:35 PM: chartman@stats1.reliablestats[3].txt (ID = 3254)
10:35 PM: chartman@perf.overture[1].txt (ID = 3106)
10:35 PM: chartman@exitexchange[2].txt (ID = 2633)
10:35 PM: chartman@nextag[2].txt (ID = 5014)
10:35 PM: chartman@atwola[1].txt (ID = 2255)
10:35 PM: chartman@ath.belnk[1].txt (ID = 2293)
10:35 PM: chartman@dealtime[1].txt (ID = 2505)
10:35 PM: chartman@ask[1].txt (ID = 2245)
10:35 PM: chartman@psychology.about[1].txt (ID = 2038)
10:35 PM: chartman@about[1].txt (ID = 2037)
10:35 PM: chartman@photography.about[1].txt (ID = 2038)
10:35 PM: chartman@abbyssh.freestats[2].txt (ID = 2705)
10:35 PM: lanimilbus@atwola[1].txt (ID = 2255)
10:35 PM: lanimilbus@ask[1].txt (ID = 2245)
10:35 PM: Cookie Sweep Complete, Elapsed Time: 00:00:38
10:35 PM: Starting File Sweep
10:35 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
10:35 PM: Found Trojan Horse: lzio
10:35 PM: real.exe (ID = 254866)
10:51 PM: Found Adware: zenosearchassistant
10:51 PM: msnav32.ax (ID = 220229)
10:51 PM: nt68rrtc12.sys (ID = 220230)
10:51 PM: Found Trojan Horse: trojan-downloader-ruin
10:51 PM: cstuj.exe (ID = 246)
10:51 PM: dmghx.exe (ID = 147)
10:51 PM: pre2.exe (ID = 251303)
10:53 PM: c:\windows\system\vmss (ID = -2147481116)
10:56 PM: delfinbd.edx (ID = 57680)
10:56 PM: delfined.edx (ID = 57680)
10:56 PM: delfinid.edx (ID = 57691)
10:56 PM: delfindl.edx (ID = 57680)
10:56 PM: sskknwrd.dll (ID = 77733)
10:56 PM: sskcwrd.dll (ID = 77712)
10:56 PM: delfinaf.edx (ID = 57679)
10:56 PM: delfinco.edx (ID = 57680)
10:56 PM: delfinld.edx (ID = 57680)
10:56 PM: delfintg.ebd (ID = 57693)
10:56 PM: delfinky.edx (ID = 57685)
10:56 PM: delfinst.ebd (ID = 57692)
10:56 PM: delfinsi.edx (ID = 57691)
10:59 PM: Found Adware: ieplugin
10:59 PM: desktop toolbar (ID = 63344)
11:04 PM: backup-20060114-223817-391.inf (ID = 186017)
11:04 PM: Found Adware: mirar webband
11:04 PM: backup-20060114-235047-355.inf (ID = 208224)
11:04 PM: backup-20060319-161253-924.inf (ID = 186017)
11:04 PM: backup-20060319-161253-989.inf (ID = 208224)
11:05 PM: zeno.lnk (ID = 146127)
11:12 PM: sskknwrd.dll (ID = 77733)
11:12 PM: sskcwrd.dll (ID = 77712)
11:12 PM: sskknwrd.dll (ID = 77733)
11:12 PM: sskcwrd.dll (ID = 77712)
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59002-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59003-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59004-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59005-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59006-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59007-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59008-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e59009-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e5900a-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e5900b-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
11:13 PM: Warning: Failed to open file "c:\windows\profiles\chartman\application data\webroot\spy sweeper\temp\sscsc5e5900c-ec3c-11da-b7b2-000fb5097d24.tmp". The process cannot access the file because
it is being used by another process
it is being used by another process
********

Also, if it helps, here's another HijackThis log from just now:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:23 AM, on 5/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\SYSTEM\LJJKL.DLL
O2 - BHO: (no name) - {71812460-EC3D-11DA-B7B2-000FB5097D24} - C:\WINDOWS\SYSTEM\VTSST.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

#12 Guest_Cretemonster_*

Posted 26 May 2006 - 04:46 PM

The Spy Sweeper log got cut off. Can you post it by itself in the next reply?

After that, let me see a HijackThis Start Up log.

Open HijackThis and click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both boxes beside it are checked.

Put a check by:
List all minor sections (Full)
and
List Empty Sections (Complete)

It will produce a Notepad page. I need you to copy the entire contents of that page to the next reply.

#13 Lanimilbus

Posted 27 May 2006 - 12:47 PM

Since yesterday when I posted that Spy Sweeper log, I've run Spy Sweeper two more times and have deleted everything it's found. I saved all three logs... here's the most recent one. If you want me to post the other two Spy Sweeper logs as well I can do that too.

EDIT: Just to make it clear again, this is the most recent log, of when it was run last night, not a repost of the one I posted before. This scan found much less than the first two, I'm guessing because it deleted most of the entries it found in the first two scans.

********
2:27 AM: | Start of Session, Saturday, May 27, 2006 |
2:27 AM: Spy Sweeper started
2:27 AM: Sweep initiated using definitions version 686
2:27 AM: Starting Memory Sweep
2:28 AM: Found Adware: virtumonde
2:28 AM: Detected running threat: C:\WINDOWS\SYSTEM\jkkif.dll (ID = 394)
2:33 AM: Memory Sweep Complete, Elapsed Time: 00:06:29
2:33 AM: Starting Registry Sweep
2:36 AM: Registry Sweep Complete, Elapsed Time:00:02:32
2:36 AM: Starting Cookie Sweep
2:36 AM: Found Spy Cookie: atwola cookie
2:36 AM: chartman@atwola[1].txt (ID = 2255)
2:36 AM: Found Spy Cookie: tribalfusion cookie
2:36 AM: chartman@tribalfusion[2].txt (ID = 3589)
2:36 AM: Found Spy Cookie: trafficmp cookie
2:36 AM: chartman@trafficmp[2].txt (ID = 3581)
2:36 AM: Found Spy Cookie: fastclick cookie
2:36 AM: chartman@fastclick[2].txt (ID = 2651)
2:36 AM: Found Spy Cookie: coremetrics cookie
2:36 AM: chartman@twci.coremetrics[1].txt (ID = 2472)
2:36 AM: Found Spy Cookie: atlas dmt cookie
2:36 AM: chartman@atdmt[2].txt (ID = 2253)
2:36 AM: Found Spy Cookie: ru4 cookie
2:36 AM: chartman@edge.ru4[1].txt (ID = 3269)
2:36 AM: Found Spy Cookie: realmedia cookie
2:36 AM: chartman@network.realmedia[1].txt (ID = 3236)
2:36 AM: Found Spy Cookie: belnk cookie
2:36 AM: chartman@belnk[1].txt (ID = 2292)
2:36 AM: Found Spy Cookie: ask cookie
2:36 AM: chartman@ask[1].txt (ID = 2245)
2:36 AM: Found Spy Cookie: overture cookie
2:36 AM: chartman@perf.overture[1].txt (ID = 3106)
2:36 AM: Found Spy Cookie: casalemedia cookie
2:36 AM: chartman@casalemedia[2].txt (ID = 2354)
2:36 AM: Found Spy Cookie: zedo cookie
2:36 AM: chartman@zedo[1].txt (ID = 3762)
2:36 AM: Found Spy Cookie: reliablestats cookie
2:36 AM: chartman@stats1.reliablestats[1].txt (ID = 3254)
2:36 AM: Found Spy Cookie: onestat.com cookie
2:36 AM: chartman@stat.onestat[2].txt (ID = 3098)
2:36 AM: chartman@as.casalemedia[1].txt (ID = 2355)
2:36 AM: Found Spy Cookie: ccbill cookie
2:36 AM: chartman@ccbill[2].txt (ID = 2369)
2:36 AM: Found Spy Cookie: clickzs cookie
2:36 AM: chartman@vip2.clickzs[1].txt (ID = 2413)
2:36 AM: chartman@realmedia[2].txt (ID = 3235)
2:36 AM: chartman@cz4.clickzs[1].txt (ID = 2413)
2:36 AM: Found Spy Cookie: exitexchange cookie
2:36 AM: chartman@exitexchange[2].txt (ID = 2633)
2:36 AM: Found Spy Cookie: mediaplex cookie
2:36 AM: chartman@mediaplex[1].txt (ID = 6442)
2:36 AM: Found Spy Cookie: questionmarket cookie
2:36 AM: chartman@questionmarket[1].txt (ID = 3217)
2:36 AM: Found Spy Cookie: pointroll cookie
2:36 AM: chartman@ads.pointroll[2].txt (ID = 3148)
2:36 AM: Found Spy Cookie: yieldmanager cookie
2:36 AM: chartman@ad.yieldmanager[1].txt (ID = 3751)
2:36 AM: Found Spy Cookie: maxserving cookie
2:36 AM: chartman@maxserving[2].txt (ID = 2966)
2:36 AM: Found Spy Cookie: advertising cookie
2:36 AM: chartman@advertising[2].txt (ID = 2175)
2:36 AM: Found Spy Cookie: adknowledge cookie
2:36 AM: chartman@adknowledge[2].txt (ID = 2072)
2:36 AM: chartman@data4.perf.overture[1].txt (ID = 3106)
2:36 AM: Found Spy Cookie: specificclick.com cookie
2:36 AM: chartman@adopt.specificclick[2].txt (ID = 3400)
2:36 AM: Found Spy Cookie: adviva cookie
2:36 AM: chartman@adviva[2].txt (ID = 2177)
2:36 AM: Cookie Sweep Complete, Elapsed Time: 00:00:04
2:36 AM: Starting File Sweep
2:36 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
3:17 AM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
3:50 AM: File Sweep Complete, Elapsed Time: 01:14:38
3:50 AM: Full Sweep has completed. Elapsed time 01:23:47
3:50 AM: Traces Found: 41
1:06 PM: Removal process initiated
1:06 PM: Quarantining All Traces: virtumonde
1:06 PM: virtumonde is in use. It will be removed on reboot.
1:06 PM: C:\WINDOWS\SYSTEM\jkkif.dll is in use. It will be removed on reboot.
1:06 PM: Quarantining All Traces: adknowledge cookie
1:06 PM: Quarantining All Traces: advertising cookie
1:06 PM: Quarantining All Traces: adviva cookie
1:06 PM: Quarantining All Traces: ask cookie
1:06 PM: Quarantining All Traces: atlas dmt cookie
1:06 PM: Quarantining All Traces: atwola cookie
1:06 PM: Quarantining All Traces: belnk cookie
1:06 PM: Quarantining All Traces: casalemedia cookie
1:06 PM: Quarantining All Traces: ccbill cookie
1:06 PM: Quarantining All Traces: clickzs cookie
1:06 PM: Quarantining All Traces: coremetrics cookie
1:06 PM: Quarantining All Traces: exitexchange cookie
1:06 PM: Quarantining All Traces: fastclick cookie
1:06 PM: Quarantining All Traces: maxserving cookie
1:06 PM: Quarantining All Traces: mediaplex cookie
1:06 PM: Quarantining All Traces: onestat.com cookie
1:06 PM: Quarantining All Traces: overture cookie
1:06 PM: Quarantining All Traces: pointroll cookie
1:06 PM: Quarantining All Traces: questionmarket cookie
1:06 PM: Quarantining All Traces: realmedia cookie
1:06 PM: Quarantining All Traces: reliablestats cookie
1:06 PM: Quarantining All Traces: ru4 cookie
1:06 PM: Quarantining All Traces: specificclick.com cookie
1:06 PM: Quarantining All Traces: trafficmp cookie
1:06 PM: Quarantining All Traces: tribalfusion cookie
1:06 PM: Quarantining All Traces: yieldmanager cookie
1:06 PM: Quarantining All Traces: zedo cookie
1:06 PM: Warning: Launched explorer.exe
1:06 PM: Warning: Quarantine process could not restart Explorer.
1:06 PM: Removal process completed. Elapsed time 00:00:35
********
11:05 AM: | Start of Session, Friday, May 26, 2006 |
11:05 AM: Spy Sweeper started
11:05 AM: Sweep initiated using definitions version 686
11:05 AM: Starting Memory Sweep
11:10 AM: Found Adware: virtumonde
11:10 AM: Detected running threat: C:\WINDOWS\SYSTEM\wvuvv.dll (ID = 394)
11:10 AM: Memory Sweep Complete, Elapsed Time: 00:05:20
11:10 AM: Starting Registry Sweep
11:11 AM: Found Adware: delfin
11:11 AM: HKLM\software\microsoft\windows\currentversion\uninstall\dmvlite\ (2 subtraces) (ID = 124880)
11:11 AM: Found Adware: e2g
11:11 AM: HKU\.default\software\ptech\ (1 subtraces) (ID = 125405)
11:11 AM: Found Adware: elitemediagroup-mediamotor
11:11 AM: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
11:11 AM: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
11:11 AM: Found Adware: surfsidekick
11:11 AM: HKLM\software\surfsidekick2\ (2 subtraces) (ID = 143411)
11:11 AM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
11:11 AM: Found Adware: directrevenue-abetterinternet
11:11 AM: HKU\.default\software\ceres\ (26 subtraces) (ID = 145764)
11:12 AM: Found Adware: enbrowser
11:12 AM: HKLM\software\system\sysold\ (1 subtraces) (ID = 926808)
11:12 AM: Found Adware: mediamotor - popuppers
11:12 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm83.ocx\ (2 subtraces) (ID = 960758)
11:12 AM: Found Adware: 180search assistant/zango
11:12 AM: HKCR\saix.installercaller.1\ (3 subtraces) (ID = 1156609)
11:12 AM: HKCR\saix.installercaller\ (5 subtraces) (ID = 1156613)
11:12 AM: HKLM\software\classes\saix.installercaller.1\ (3 subtraces) (ID = 1156657)
11:12 AM: HKLM\software\classes\saix.installercaller\ (5 subtraces) (ID = 1156661)
11:12 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/saix.dll\ (2 subtraces) (ID = 1156667)
11:12 AM: Found Adware: winantivirus pro
11:12 AM: HKLM\software\winantivirus pro 2006\ (ID = 1216196)
11:12 AM: HKU\.DEFAULT\software\dvx\ (4 subtraces) (ID = 124853)
11:12 AM: HKU\.DEFAULT\software\ptech\ (1 subtraces) (ID = 125528)
11:12 AM: HKU\.DEFAULT\software\ceres\ (26 subtraces) (ID = 145851)
11:12 AM: HKU\chartman\software\dvx\ (4 subtraces) (ID = 124853)
11:12 AM: HKU\chartman\software\surfsidekick3\ (2 subtraces) (ID = 143412)
11:12 AM: HKU\chartman\software\system\sysuid\ (1 subtraces) (ID = 731748)
11:12 AM: HKU\WRSS_Profile_Lanimilbus\software\dvx\ (4 subtraces) (ID = 124853)
11:12 AM: HKU\WRSS_Profile_Lanimilbus\software\ceres\ (26 subtraces) (ID = 145851)
11:12 AM: Registry Sweep Complete, Elapsed Time:00:02:11
11:12 AM: Starting Cookie Sweep
11:12 AM: Found Spy Cookie: nextag cookie
11:12 AM: chartman@nextag[2].txt (ID = 5014)
11:12 AM: Found Spy Cookie: atwola cookie
11:12 AM: chartman@atwola[1].txt (ID = 2255)
11:12 AM: Found Spy Cookie: belnk cookie
11:12 AM: chartman@ath.belnk[1].txt (ID = 2293)
11:12 AM: Found Spy Cookie: dealtime cookie
11:12 AM: chartman@dealtime[1].txt (ID = 2505)
11:12 AM: Found Spy Cookie: ask cookie
11:12 AM: chartman@ask[1].txt (ID = 2245)
11:12 AM: Found Spy Cookie: about cookie
11:12 AM: chartman@psychology.about[1].txt (ID = 2038)
11:12 AM: chartman@about[1].txt (ID = 2037)
11:12 AM: chartman@photography.about[1].txt (ID = 2038)
11:12 AM: Found Spy Cookie: freestats.net cookie
11:12 AM: chartman@abbyssh.freestats[2].txt (ID = 2705)
11:12 AM: Found Spy Cookie: servlet cookie
11:12 AM: chartman@servlet[3].txt (ID = 3345)
11:12 AM: Found Spy Cookie: banner cookie
11:12 AM: chartman@banner[2].txt (ID = 2276)
11:12 AM: Found Spy Cookie: seeq cookie
11:12 AM: chartman@www48.seeq[1].txt (ID = 3332)
11:12 AM: Found Spy Cookie: 360i cookie
11:12 AM: chartman@ct.360i[1].txt (ID = 1962)
11:12 AM: chartman@www.seeq[1].txt (ID = 3332)
11:12 AM: Found Spy Cookie: tshirthell cookie
11:12 AM: chartman@www.tshirthell[1].txt (ID = 3596)
11:12 AM: Found Spy Cookie: enhance cookie
11:12 AM: chartman@c.enhance[1].txt (ID = 2614)
11:12 AM: Found Spy Cookie: go2net.com cookie
11:12 AM: chartman@go2net[1].txt (ID = 2730)
11:12 AM: Found Spy Cookie: clickzs cookie
11:12 AM: chartman@cz4.clickzs[2].txt (ID = 2413)
11:12 AM: chartman@cz3.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: goclick cookie
11:12 AM: chartman@c.goclick[2].txt (ID = 2733)
11:12 AM: chartman@birding.about[1].txt (ID = 2038)
11:12 AM: chartman@cz6.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: 91338698 cookie
11:12 AM: chartman@91338698[1].txt (ID = 2025)
11:12 AM: Found Spy Cookie: websponsors cookie
11:12 AM: chartman@a.websponsors[2].txt (ID = 3665)
11:12 AM: Found Spy Cookie: burstnet cookie
11:12 AM: chartman@burstnet[2].txt (ID = 2336)
11:12 AM: chartman@belnk[2].txt (ID = 2292)
11:12 AM: chartman@cz5.clickzs[2].txt (ID = 2413)
11:12 AM: chartman@cz9.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: clicktracks cookie
11:12 AM: chartman@stats2.clicktracks[1].txt (ID = 2407)
11:12 AM: chartman@dist.belnk[1].txt (ID = 2293)
11:12 AM: chartman@cz11.clickzs[1].txt (ID = 2413)
11:12 AM: chartman@stat.dealtime[2].txt (ID = 2506)
11:12 AM: chartman@servlet[2].txt (ID = 3345)
11:12 AM: Found Spy Cookie: adknowledge cookie
11:12 AM: chartman@adknowledge[1].txt (ID = 2072)
11:12 AM: chartman@www.burstnet[1].txt (ID = 2337)
11:12 AM: Found Spy Cookie: burstbeacon cookie
11:12 AM: chartman@www.burstbeacon[1].txt (ID = 2335)
11:12 AM: Found Spy Cookie: webpower cookie
11:12 AM: chartman@webpower[1].txt (ID = 3660)
11:12 AM: Found Spy Cookie: experclick cookie
11:12 AM: chartman@experclick[2].txt (ID = 2639)
11:12 AM: chartman@cz8.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: yieldmanager cookie
11:12 AM: chartman@ad.yieldmanager[2].txt (ID = 3751)
11:12 AM: Found Spy Cookie: cc214142 cookie
11:12 AM: chartman@ads.cc214142[2].txt (ID = 2367)
11:12 AM: chartman@yieldmanager[1].txt (ID = 3749)
11:12 AM: chartman@ask[2].txt (ID = 2245)
11:12 AM: Found Spy Cookie: xren_cj cookie
11:12 AM: chartman@xren_cj[1].txt (ID = 3723)
11:12 AM: Found Spy Cookie: toplist cookie
11:12 AM: chartman@toplist[2].txt (ID = 3557)
11:12 AM: Found Spy Cookie: clickandtrack cookie
11:12 AM: chartman@hits.clickandtrack[2].txt (ID = 2397)
11:12 AM: chartman@about[2].txt (ID = 2037)
11:12 AM: Found Spy Cookie: offeroptimizer cookie
11:12 AM: chartman@offeroptimizer[2].txt (ID = 3087)
11:12 AM: chartman@homeschooling.about[2].txt (ID = 2038)
11:12 AM: Found Spy Cookie: banners cookie
11:12 AM: chartman@banners[1].txt (ID = 2282)
11:12 AM: Found Spy Cookie: cliks cookie
11:12 AM: chartman@cliks[2].txt (ID = 2414)
11:12 AM: chartman@servlet[4].txt (ID = 3345)
11:12 AM: chartman@burstnet[1].txt (ID = 2336)
11:12 AM: chartman@atwola[2].txt (ID = 2255)
11:12 AM: Found Spy Cookie: ic-live cookie
11:12 AM: chartman@ic-live[1].txt (ID = 2821)
11:12 AM: chartman@cz5.clickzs[3].txt (ID = 2413)
11:12 AM: Found Spy Cookie: cnt cookie
11:12 AM: chartman@cnt[1].txt (ID = 2422)
11:12 AM: chartman@cz8.clickzs[3].txt (ID = 2413)
11:12 AM: Found Spy Cookie: 030 cookie
11:12 AM: chartman@030[1].txt (ID = 1913)
11:12 AM: chartman@belnk[3].txt (ID = 2292)
11:12 AM: Found Spy Cookie: infospace cookie
11:12 AM: chartman@ypng.infospace[1].txt (ID = 2866)
11:12 AM: chartman@dist.belnk[2].txt (ID = 2293)
11:12 AM: Found Spy Cookie: tacoda cookie
11:12 AM: chartman@tacoda[2].txt (ID = 6444)
11:12 AM: Found Spy Cookie: 888 cookie
11:12 AM: chartman@888[2].txt (ID = 2019)
11:12 AM: Found Spy Cookie: mx-targeting cookie
11:12 AM: chartman@master.mx-targeting[1].txt (ID = 3024)
11:12 AM: Found Spy Cookie: abetterinternet cookie
11:12 AM: chartman@abetterinternet[1].txt (ID = 2035)
11:12 AM: chartman@dealtime[2].txt (ID = 2505)
11:12 AM: Found Spy Cookie: mashka cookie
11:12 AM: chartman@mashka[2].txt (ID = 2949)
11:12 AM: Found Spy Cookie: howstuffworks cookie
11:12 AM: chartman@howstuffworks[1].txt (ID = 2805)
11:12 AM: chartman@stats2.clicktracks[3].txt (ID = 2407)
11:12 AM: Found Spy Cookie: pricegrabber cookie
11:12 AM: chartman@pcworld.pricegrabber[1].txt (ID = 3186)
11:12 AM: chartman@pricegrabber[1].txt (ID = 3185)
11:12 AM: Found Spy Cookie: paypopup cookie
11:12 AM: chartman@paypopup[1].txt (ID = 3119)
11:12 AM: Found Spy Cookie: trb.com cookie
11:12 AM: chartman@trb[1].txt (ID = 3587)
11:12 AM: Found Spy Cookie: azjmp cookie
11:12 AM: chartman@azjmp[2].txt (ID = 2270)
11:12 AM: chartman@banner[1].txt (ID = 2276)
11:12 AM: Found Spy Cookie: tracking cookie
11:12 AM: chartman@tracking[1].txt (ID = 3571)
11:12 AM: chartman@nextag[3].txt (ID = 5014)
11:12 AM: chartman@stat.dealtime[1].txt (ID = 2506)
11:12 AM: Found Spy Cookie: winantiviruspro cookie
11:12 AM: chartman@www.winantiviruspro[2].txt (ID = 3690)
11:12 AM: Found Spy Cookie: reliablestats cookie
11:12 AM: chartman@stats1.reliablestats[2].txt (ID = 3254)
11:12 AM: chartman@cz9.clickzs[3].txt (ID = 2413)
11:12 AM: chartman@xren_cj[2].txt (ID = 3723)
11:12 AM: chartman@webpower[2].txt (ID = 3660)
11:12 AM: chartman@www.burstbeacon[3].txt (ID = 2335)
11:12 AM: chartman@atwola[3].txt (ID = 2255)
11:12 AM: Found Spy Cookie: ccbill cookie
11:12 AM: chartman@ccbill[1].txt (ID = 2369)
11:12 AM: Found Spy Cookie: a cookie
11:12 AM: chartman@a[1].txt (ID = 2027)
11:12 AM: Found Spy Cookie: aptimus cookie
11:12 AM: chartman@network.aptimus[2].txt (ID = 2235)
11:12 AM: chartman@cz4.clickzs[3].txt (ID = 2413)
11:12 AM: Found Spy Cookie: go.com cookie
11:12 AM: chartman@go[1].txt (ID = 2728)
11:12 AM: Found Spy Cookie: reunion cookie
11:12 AM: chartman@reunion[2].txt (ID = 3255)
11:12 AM: chartman@ath.belnk[2].txt (ID = 2293)
11:12 AM: chartman@atwola[4].txt (ID = 2255)
11:12 AM: chartman@go2net[2].txt (ID = 2730)
11:12 AM: chartman@infospace[1].txt (ID = 2865)
11:12 AM: Found Spy Cookie: bannerspace cookie
11:12 AM: chartman@bannerspace[1].txt (ID = 2284)
11:12 AM: chartman@www.tshirthell[2].txt (ID = 3596)
11:12 AM: Found Spy Cookie: contextuads cookie
11:12 AM: chartman@contextuads[1].txt (ID = 2461)
11:12 AM: chartman@ad.yieldmanager[1].txt (ID = 3751)
11:12 AM: chartman@cz7.clickzs[1].txt (ID = 2413)
11:12 AM: chartman@www.burstbeacon[2].txt (ID = 2335)
11:12 AM: chartman@belnk[1].txt (ID = 2292)
11:12 AM: chartman@ath.belnk[4].txt (ID = 2293)
11:12 AM: chartman@a.websponsors[1].txt (ID = 3665)
11:12 AM: chartman@ask[4].txt (ID = 2245)
11:12 AM: Found Spy Cookie: classmates cookie
11:12 AM: chartman@classmates[2].txt (ID = 2384)
11:12 AM: chartman@cz11.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: specificclick.com cookie
11:12 AM: chartman@adopt.specificclick[1].txt (ID = 3400)
11:12 AM: chartman@adknowledge[2].txt (ID = 2072)
11:12 AM: chartman@adknowledge[4].txt (ID = 2072)
11:12 AM: Found Spy Cookie: ugo cookie
11:12 AM: chartman@ugo[1].txt (ID = 3608)
11:12 AM: chartman@burstnet[4].txt (ID = 2336)
11:12 AM: Found Spy Cookie: hit-counter cookie
11:12 AM: chartman@bar.hit-counter.udub[2].txt (ID = 2780)
11:12 AM: chartman@webpower[3].txt (ID = 3660)
11:12 AM: chartman@toplist[1].txt (ID = 3557)
11:12 AM: chartman@about[3].txt (ID = 2037)
11:12 AM: chartman@ccbill[3].txt (ID = 2369)
11:12 AM: chartman@vip2.clickzs[2].txt (ID = 2413)
11:12 AM: chartman@xren_cj[3].txt (ID = 3723)
11:12 AM: Found Spy Cookie: dl cookie
11:12 AM: chartman@dl[1].txt (ID = 2529)
11:12 AM: Found Spy Cookie: adecn cookie
11:12 AM: chartman@adecn[2].txt (ID = 2063)
11:12 AM: Found Spy Cookie: realmedia cookie
11:12 AM: chartman@network.realmedia[1].txt (ID = 3236)
11:12 AM: chartman@servlet[5].txt (ID = 3345)
11:12 AM: chartman@adq.nextag[1].txt (ID = 5015)
11:12 AM: chartman@anat.tacoda[1].txt (ID = 6445)
11:12 AM: Found Spy Cookie: 69.93.205 cookie
11:12 AM: chartman@69.93.205[1].txt (ID = 2005)
11:12 AM: Found Spy Cookie: overture cookie
11:12 AM: chartman@data2.perf.overture[1].txt (ID = 3106)
11:12 AM: Found Spy Cookie: hbmediapro cookie
11:12 AM: chartman@adopt.hbmediapro[2].txt (ID = 2768)
11:12 AM: Found Spy Cookie: atlas dmt cookie
11:12 AM: chartman@atdmt[1].txt (ID = 2253)
11:12 AM: chartman@cz9.clickzs[1].txt (ID = 2413)
11:12 AM: Found Spy Cookie: casalemedia cookie
11:12 AM: chartman@b.casalemedia[1].txt (ID = 2355)
11:12 AM: chartman@cz7.clickzs[2].txt (ID = 2413)
11:12 AM: chartman@cz11.clickzs[3].txt (ID = 2413)
11:12 AM: chartman@www.tshirthell[3].txt (ID = 3596)
11:12 AM: Found Spy Cookie: 2o7.net cookie
11:12 AM: chartman@buycom.122.2o7[1].txt (ID = 1958)
11:12 AM: chartman@bannerspace[2].txt (ID = 2284)
11:12 AM: chartman@graphicssoft.about[1].txt (ID = 2038)
11:12 AM: chartman@stats2.clicktracks[4].txt (ID = 2407)
11:12 AM: Found Spy Cookie: advertising cookie
11:12 AM: chartman@advertising[2].txt (ID = 2175)
11:12 AM: chartman@ad.yieldmanager[5].txt (ID = 3751)
11:12 AM: chartman@dist.belnk[3].txt (ID = 2293)
11:12 AM: chartman@vip.clickzs[2].txt (ID = 2413)
11:12 AM: Found Spy Cookie: exitexchange cookie
11:12 AM: chartman@exitexchange[1].txt (ID = 2633)
11:12 AM: chartman@nextag[1].txt (ID = 5014)
11:12 AM: chartman@adopt.specificclick[3].txt (ID = 3400)
11:12 AM: chartman@a.websponsors[4].txt (ID = 3665)
11:12 AM: Found Spy Cookie: zedo cookie
11:12 AM: chartman@zedo[2].txt (ID = 3762)
11:12 AM: chartman@yieldmanager[3].txt (ID = 3749)
11:12 AM: chartman@ad.yieldmanager[3].txt (ID = 3751)
11:12 AM: chartman@bar.hit-counter.udub[1].txt (ID = 2780)
11:12 AM: chartman@nextag[2].txt (ID = 5014)
11:12 AM: chartman@atwola[1].txt (ID = 2255)
11:12 AM: chartman@ath.belnk[1].txt (ID = 2293)
11:12 AM: chartman@dealtime[1].txt (ID = 2505)
11:12 AM: chartman@ask[1].txt (ID = 2245)
11:12 AM: chartman@psychology.about[1].txt (ID = 2038)
11:12 AM: chartman@about[1].txt (ID = 2037)
11:12 AM: chartman@photography.about[1].txt (ID = 2038)
11:12 AM: chartman@abbyssh.freestats[2].txt (ID = 2705)
11:12 AM: lanimilbus@atwola[1].txt (ID = 2255)
11:12 AM: lanimilbus@ask[1].txt (ID = 2245)
11:12 AM: Cookie Sweep Complete, Elapsed Time: 00:00:18
11:12 AM: Starting File Sweep

Edited by Lanimilbus, 27 May 2006 - 12:51 PM.


#14 Lanimilbus


Posted 27 May 2006 - 12:55 PM

...and here's the StartUpList log from HijackThis:

StartupList report, 5/27/06, 1:49:14 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\S\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Symantec Core LC = C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
EnsoniqMixer = starter.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
NPFMonitor = C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
ALU Scheduler Service = C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
ctfmon.exe = ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

[PerUserOldLinks] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

[MotownRecPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wpie5x86.inf,PerUserStub

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[Chl99] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmp.inf,PerUserRemove

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\SYSTEM\Rundll32.exe c:\WINDOWS\SYSTEM\mscories.dll,Install

[NetservrPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 c:\windows\INF\netservr.inf

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 27/5/2006, 13:6:8)

[rename]
NUL=C:\WINDOWS\SYSTEM\JKKIF.DLL
[rename]

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
REM [Header]
ECHO OFF
REM [CD-ROM Drive]
REM [Miscellaneous]
REM [Display]
REM [Sound, MIDI, or Video Capture Card]
REM [Mouse]

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE
REM [Header]
REM [CD-ROM Drive]
REM [Miscellaneous]
REM [SCSI Controllers]
REM [Display]
REM [Sound, MIDI, or Video Capture Card]
REM [Mouse]
REM ------------------

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
C:\SBPCI\SBINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\WINDOWS\SYSTEM\WVUVV.DLL (file missing) - {DC8D7260-ECA4-11DA-B7B2-000FB5097D24}
(no name) - C:\WINDOWS\SYSTEM\LJHEF.DLL (file missing) - {E36FE000-ECD5-11DA-B7B2-000FB5097D24}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ccleaner.job
Tune-up Application Start.job
Windows Critical Update Notification.job
Norton AntiVirus - Scan my computer - chartman.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://c:\windows\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://c:\windows\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8364.5228240741

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\LEGITCHECKCONTROL.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/d/4...0367/wmavax.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmvax.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[{3334504D-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/mpeg4ax.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[Webshots Photo Uploader]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSPHOT~1.OCX
CODEBASE = http://community.webshots.com/html/WSPhotoUploader.CAB

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Symantec Download Bridge]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMDLBRG.DLL
CODEBASE = https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

[ActiveDataInfo Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\SYMANT~2\SYMADATA.DLL
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

[SupportSoft Script Runner Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLSR.DLL
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLSI.DLL
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

[YInstStarter Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\COMMON\YINSTHELPER.DLL
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: c:\windows\SYSTEM\rnr20.dll
Protocol #1: c:\windows\SYSTEM\msafd.dll
Protocol #2: c:\windows\SYSTEM\msafd.dll
Protocol #3: c:\windows\SYSTEM\msafd.dll
Protocol #4: c:\windows\SYSTEM\rsvpsp.dll
Protocol #5: c:\windows\SYSTEM\rsvpsp.dll
Protocol #6: c:\windows\SYSTEM\mswsosp.dll
Protocol #7: c:\windows\SYSTEM\mswsosp.dll
Protocol #8: c:\windows\SYSTEM\mswsosp.dll
Protocol #9: c:\windows\SYSTEM\mswsosp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: c:\windows\SYSTEM\vrtwd.386
VFIXD: c:\windows\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
VSERVER: vserver.vxd
NWREDIR: nwredir.vxd
NWLink: nwlink.vxd
NSCL: nscl.vxd
SYMTDI: SYMTDI.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

TYPFTP = C:\WINDOWS\SYSTEM\TYPFTP.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 28,736 bytes
Report generated in 0.483 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#15 Guest_Cretemonster_*

Posted 27 May 2006 - 01:46 PM

Looks like Spy Sweeper is really doing the trick.

Do you have any idea where this file came from? ---> C:\WINDOWS\SYSTEM\TYPFTP.exe

If not, please go to the site listed below and have it scanned there:
http://www.virustotal.com/en/indexf.html

Copy the results to Notepad and post them in the next reply.

After that, have the PC scanned here.

Just scan and save the report; I want to have a look before removing anything.

Post back with a normal HijackThis log and the results of the file scan and the ewido scan.



